[jboss-jira] [JBoss JIRA] (ELY-1406) Elytron, IBM SPNEGO misconfiguration handling difference

Jan Kalina (JIRA) issues at jboss.org
Tue Oct 17 04:27:00 EDT 2017 

     [ https://issues.jboss.org/browse/ELY-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Kalina updated ELY-1406:
----------------------------
    Description: 
Fallback on unavailable KDC is on IBM JDK too slow, because server is waiting for the KDC around 30 seconds on every HTTP request.

Should be possible to configure IBM JDK to not contact KDC, or at least to cache failed state of GSSCredential obtaining for defined time period.

  was:
IBM jdk creates kerberos ticket on server side - in other words validates server kerberos configuration. 

This is different to how Oracle/OpenJDK works, where this behaviour can be switch on with obtain-kerberos-ticket attribute [1].

Main question here is, could be this default IBM java behaviour switched off? .

Because this can make troubles when KDC is temporary down - with IBM java it won't be possible to fallback to another authentication.

Basically, this is separate tracking issue for this comment [2]

[1] https://issues.jboss.org/browse/JBEAP-10246?focusedCommentId=13392098&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13392098
[2] https://issues.jboss.org/browse/JBEAP-10653?focusedCommentId=13407417&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13407417



> Elytron, IBM SPNEGO misconfiguration handling difference
> --------------------------------------------------------
>
>                 Key: ELY-1406
>                 URL: https://issues.jboss.org/browse/ELY-1406
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Credentials
>    Affects Versions: 1.2.0.Beta6
>            Reporter: Jan Kalina
>            Assignee: Jan Kalina
>            Priority: Critical
>
> Fallback on unavailable KDC is on IBM JDK too slow, because server is waiting for the KDC around 30 seconds on every HTTP request.
> Should be possible to configure IBM JDK to not contact KDC, or at least to cache failed state of GSSCredential obtaining for defined time period.



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

More information about the jboss-jira mailing list