  1. JBoss Enterprise Application Platform
  2. JBEAP-15807

(7.2.z) Make restore of SecurityIdentity on replicated session configurable


    • Bug
    • Resolution: Done
    • Major
    • None
    • 7.2.0.GA
    • Security
    • None
    • Closing JBEAP issue since we don't have a customer case. Will track it with ELY-1519.
    • clones of testNodeRestart, testFailover, testChangeNode from SPNEGOSessionManualHaTest using new flag

      git clone git@gitlab.mw.lab.eng.bos.redhat.com:jbossqe-eap/tests-ldap-kerberos.git
      ./build-eap71.sh -Deap -Dversion.jboss.bom=7.2.0.EL12.Beta1 -Dversion.wildfly.core=4.0.0.Beta1-redhat-1 -Dmaven.repo.local=/home/mchoma/eap/7.2.0.EL12.ER1/jboss-eap-7.2.0.EL12.Beta1-maven-repository/maven-repository -Djboss.dist=/home/mchoma/eap/7.2.0.EL12.ER1/jboss-eap-7.2 -Dtest=SPNEGOSessionManualHaTest

      Currently, in a clustered environment, the Security Identity is restored during:

      • failover
      • load balancer change of node (non-sticky behaviour)
      • session passivation/activation

      This is mainly expected and good. It ensures a performance gain because no additional SPNEGO negotiation is performed. But it can cause trouble for Kerberos ticket propagation, as a Kerberos ticket can't be serialized and restored.

      So the idea is to have a flag to turn this default behaviour off. When a user authenticates to app1 on serverA and then wants to access app1 on serverB, SPNEGO authentication will be activated and a Kerberos ticket will be negotiated and will be available on serverB as well.

              rhn-support-ivassile Ilia Vassilev
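The trade-off described in the issue, as an added example that is not part of the original issue and is not WildFly Elytron code: a simplified Java model in which the cached identity survives session replication but its non-serializable credential does not. The class names, the `restoreOnReplication` flag and the sample principals are assumptions made for illustration.

```java
import java.io.*;

// Simplified model, not WildFly Elytron code: every class and flag name here is hypothetical.
public class ReplicatedIdentityDemo {
    // Stand-in for a delegated Kerberos credential; deliberately not Serializable.
    static final class DelegatedTicket {
        final String servicePrincipal;
        DelegatedTicket(String servicePrincipal) { this.servicePrincipal = servicePrincipal; }
    }

    // What a session-backed identity cache might hold for an authenticated user.
    static final class CachedIdentity implements Serializable {
        private static final long serialVersionUID = 1L;
        final String principal;
        transient DelegatedTicket ticket; // dropped on replication or passivation
        CachedIdentity(String principal, DelegatedTicket ticket) {
            this.principal = principal;
            this.ticket = ticket;
        }
    }

    // Models replication of the session attribute from serverA to serverB.
    static CachedIdentity replicate(CachedIdentity id) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(id);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (CachedIdentity) in.readObject();
        }
    }

    // Decision on the receiving node; restoreOnReplication is the hypothetical flag.
    static String handleRequest(CachedIdentity replicated, boolean restoreOnReplication) {
        if (restoreOnReplication && replicated != null) {
            return "200 as " + replicated.principal + ", ticket available: " + (replicated.ticket != null);
        }
        // Flag off: ignore the replicated identity and force a fresh SPNEGO exchange.
        return "401 WWW-Authenticate: Negotiate";
    }

    public static void main(String[] args) throws Exception {
        CachedIdentity onServerA = new CachedIdentity("alice@EXAMPLE.COM", // constructed sample values
                new DelegatedTicket("HTTP/serverA@EXAMPLE.COM"));
        CachedIdentity onServerB = replicate(onServerA);
        System.out.println("default : " + handleRequest(onServerB, true));
        System.out.println("flag off: " + handleRequest(onServerB, false));
    }
}
```

With the flag on, serverB serves the request under the restored principal but has no ticket to propagate; with it off, the client is challenged again and a new ticket is negotiated on serverB.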