[
https://issues.jboss.org/browse/ELY-1519?page=com.atlassian.jira.plugin.s...
]
Martin Choma updated ELY-1519:
------------------------------
Description:
Currently, in a clustered environment, the Security Identity is restored during
* failover
* load balancer node change (non-sticky behaviour)
* session passivation/activation
This is mainly expected and good. It ensures a performance gain because no additional SPNEGO
negotiation is performed. But it can cause trouble for Kerberos ticket propagation, as
a Kerberos ticket can't be serialized and restored.
So the idea is to have a flag to turn this default behaviour off. When a user authenticates to app1
on serverA and then wants to access app1 on serverB, SPNEGO authentication will be
activated and the Kerberos ticket will be negotiated and will be available on serverB as
well.
was:
Currently, in a clustered environment, the Security Identity is restored during
* failover
* load balancer node change (non-sticky behaviour)
* session passivation/activation
This is mainly expected and good. It ensures a performance gain because no additional SPNEGO
negotiation is performed. But it can cause trouble for Kerberos ticket propagation, as
a Kerberos ticket can't be serialized and restored.
So the idea is to have a flag to turn this default behaviour off. When a user authenticates to app1
on serverA and then wants to access app1 on serverB, SPNEGO authentication will be
activated and the Kerberos ticket will be negotiated and will be available on serverB as
well.
This is a follow-up on ELY-1503
Make restore of SecurityIdentity on replicated session configurable
-------------------------------------------------------------------
Key: ELY-1519
URL: https://issues.jboss.org/browse/ELY-1519
Project: WildFly Elytron
Issue Type: Bug
Components: Authentication Mechanisms
Affects Versions: 1.2.0.Final
Reporter: Martin Choma