WildFly Elytron: ELY-2786

Identity cache of CLIENT_CERT authentication mechanism stopped working on new JDKs


Type: Bug
Resolution: Unresolved
Priority: Critical
Affects Version/s: 2.5.0.Final

      Given: applications 1 and 2 are secured by Elytron security domain 1, backed by a key-store realm for authentication and a properties-realm for authorization,
      and application 3 is secured by Elytron security domain 2, backed by the same realms,
      and the server certificate is in the client's trust store,
      and the client certificate is in the server's trust store,
      and the server SSL context's session cache has a maximum size of 2 and entries expire after 2 seconds,

      and the client has successfully requested a protected resource from application 1 (an SSL session is established),
      and the authorization realm is changed to assign "anotherRole" to the client.

      When the client requests (using the same SSL session) a protected resource from application 1 that requires the role "User",

      then the application server should respond with status code 200 OK and the requested content (the authorization is cached).


      Starting with Java 11.0.23 and 17.0.10, the identity cache integrated into the Elytron CLIENT_CERT authentication mechanism no longer works: re-authentication attempts are no longer successful.

      This can degrade performance for deployments that authenticate with the CLIENT_CERT mechanism.
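      The scenario above, as an added reproduction client in Python (this is not code from the issue or from Elytron). It makes the first request with the client certificate, rewrites the client's roles in the properties-realm groups file, then repeats the request on the resumed TLS session and reports whether the cached authorization was used. The host, port, path, PEM file names, groups-file path and format, and the principal name are assumptions about the test setup; the realm's reload behaviour is not modelled, so the role change must be visible to the server before the second request.

```python
"""Client-side reproduction of the Given/When/Then scenario in ELY-2786.
Added example, not part of the issue or of Elytron. HOST, PORT, PATH, the PEM
file names, GROUPS_FILE and PRINCIPAL are assumptions about the test setup."""
import socket
import ssl

HOST = "localhost"                 # assumption: the server certificate must be valid for this name
PORT = 8443                        # assumption: WildFly default HTTPS port
PATH = "/app1/protected"           # assumption: resource of application 1 requiring role "User"
CLIENT_CERT = "client.pem"         # assumption: client certificate + private key (PEM)
SERVER_CA = "server-ca.pem"        # assumption: issuer of the server certificate (client trust store)
GROUPS_FILE = "groups.properties"  # assumption: properties-realm groups file used for authorization
PRINCIPAL = "client"               # assumption: principal the server decodes from the client certificate


def build_client_context(server_ca=SERVER_CA, client_cert=CLIENT_CERT):
    """TLS client context: trust the server, present the client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=server_ca)
    ctx.load_cert_chain(certfile=client_cert)
    return ctx


def parse_status(response):
    """Status code of a raw HTTP/1.x response: b'HTTP/1.1 200 OK\\r\\n...' -> 200."""
    parts = response.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % (parts,))
    return int(parts[1])


def fetch(ctx, host, port, path, session=None):
    """One HTTPS GET. Returns (status, tls_session, session_reused).
    Passing a previous SSLSession requests resumption; session_reused tells
    whether the server accepted it, which is the scenario's "same SSL session"."""
    raw = socket.create_connection((host, port), timeout=5)
    tls = ctx.wrap_socket(raw, server_hostname=host, session=session)
    try:
        tls.sendall(b"GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
                    % (path.encode("ascii"), host.encode("ascii")))
        chunks = []
        while True:
            data = tls.recv(4096)
            if not data:
                break
            chunks.append(data)
        # Read the session only after the response: under TLS 1.3 the session
        # ticket arrives after the handshake, so it is not available earlier.
        return parse_status(b"".join(chunks)), tls.session, tls.session_reused
    finally:
        tls.close()


def assign_roles(groups_file, principal, roles):
    """Rewrite the principal's line in a properties-realm groups file
    (format assumed: one 'name=role1,role2' line per user, '#' comments)."""
    with open(groups_file, "r", encoding="utf-8") as f:
        lines = f.read().splitlines()
    out, found = [], False
    for line in lines:
        if not line.lstrip().startswith("#") and line.split("=", 1)[0].strip() == principal:
            out.append("%s=%s" % (principal, roles))
            found = True
        else:
            out.append(line)
    if not found:
        out.append("%s=%s" % (principal, roles))
    with open(groups_file, "w", encoding="utf-8") as f:
        f.write("\n".join(out) + "\n")


def classify(second_status, session_reused):
    """Map the second request's outcome onto the scenario's expectation."""
    if not session_reused:
        return "session-not-resumed"   # precondition failed; says nothing about the cache
    if second_status == 200:
        return "cache-hit"             # authorization served from the cached identity, as expected
    return "re-evaluated:%d" % second_status  # identity re-established against the changed realm


def reproduce(ctx, host=HOST, port=PORT, path=PATH, groups_file=GROUPS_FILE, principal=PRINCIPAL):
    """Run the scenario end to end and return the classification of the second request.
    The server's session cache expires after 2 seconds, so the realm change and
    the second request must complete within that window."""
    first_status, session, _ = fetch(ctx, host, port, path)
    if first_status != 200:
        raise RuntimeError("first request returned %d; check certificates and roles" % first_status)
    assign_roles(groups_file, principal, "anotherRole")   # client no longer holds "User"
    second_status, _, reused = fetch(ctx, host, port, path, session=session)
    return classify(second_status, reused)


if __name__ == "__main__":
    print(reproduce(build_client_context()))
```

      A result of session-not-resumed means the precondition was not met (for example the 2-second session timeout elapsed before the second request), so that run says nothing about the identity cache. cache-hit is the outcome the scenario expects; any re-evaluated:<status> value means the second request was not answered from the cached identity.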

              Assignee: Unassigned
              Reporter: Ondrej Kotek (okotek@redhat.com)
              Votes: 0
              Watchers: 3