Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-29624

(8.1.z) Identity cache of Elytron CLIENT_CERT authentication mechanism stopped working on new JDKs

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • 8.1.0.Beta
    • Security
    • False
    • Hide

      None

      Show
      None
    • False
    • Known Issue
    • Hide

      Given: applications 1 and 2 are secured by Elytron security domain 1 backed by key-store realm for authentication and properties-realm for authorization,
      and application 3 is secured by Elytron security domain 2 the samerealms,
      and server certificate is in trust store of client,
      and client certificate is in trust store of server,
      and server SSL context cache has maximum size 2 and expires in 2 seconds,

      and client has successfully requested protected resource from application 1 (SSL session is established),
      and authorization realm is changed to assign "anotherRole" to client.

      When client requests (using the same SSL session) protected resource from application 1 that requires role "User",

      then application server should respond with status code 200 OK and requested content (authorization is cached).

      Show
      Given: applications 1 and 2 are secured by Elytron security domain 1 backed by key-store realm for authentication and properties-realm for authorization, and application 3 is secured by Elytron security domain 2 the samerealms, and server certificate is in trust store of client, and client certificate is in trust store of server, and server SSL context cache has maximum size 2 and expires in 2 seconds, and client has successfully requested protected resource from application 1 (SSL session is established), and authorization realm is changed to assign "anotherRole" to client. When client requests (using the same SSL session) protected resource from application 1 that requires role "User", then application server should respond with status code 200 OK and requested content (authorization is cached).

      Starting with Java 11.0.23 and 17.0.10, the identity cache integrated in the Elytron CLIENT_CERT authentication mechanism stopped working. Re-authentication attempts are no longer successful.

      This could impact performance when using the CLIENT_CERT mechanism for authentication.

      This affects cases using TLS 1.2. With TLS 1.3 the feature works as expected.

              darran.lofthouse@redhat.com Darran Lofthouse
              okotek@redhat.com Ondrej Kotek
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: