On 6/19/2015 10:08 AM, Marek Posolda wrote:
Fact is that for production environments using Kerberos (FreeIPA or
Windows domain backed by ActiveDirectory) the Kerberos ticket is usually
tied to the desktop login of the user, and the user either has it or not. The
flow with "display the form, then kinit from CMD to obtain Kerberos
ticket and then refresh the page to retry Kerberos" is probably
something more for development use.
From the possibilities, (a) seems to me slightly better? For
example, if you accidentally have 2 open tabs with the login form in
the browser and you log in successfully in tab1, you will have the SSO
cookie, so a refresh on tab2 should retry the cookie and log you in
successfully. In case (b) it won't log you in because the cookie won't be
retried. But not sure if this is not a corner case as well ;-)

Ok, we'll reset the client session on a refresh. It's already set up
that way in master.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com