[JBEAP-29624] Identity cache of Elytron CLIENT_CERT authentication mechanism stopped working on new JDKs - Red Hat Issue Tracker

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: None
Affects Version/s: 8.1.0.Beta
Component/s: Security
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

8.1.0.GA
Steps to Reproduce:

Hide

Given: applications 1 and 2 are secured by Elytron security domain 1 backed by key-store realm for authentication and properties-realm for authorization,
and application 3 is secured by Elytron security domain 2 the samerealms,
and server certificate is in trust store of client,
and client certificate is in trust store of server,
and server SSL context cache has maximum size 2 and expires in 2 seconds,

and client has successfully requested protected resource from application 1 (SSL session is established),
and authorization realm is changed to assign "anotherRole" to client.

When client requests (using the same SSL session) protected resource from application 1 that requires role "User",

then application server should respond with status code 200 OK and requested content (authorization is cached).

Show
Given: applications 1 and 2 are secured by Elytron security domain 1 backed by key-store realm for authentication and properties-realm for authorization, and application 3 is secured by Elytron security domain 2 the samerealms, and server certificate is in trust store of client, and client certificate is in trust store of server, and server SSL context cache has maximum size 2 and expires in 2 seconds, and client has successfully requested protected resource from application 1 (SSL session is established), and authorization realm is changed to assign "anotherRole" to client. When client requests (using the same SSL session) protected resource from application 1 that requires role "User", then application server should respond with status code 200 OK and requested content (authorization is cached).
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Starting with Java 11.0.23 and 17.0.10, the identity cache integrated in the Elytron CLIENT_CERT authentication mechanism stopped working. Re-authentication attempts are no longer successful.

This could impact performance when using the CLIENT_CERT mechanism for authentication.

clones

JBEAP-27485 Identity cache of Elytron CLIENT_CERT authentication mechanism stopped working on new JDKs

Assignee:: Unassigned

Reporter:: Ondrej Kotek

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2025/03/12 8:32 AM

Updated:: 2025/03/12 8:44 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide