[jboss-jira] [JBoss JIRA] (ELY-1519) Make restore of SecurityIdentity on replicated session configurable
Martin Choma (JIRA)
issues at jboss.org
Tue Feb 20 09:14:00 EST 2018
[ https://issues.jboss.org/browse/ELY-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Choma updated ELY-1519:
------------------------------
Steps to Reproduce:
clones of testNodeRestart, testFailover, testChangeNode from SPNEGOSessionManualHaTest using new flag
{code}
git clone git@gitlab.mw.lab.eng.bos.redhat.com:jbossqe-eap/tests-ldap-kerberos.git
./build-eap71.sh -Deap -Dversion.jboss.bom=7.2.0.EL12.Beta1 -Dversion.wildfly.core=4.0.0.Beta1-redhat-1 -Dmaven.repo.local=/home/mchoma/eap/7.2.0.EL12.ER1/jboss-eap-7.2.0.EL12.Beta1-maven-repository/maven-repository -Djboss.dist=/home/mchoma/eap/7.2.0.EL12.ER1/jboss-eap-7.2 -Dtest=SPNEGOSessionManualHaTest
{code}
was:
clones of testNodeRestart, testFailover, testChangeNode from SPNEGOSessionManualHaTest using new flag
/code git clone git@gitlab.mw.lab.eng.bos.redhat.com:mchoma/tests-ldap-kerberos.git
./build-eap71.sh -Deap -Dversion.jboss.bom=7.2.0.EL12.Beta1 -Dversion.wildfly.core=4.0.0.Beta1-redhat-1 -Dmaven.repo.local=/home/mchoma/eap/7.2.0.EL12.ER1/jboss-eap-7.2.0.EL12.Beta1-maven-repository/maven-repository -Djboss.dist=/home/mchoma/eap/7.2.0.EL12.ER1/jboss-eap-7.2 -Dtest=SPNEGOSessionManualHaTest
> Make restore of SecurityIdentity on replicated session configurable
> -------------------------------------------------------------------
>
> Key: ELY-1519
> URL: https://issues.jboss.org/browse/ELY-1519
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Authentication Mechanisms
> Affects Versions: 1.2.0.Final
> Reporter: Martin Choma
>
> Currently, in a clustered environment, the Security Identity is restored during
> * failover
> * load balancer change node (not sticky behaviour)
> * session passivation/activation
> This is mainly expected and good. It ensures a performance gain because no additional SPNEGO negotiation is performed. But it can cause trouble for Kerberos ticket propagation, as a Kerberos ticket can't be serialized and restored.
> So the idea is to have a flag to turn this default behaviour off. When a user authenticates to app1 on serverA and then wants to access app1 on serverB, SPNEGO authentication will be activated and a Kerberos ticket will be negotiated and will be available on serverB as well.
> This is a follow-up on ELY-1503
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)