Loading...

XML

Word

Printable

Affects:

Documentation (Ref Guide, User Guide, etc.)
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA
Git Pull Request:
https://github.com/jbossas/jboss-eap7/pull/2274, https://github.com/wildfly-security/elytron-web/pull/106, https://github.com/wildfly-security/wildfly-elytron/pull/936
Steps to Reproduce:
Hide

git clone git@gitlab.mw.lab.eng.bos.redhat.com:mchoma/tests-ldap-kerberos.git cd tests-ldap-kerberos git checkout JBEAP-12460 ./build-eap71.sh -Dversion.jboss.bom=7.1.0.GA -Dversion.wildfly.core=3.0.0.Beta30-redhat-1 -Dmaven.repo.local=/home/mchoma/workspace/eap-versions/7.1.0.ER3/jboss-eap-7.1.0.GA-maven-repository/maven-repository -Djboss.dist.zip=/home/mchoma/workspace/git-repositories/wildfly/build/target/wildfly-11.0.0.CR1-SNAPSHOT.zip -Dmaven.test.failure.ignore=true -Dtest=SPNEGO*TestCase,KerberosHttpInterface*TestCase
Show
git clone git@gitlab.mw.lab.eng.bos.redhat.com:mchoma/tests-ldap-kerberos.git cd tests-ldap-kerberos git checkout JBEAP-12460 ./build-eap71.sh -Dversion.jboss.bom=7.1.0.GA -Dversion.wildfly.core=3.0.0.Beta30-redhat-1 -Dmaven.repo.local=/home/mchoma/workspace/eap-versions/7.1.0.ER3/jboss-eap-7.1.0.GA-maven-repository/maven-repository -Djboss.dist.zip=/home/mchoma/workspace/git-repositories/wildfly/build/target/wildfly-11.0.0.CR1-SNAPSHOT.zip -Dmaven.test.failure.ignore= true -Dtest=SPNEGO*TestCase,KerberosHttpInterface*TestCase

Currently Elytron SPNEGO authnetication is tcp connection scoped, whereas legacy SPNEGO for applications is http-session scoped.

This different approach can bring these behaviour differences after migration from legacy to Elytron:

if deployment is behind reverse proxy it can lead to user "cross talk" (different http session, but same TCP connection) [1]
more frequent kerberos negotiation cycles
- load balancer switches to another node (same http session, but new TCP connection)
- new tab in browser (same http session, but new TCP connection) [2]

[1] JBEAP-11882 - (7.1) Using a proxy and spnego on the EAP 7 management console leads to user "cross talk"
[2] https://superuser.com/questions/1055281/do-web-browsers-use-different-outgoing-ports-for-different-tabs

incorporates

ELY-1312 Further Scoping and Caching Enhancements to the SpnegoAuthenticationMechanism

is cloned by

ELY-1314 Elytron, make scope of SPNEGO authentication configurable

JBEAP-12656 Elytron, make scope of SPNEGO authentication mechanism configurable

is incorporated by

JBEAP-12390 Upgrade WildFly Elytron to 1.1.0.CR5

is related to

JBEAP-12432 IllegalStateException: ELY01003: No authentication is in progress