-
Documentation
-
Resolution: Done
-
Major
-
7.1.0.ER3
Currently Elytron SPNEGO authnetication is tcp connection scoped, whereas legacy SPNEGO for applications is http-session scoped.
This different approach can bring these behaviour differences after migration from legacy to Elytron:
- if deployment is behind reverse proxy it can lead to user "cross talk" (different http session, but same TCP connection) [1]
- more frequent kerberos negotiation cycles
- load balancer switches to another node (same http session, but new TCP connection)
- new tab in browser (same http session, but new TCP connection) [2]
[1] JBEAP-11882 - (7.1) Using a proxy and spnego on the EAP 7 management console leads to user "cross talk"
[2] https://superuser.com/questions/1055281/do-web-browsers-use-different-outgoing-ports-for-different-tabs
- clones
-
JBEAP-12460 Elytron, make scope of SPNEGO authentication mechanism configurable
- Closed
- is related to
-
JBEAP-14244 Add additional information regarding session states
- Closed