[ 
https://issues.apache.org/jira/browse/KNOX-571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15657282#comment-15657282
 ] 

Jeffrey E  Rodriguez commented on KNOX-571:
-------------------------------------------

Hi Summit,

This is more relevant for Web Interfaces that don't use the pass through 
approach and still rely on Knox authentication. 

Some questions: 

1. If a web application is using KnoxSSO, how would it logout the session? 
2. If the web application uses Knox pass through, can the application still do 
Basic or Form authentication through Knox?
3. Can the pass through approach be used to extend the web application login 
module? (the application does the login but still delegates authentication to 
Knox - sort of an authentication assertion). If this is the case then do we have 
an example? If we don't have an example maybe we need to add one.

We have existing value add like BigSQL DSM that rely on basic authentication in 
Knox so I would like to revisit how we logout sessions.

> UI Web pages should have a way to logout
> ----------------------------------------
>
>                 Key: KNOX-571
>                 URL: https://issues.apache.org/jira/browse/KNOX-571
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 0.7.0
>         Environment: Redhat/Windows
>            Reporter: Jeffrey E  Rodriguez
>             Fix For: Future
>
>         Attachments: knox_logout_design.jpg
>
>
> UI using Knox as a proxy should have a way to define a logout so that the 
> browser-to-Knox session is invalidated and the user is challenged for 
> authentication. This is a web security requirement to prevent session 
> hijacking attacks.
> References
> https://www.owasp.org/index.php/Session_hijacking_attack
> https://owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-007%29



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

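As an added example (not code from this ticket or from Apache Knox itself), the sketch below shows what a logout endpoint for the first case above, a UI proxied through Knox that still relies on Knox Basic/Form authentication, has to do to meet the OTG-SESS-007 requirement quoted in the issue: invalidate the server-side session, expire the cookies the browser holds, and re-challenge for credentials. The cookie name "hadoop-jwt", the session cookie name "JSESSIONID", the cookie path "/", the realm string and the servlet mount point are assumptions for the example and must match the real deployment.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical logout endpoint for a UI proxied through Knox that still
 * relies on Knox (Basic/Form) authentication. Added example, not Knox code.
 * Mount it at a path such as /logout inside the UI.
 */
public class LogoutServlet extends HttpServlet {

    // ASSUMPTION: "hadoop-jwt" is the cookie KnoxSSO issues by default; if
    // the deployment renames it, change this constant.
    private static final String SSO_COOKIE = "hadoop-jwt";
    // ASSUMPTION: the servlet container's own session cookie name.
    private static final String SESSION_COOKIE = "JSESSIONID";
    // ASSUMPTION: must match the realm the gateway challenges with.
    private static final String REALM = "knox";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Kill the server-side session so a replayed cookie cannot reuse it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Tell the browser to drop the cookies that carried the session.
        //    Path (and domain, if one was set) must match the cookie as
        //    originally issued or the browser ignores the expiry, which is the
        //    usual cause of a "logout does nothing" finding.
        for (String name : new String[] { SSO_COOKIE, SESSION_COOKIE }) {
            Cookie expired = new Cookie(name, "");
            expired.setMaxAge(0);            // delete immediately
            expired.setPath("/");            // ASSUMPTION: cookies were set for "/"
            expired.setHttpOnly(true);
            expired.setSecure(req.isSecure());
            resp.addCookie(expired);
        }

        // 3. Keep the logout response, and anything the browser shows after
        //    it, out of the cache.
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        // 4. Re-challenge. A 401 with WWW-Authenticate makes the browser
        //    prompt again. Caveat for Basic auth: browsers cache credentials
        //    per realm and may resend them silently, so this is best effort;
        //    only closing the browser, or a cookie/token scheme such as
        //    KnoxSSO whose cookie was expired above, gives a hard logout.
        resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        resp.setContentType("text/plain");
        resp.getWriter().write("Logged out");
    }

    // Logout is POST only (ideally carrying the app's CSRF token) so that a
    // third-party page cannot log the user out with a cross-site GET.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setHeader("Allow", "POST");
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

When testing this against OTG-SESS-007, the check is to capture the session/SSO cookie before logout, call the endpoint, and then replay the captured cookie against a protected page: it must be refused. Note that for the KnoxSSO case (question 1 above) expiring the cookie in the browser does not revoke the JWT itself, so a copied token stays valid until its expiry unless the gateway also keeps a revocation list.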