Elytron, make scope of SPNEGO authentication configurable --------------------------------------------------------- Key: ELY-1314 URL: https://issues.jboss.org/browse/ELY-1314 Project: WildFly Elytron Issue Type: Bug Reporter: Martin Choma Assignee: Darran Lofthouse Priority: Blocker Fix For: 1.1.0.CR5 Currently Elytron SPNEGO authnetication is tcp connection scoped, whereas legacy SPNEGO for applications is http-session scoped. This different approach can bring these behaviour differences after migration from legacy to Elytron: - if deployment is behind reverse proxy it can lead to user "cross talk" (different http session, but same TCP connection) [1] - more frequent kerberos negotiation cycles - load balancer switches to another node (same http session, but new TCP connection) - new tab in browser (same http session, but new TCP connection) [2] [1] JBEAP-11882 - (7.1) Using a proxy and spnego on the EAP 7 management console leads to user "cross talk" [2] https://superuser.com/questions/1055281/do-web-browsers-use-different-out...