tomcat-dev mailing list archives

Subject [Bug 54076] SPNEGO authenticator's stateless-ness incompatible with stateful clients
Date Sun, 04 Nov 2012 16:52:23 GMT

--- Comment #5 from Michael Osipov <> ---
(In reply to comment #4)
> There is one work-around already available. Set alwaysUseSession on the
> Authenticator Valve.

This isn't even a workaround for me. You cannot guarantee that the client will
respond with the JSESSIONID cookie. You could end up with generating a huge
amount of empty sessions.

> I have added support for a second work-around to trunk and 7.0.x. This
> work-around enables HTTP keep-alive to be disabled for specified user-agents
> if they attempt to use SPNEGO. This will be included in 7.0.33 onwards.

Well, the server admin needs to know the client's UA preemptively. Is this
really feasible?
The client cannot know that the server is incapable of performing stateful
I'd rather always write "Connection: close" for general safety.

> I'm not a huge fan of adding the ability to cache information per connection
> as that goes against the stateless nature of HTTP. That said, I'd be
> prepared to look at a patch that did this and, depending on how invasive it
> was, would consider such a patch for 8.0.x.

We have discussed this already on the mailing list. Yes, HTTP is stateless but
some auth mechs are stateful. This means that HTTP has to be stateful somehow.
Since this is done on the connection-level, you already have the statefulness
w/o tampering of the HTTP model. Consider that SSL is stateful too and simply
wraps HTTP messages.
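For reference, the two server-side workarounds discussed above, expressed as a Tomcat context.xml fragment. This is an added illustration, not configuration from the bug report or the Tomcat project; the valve attributes are the ones Tomcat 7.0.33+ documents, while the user-agent pattern is an assumed placeholder that an admin would have to replace with the agents actually seen in their logs.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of a SPNEGO-protected web application -->
<Context>
  <!--
    Workaround 1: alwaysUseSession="true" creates an HTTP session on the
    first successful SPNEGO handshake so later requests can be tied to it.
    Caveat from the thread: a client that never echoes the JSESSIONID
    cookie will trigger a fresh session (and a fresh handshake) on every
    request, so session count grows with request count.

    Workaround 2: noKeepAliveUserAgents is a regular expression; requests
    whose User-Agent matches it get "Connection: close" when they attempt
    SPNEGO, forcing the stateful client back to one authenticated request
    per TCP connection. Caveat from the thread: the admin must know the
    offending user agents in advance. The pattern below is an assumed
    placeholder, not a recommended value.
  -->
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
         alwaysUseSession="true"
         noKeepAliveUserAgents=".*EXAMPLE-STATEFUL-CLIENT.*" />
</Context>
```

Enabling both at once covers cookie-aware clients through the session and cookie-less clients through connection close, at the cost of the session growth and UA maintenance the thread describes.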
