[jboss-jira] [JBoss JIRA] (WFLY-9614) Make keystore optional in SSO configuration

Darran Lofthouse (Jira) issues at jboss.org
Fri Jul 12 11:17:00 EDT 2019


    [ https://issues.jboss.org/browse/WFLY-9614?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13758721#comment-13758721 ] 

Darran Lofthouse commented on WFLY-9614:
----------------------------------------

It is actually likely this should be referencing a credential store.

When it comes to anything involving signatures, either their generation or validation, another thing to consider is whether we should have a service to perform that function, so that the actual keys do not need to be used by multiple components.

> Make keystore optional in SSO configuration
> -------------------------------------------
>
>                 Key: WFLY-9614
>                 URL: https://issues.jboss.org/browse/WFLY-9614
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security, Web (Undertow)
>    Affects Versions: 11.0.0.Final
>            Reporter: Martin Choma
>            Priority: Major
>
> Keystore is required [1], thus signing logout message by default.
> It is questionable whether the security this brings is worth the default command complexity, as:
> * Integrity of messages could be achieved on the node-to-node communication level
> * If the message was not signed, an attacker needs to know the HTTP session id to do harm. Once an attacker knows the HTTP session id, he can do a lot more useful attacks than logging the user out.
> Some long communication on the topic occurred in the WildFly Elytron HipChat room 2017-12-7 - 2017-12-11.
> [1] https://docs.jboss.org/author/display/WFLY/Web+Single+Sign-On
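The signing-service idea raised in the comment above, as an added example that is not WildFly or Elytron code and not the design the issue settled on: one component holds the HMAC key and exposes sign/verify, so the SSO nodes that emit or consume logout messages never handle the key material themselves. The class and function names are hypothetical, and the key and session id are constructed demo values.

```python
import hashlib
import hmac


class LogoutSigningService:
    """Hypothetical service that owns the logout-message key.

    Callers can ask it to sign or verify a logout message, but the key
    bytes are never returned, so the components that send or receive
    logout messages do not need access to the key.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key  # kept private; in a real system this would come from a credential store

    @staticmethod
    def _message(session_id: str, issued_at: int) -> bytes:
        # Canonical form of what is signed: purpose, session id and issue time.
        return f"logout|{session_id}|{issued_at}".encode()

    def sign(self, session_id: str, issued_at: int) -> str:
        return hmac.new(self._key, self._message(session_id, issued_at),
                        hashlib.sha256).hexdigest()

    def verify(self, session_id: str, issued_at: int, tag: str,
               now: int, max_age: int = 300) -> bool:
        # Reject messages from the future or older than max_age seconds
        # (replay window), then compare the tag in constant time.
        if issued_at > now or now - issued_at > max_age:
            return False
        expected = self.sign(session_id, issued_at)
        return hmac.compare_digest(expected, tag)


# Constructed demo key; a deployment would load this from a credential store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def demo() -> tuple:
    """Sign a logout message, then check a valid, a tampered and a stale copy.

    Returns (valid_accepted, tampered_accepted, stale_accepted).
    """
    svc = LogoutSigningService(DEMO_KEY)
    issued = 1_700_000_000          # constructed issue timestamp
    tag = svc.sign("ABC123", issued)  # constructed session id

    valid = svc.verify("ABC123", issued, tag, now=issued + 5)
    tampered = svc.verify("XYZ999", issued, tag, now=issued + 5)   # session id altered
    stale = svc.verify("ABC123", issued, tag, now=issued + 1000)   # outside replay window
    return valid, tampered, stale


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of the split is that a node receiving a logout message calls `verify` with the message fields and tag; it never sees `DEMO_KEY`, so compromising that node does not disclose the signing key to an attacker.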



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

