Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-12656

Elytron, make scope of SPNEGO authentication mechanism configurable

XMLWordPrintable

      Currently Elytron SPNEGO authnetication is tcp connection scoped, whereas legacy SPNEGO for applications is http-session scoped.

      This different approach can bring these behaviour differences after migration from legacy to Elytron:

      • if deployment is behind reverse proxy it can lead to user "cross talk" (different http session, but same TCP connection) [1]
      • more frequent kerberos negotiation cycles
        • load balancer switches to another node (same http session, but new TCP connection)
        • new tab in browser (same http session, but new TCP connection) [2]

      [1] JBEAP-11882 - (7.1) Using a proxy and spnego on the EAP 7 management console leads to user "cross talk"
      [2] https://superuser.com/questions/1055281/do-web-browsers-use-different-outgoing-ports-for-different-tabs

              rhn-support-chuffman Christian Huffman
              darran.lofthouse@redhat.com Darran Lofthouse
              Martin Choma Martin Choma
              Martin Choma Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: