[jboss-jira] [JBoss JIRA] (ELY-1314) Elytron, make scope of SPNEGO authentication configurable

Darran Lofthouse (JIRA) issues at jboss.org
Mon Aug 7 06:52:00 EDT 2017


     [ https://issues.jboss.org/browse/ELY-1314?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse resolved ELY-1314.
-----------------------------------
    Fix Version/s: 1.1.0.CR5
       Resolution: Duplicate Issue


> Elytron, make scope of SPNEGO authentication configurable
> ---------------------------------------------------------
>
>                 Key: ELY-1314
>                 URL: https://issues.jboss.org/browse/ELY-1314
>             Project: WildFly Elytron
>          Issue Type: Bug
>            Reporter: Martin Choma
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>             Fix For: 1.1.0.CR5
>
>
> Currently Elytron SPNEGO authentication is TCP connection scoped, whereas legacy SPNEGO for applications is http-session scoped.
> This different approach can bring these behaviour differences after migration from legacy to Elytron:
>   - if deployment is behind reverse proxy it can lead to user "cross talk" (different http session, but same TCP connection) [1] 
>   - more frequent Kerberos negotiation cycles
>         - load balancer switches to another node (same http session, but new TCP connection)
>         - new tab in browser (same http session, but new TCP connection) [2]
> [1] JBEAP-11882 - (7.1) Using a proxy and spnego on the EAP 7 management console leads to user "cross talk"
> [2] https://superuser.com/questions/1055281/do-web-browsers-use-different-outgoing-ports-for-different-tabs



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
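
A toy model of the two scopes described in the issue, added here as an illustration; it is not Elytron code. The `Server` class, the `request` helper and all connection and session identifiers are assumptions made up for the example, and the session id is treated as already known to the server.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    """Caches an authenticated identity under a key chosen by `scope`."""
    scope: str                                  # "connection" or "session"
    cache: dict = field(default_factory=dict)   # scope key -> identity
    negotiations: int = 0                       # completed SPNEGO exchanges

    def handle(self, conn_id, session_id, ticket_user=None):
        # The scope decides what the cached identity is bound to.
        key = conn_id if self.scope == "connection" else session_id
        if key not in self.cache:
            if ticket_user is None:
                return None                     # models 401 + WWW-Authenticate: Negotiate
            self.negotiations += 1
            self.cache[key] = ticket_user       # identity taken from the ticket
        return self.cache[key]


def request(server, conn_id, session_id, user):
    """Client side: send without a token, answer a challenge with a ticket."""
    identity = server.handle(conn_id, session_id)
    if identity is None:
        identity = server.handle(conn_id, session_id, ticket_user=user)
    return identity


def proxy_cross_talk(scope):
    """Two users, two HTTP sessions, one reused proxy-to-server connection."""
    server = Server(scope)
    request(server, "proxy-conn-1", "sess-alice", "alice")      # constructed ids
    # Identity the server attributes to bob's request on the shared connection.
    return request(server, "proxy-conn-1", "sess-bob", "bob")


def negotiations_for_new_connections(scope, connections=3):
    """One user, one HTTP session, a fresh TCP connection per request
    (new browser tab, or a load balancer switching nodes)."""
    server = Server(scope)
    for i in range(connections):
        request(server, f"conn-{i}", "sess-alice", "alice")
    return server.negotiations


if __name__ == "__main__":
    for scope in ("connection", "session"):
        print(scope, proxy_cross_talk(scope), negotiations_for_new_connections(scope))
```

With connection scope the second user's request is served under the first user's identity and every new connection triggers a fresh negotiation; with session scope neither happens.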

