[jboss-jira] [JBoss JIRA] (WFLY-9614) Make keystore optional in SSO configuration

Martin Choma (JIRA) issues at jboss.org
Wed Dec 13 03:17:01 EST 2017


Martin Choma created WFLY-9614:
----------------------------------

             Summary: Make keystore optional in SSO configuration
                 Key: WFLY-9614
                 URL: https://issues.jboss.org/browse/WFLY-9614
             Project: WildFly
          Issue Type: Bug
          Components: Security, Web (Undertow)
    Affects Versions: 11.0.0.Final
            Reporter: Martin Choma
            Assignee: Darran Lofthouse


A keystore is required [1], so the logout message is signed by default.
It is questionable whether the security this brings is worth the default command complexity, as:
* Integrity of messages could be achieved at the node-to-node communication level
* If the message is not signed, an attacker needs to know the HTTP session id to do any harm. Once the attacker knows the HTTP session id, they can carry out far more useful attacks than logging out the user.

A long discussion on this topic took place in the WildFly Elytron HipChat room between 2017-12-7 and 2017-12-11.

[1] https://docs.jboss.org/author/display/WFLY/Web+Single+Sign-On




--
This message was sent by Atlassian JIRA
(v7.5.0#75005)