JBoss Enterprise Application Platform: JBEAP-27485

Identity cache of Elytron CLIENT_CERT authentication mechanism stopped working on new JDKs


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Version: 8.0 Update 3
    • Component: Security

      Given: applications 1 and 2 are secured by Elytron security domain 1 backed by key-store realm for authentication and properties-realm for authorization,
      and application 3 is secured by Elytron security domain 2 backed by the same realms,
      and server certificate is in trust store of client,
      and client certificate is in trust store of server,
      and server SSL context cache has maximum size 2 and expires in 2 seconds,

      and client has successfully requested protected resource from application 1 (SSL session is established),
      and authorization realm is changed to assign "anotherRole" to client.

      When client requests (using the same SSL session) protected resource from application 1 that requires role "User",

      then application server should respond with status code 200 OK and requested content (authorization is cached).

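      The "Given" part of the scenario above, expressed as an Elytron configuration. This is an added example and not a script from the JBEAP-27485 report or from the EAP project itself. All resource names (trustStore, certRealm, rolesRealm, certAndRoles, cnDecoder, certDomain1, certDomain2, certAuth1, certAuth2, serverSSC, appDomain1, appDomain2), the file names, the password "secret" and the contents of the properties files are assumptions; serverKM and serverTM are assumed to be existing key-manager and trust-manager resources for the server certificate and the client's issuer, and groups-to-roles and default-permission-mapper are the resources present in the default configuration. The "maximum size 2 and expires in 2 seconds" of the scenario maps to the maximum-session-cache-size and session-timeout attributes of the server-ssl-context.

```jboss-cli
# Added example (not part of the JBEAP-27485 report): builds the scenario's
# two security domains over the same key-store realm (authentication) and
# properties realm (authorization), with CLIENT_CERT and a small, short-lived
# SSL session cache. Names, paths and passwords are assumptions.

batch

# Key-store realm: the client is authenticated by the certificate it presents in
# the TLS handshake (need-client-auth below). The trust store holds the client
# certificate; its alias must equal the CN decoded by cnDecoder (assumed "client").
/subsystem=elytron/key-store=trustStore:add(type=JKS, path=client.truststore, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret})
/subsystem=elytron/key-store-realm=certRealm:add(key-store=trustStore)

# Properties realm used for authorization only. Constructed sample contents:
#   users.properties: client=
#   roles.properties: client=User
# Changing roles.properties to "client=anotherRole" is the scenario's
# "authorization realm is changed" step.
/subsystem=elytron/properties-realm=rolesRealm:add(users-properties={path=users.properties, relative-to=jboss.server.config.dir, plain-text=true}, groups-properties={path=roles.properties, relative-to=jboss.server.config.dir})

# Authenticate against the certificate, load roles from the properties file.
/subsystem=elytron/aggregate-realm=certAndRoles:add(authentication-realm=certRealm, authorization-realm=rolesRealm)

# Map the certificate subject (CN=client,...) to the plain name "client" used as
# the key-store alias and in the properties files.
/subsystem=elytron/x500-attribute-principal-decoder=cnDecoder:add(attribute-name=cn, maximum-segments=1)

# Security domain 1 (applications 1 and 2) and security domain 2 (application 3)
# share the same realms.
/subsystem=elytron/security-domain=certDomain1:add(realms=[{realm=certAndRoles, role-decoder=groups-to-roles}], default-realm=certAndRoles, principal-decoder=cnDecoder, permission-mapper=default-permission-mapper)
/subsystem=elytron/security-domain=certDomain2:add(realms=[{realm=certAndRoles, role-decoder=groups-to-roles}], default-realm=certAndRoles, principal-decoder=cnDecoder, permission-mapper=default-permission-mapper)

# CLIENT_CERT HTTP mechanism for each domain.
/subsystem=elytron/http-authentication-factory=certAuth1:add(security-domain=certDomain1, http-server-mechanism-factory=global, mechanism-configurations=[{mechanism-name=CLIENT_CERT}])
/subsystem=elytron/http-authentication-factory=certAuth2:add(security-domain=certDomain2, http-server-mechanism-factory=global, mechanism-configurations=[{mechanism-name=CLIENT_CERT}])

# Server SSL context: mutual TLS, and a session cache holding at most 2 sessions
# that expire after 2 seconds (session-timeout is in seconds).
/subsystem=elytron/server-ssl-context=serverSSC:add(key-manager=serverKM, trust-manager=serverTM, need-client-auth=true, maximum-session-cache-size=2, session-timeout=2)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=serverSSC)

# Undertow application security domains, referenced from each deployment's
# jboss-web.xml <security-domain> element (app1/app2 -> appDomain1, app3 -> appDomain2).
/subsystem=undertow/application-security-domain=appDomain1:add(http-authentication-factory=certAuth1)
/subsystem=undertow/application-security-domain=appDomain2:add(http-authentication-factory=certAuth2)

run-batch
reload
```

      To exercise the "When" step against this configuration, the client must resume the TLS session established by the first request (within the 2-second session-timeout), not open a fresh handshake; only then does the second request hit the identity cached by the CLIENT_CERT mechanism and get 200 with the old "User" role despite roles.properties now saying "anotherRole". The same behaviour is the caveat to keep in mind when enabling this cache in production: a role change or revocation is not seen until the cached session expires, so session-timeout bounds the window of stale authorization.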

      Starting with Java 11.0.23 and 17.0.10, the identity cache integrated in the Elytron CLIENT_CERT authentication mechanism stopped working: re-authentication attempts that rely on the cached identity are no longer successful.

      This could impact performance when using the CLIENT_CERT mechanism for authentication.

            Assignee: Unassigned
            Reporter: Ondrej Kotek (okotek@redhat.com)