  1. JBoss Enterprise Application Platform
  2. JBEAP-11680

(7.1) Kerberos negotiation done in every request


Details

      Set up a Kerberos environment and test using IE (at least IE8, IE9 and IE10 send the token in every request). You will see the negotiation executed with every token sent.

    Description

      IE pre-authenticates with Kerberos in all situations, even when the server does not require any more authentication (the Authorization header is sent in all requests with the associated Kerberos token). The current implementation in jboss-negotiation 3.0.4 (NegotiationMechanism.java) does not take into account whether the user was already authenticated and, therefore, a new re-negotiation is done for every request if the token is there. This is overwhelming extra work for the infrastructure (mainly the AD/Kerberos server).
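      The behaviour described above, next to a variant that reuses the identity already bound to the session, as an added example that is not code from jboss-negotiation or from the reporter. All class and method names are hypothetical, the token validator is a stand-in for the real GSS-API/KDC round trip, and the 60-second cache lifetime is an assumption.

```java
// Added illustration; every name here is hypothetical, none is jboss-negotiation API.
public class NegotiateOncePerSession {
    static final String PREFIX = "Negotiate ";

    /** Stand-in for the costly step: GSS-API acceptance of the ticket against AD/Kerberos. */
    static class TokenValidator {
        int calls = 0;
        String validate(String token) {
            calls++;
            // Constructed rule so the demo runs offline; no real ticket is parsed.
            return token.startsWith("YII") ? "alice@EXAMPLE.COM" : null;
        }
    }

    /** Per-session state: the principal from the last negotiation and when it lapses. */
    static class Session {
        String principal;
        long expiresAtMillis;
    }

    /** Behaviour reported in the issue: negotiate whenever a token is present. */
    static String negotiate(String header, Session s, TokenValidator v, long now, long ttl) {
        if (header == null || !header.startsWith(PREFIX)) return null;
        String p = v.validate(header.substring(PREFIX.length()));
        s.principal = p;                       // a failed negotiation clears the cached identity
        s.expiresAtMillis = (p == null) ? 0 : now + ttl;
        return p;
    }

    /** Reuse the session identity while it is fresh; negotiate only when there is none. */
    static String negotiateOnce(String header, Session s, TokenValidator v, long now, long ttl) {
        if (s.principal != null && now < s.expiresAtMillis) return s.principal;
        return negotiate(header, s, v, now, ttl);
    }

    public static void main(String[] args) {
        String header = PREFIX + "YIIconstructedToken"; // constructed sample header
        long ttl = 60_000;                               // assumed cache lifetime: 60 s
        TokenValidator always = new TokenValidator(), once = new TokenValidator();
        Session a = new Session(), b = new Session();
        for (int i = 0; i < 20; i++) {                   // token resent on every request, 10 s apart
            long now = i * 10_000L;
            negotiate(header, a, always, now, ttl);
            negotiateOnce(header, b, once, now, ttl);
        }
        System.out.println("validations, negotiate on every token: " + always.calls);
        System.out.println("validations, cached per session:       " + once.calls);
    }
}
```

      Bounding the cached identity with an expiry keeps a long-lived session from outliving the credentials that established it, while still removing the per-request load on the KDC.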

      Attachments

        1. standalone.xml
          27 kB
        2. SPNEGO_JBEAP-11680.pcapng
          14 kB
        3. server.log.gz
          108 kB
        4. mchoma-7.0.7.CR3-server.log
          153 kB
        5. hello-spnego-jboss.zip
          161 kB


            People

              darran.lofthouse@redhat.com Darran Lofthouse
              rhn-support-rmartinc Ricardo Martin Camarero