1166724 – NegotiationAuthenticator Valve always creates a session regardless of if authentication is happening.

Bug 1166724 - NegotiationAuthenticator Valve always creates a session regardless of if authentication is happening.

Summary: NegotiationAuthenticator Valve always creates a session regardless of if auth...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Security
Sub Component:
Version:	6.4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	DR11
Target Release:	EAP 6.4.0
Assignee:	Darran Lofthouse
QA Contact:	Pavel Slavicek
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-11-21 14:59 UTC by Darran Lofthouse
Modified:	2019-08-19 12:44 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-08-19 12:44:37 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Description Darran Lofthouse 2014-11-21 14:59:45 UTC

Description of problem:

Where SPNEGO authentication takes place a HTTP session needs to be established to track the intermediate state of this negotiation, however as the valve needs to wrap calls to the next valve it is accidentally creating a session for all requests if a session does not already exist.

Comment 1 Kabir Khan 2014-11-22 10:33:43 UTC

https://github.com/jbossas/jboss-eap/pull/2038

Comment 2 Josef Cacek 2014-11-27 17:04:05 UTC

Verified in 6.4.0.DR11.

Note You need to log in before you can comment on or make changes to this bug.