[jboss-jira] [JBoss JIRA] (ELY-1314) Elytron, make scope of SPNEGO authentication configurable
Martin Choma (JIRA)
issues at jboss.org
Tue Aug 1 07:42:01 EDT 2017
Martin Choma created ELY-1314:
---------------------------------
Summary: Elytron, make scope of SPNEGO authentication configurable
Key: ELY-1314
URL: https://issues.jboss.org/browse/ELY-1314
Project: WildFly Elytron
Issue Type: Bug
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Blocker
Currently Elytron SPNEGO authnetication is tcp connection scoped, whereas legacy SPNEGO for applications is http-session scoped.
This different approach can bring these behaviour differences after migration from legacy to Elytron:
- if deployment is behind reverse proxy it can lead to user "cross talk" (different http session, but same TCP connection) [1]
- more frequent kerberos negotiation cycles
- load balancer switches to another node (same http session, but new TCP connection)
- new tab in browser (same http session, but new TCP connection) [2]
[1] JBEAP-11882 - (7.1) Using a proxy and spnego on the EAP 7 management console leads to user "cross talk"
[2] https://superuser.com/questions/1055281/do-web-browsers-use-different-outgoing-ports-for-different-tabs
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list