[ 
https://issues.apache.org/jira/browse/KNOX-761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15588490#comment-15588490
 ] 

Larry McCay commented on KNOX-761:
----------------------------------

Updated j2e-pac4j and pac4j to latest version and it fixed the issue.  In 
version 1.3.2 configuration is set in 
org.pac4j.j2e.filter.SecurityFilter rather than ConfigSingleton and that 
resolved the issue.  Also had to update 
Pac4jDispatcherFilter to use SecurityFilter (replacing 
RequiresAuthenticationFilter from version 1.2.2)

Need to determine whether these changes would require that we drop Java 7 
support, which would not be ideal at this point given the rest of the ecosystem.

[~jleleu] - any insight into the above would be appreciated. Is there a 
possibility to backport the changes that would resolve the issues here?

> KnoxSSO Needs to Support Multi-tenant Usecases
> ----------------------------------------------
>
>                 Key: KNOX-761
>                 URL: https://issues.apache.org/jira/browse/KNOX-761
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 0.10.0
>
>
> In a deployment that separates tenant access to Hadoop resources through 
> dedicated topologies with tenant specific authentication, there are a couple 
> issues:
> * pac4j provider seems to be caching config settings in a singleton which 
> makes the redirect url nondeterministic.
> * knoxsso cookie would be trusted across tenant specific topologies which 
> could lead to unauthorized access to resources that belong to another tenant
> The use of tenant specific audience claims within the JWT token could be used 
> to mitigate the cross tenant trust issue.
> We need to investigate the pac4j provider issue with the singleton config.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
