Subject: svn commit: r1405435 - in /tomcat/trunk: java/org/apache/catalina/authenticator/SpnegoAuthenticator.java webapps/docs/config/valve.xml
Date: Sat, 03 Nov 2012 22:32:34 -0000
To: dev@tomcat.apache.org
From: markt@apache.org
Message-Id: <20121103223234.8E5B523888CD@eris.apache.org>
Author: markt
Date: Sat Nov 3 22:32:33 2012
New Revision: 1405435
URL: http://svn.apache.org/viewvc?rev=1405435&view=rev
Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54076 Work-around that enables HTTP keep-alive to be disabled for specified user agents using SPNEGO.
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java tomcat/trunk/webapps/docs/config/valve.xml
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1405435&r1=1405434&r2=1405435&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java Sat Nov 3 22:32:33 2012 @@ -21,6 +21,7 @@ import java.io.IOException; import java.security.Principal; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; +import java.util.regex.Pattern; import javax.security.auth.Subject; import javax.security.auth.login.LoginContext; 
@@ -69,6 +70,24 @@ public class SpnegoAuthenticator extends this.storeDelegatedCredential = storeDelegatedCredential; } + private Pattern noKeepAliveUserAgents = null; + public String getNoKeepAliveUserAgents() { + Pattern p = noKeepAliveUserAgents; + if (p == null) { + return null; + } else { + return p.pattern(); + } + } + public void setNoKeepAliveUserAgents(String noKeepAliveUserAgents) { + if (noKeepAliveUserAgents == null || + noKeepAliveUserAgents.length() == 0) { + this.noKeepAliveUserAgents = null; + } else { + this.noKeepAliveUserAgents = Pattern.compile(noKeepAliveUserAgents); + } + } + @Override protected String getAuthMethod() { @@ -265,6 +284,16 @@ public class SpnegoAuthenticator extends if (principal != null) { register(request, response, principal, Constants.SPNEGO_METHOD, principal.getName(), null); + + Pattern p = noKeepAliveUserAgents; + if (p != null) { + MessageBytes ua = + request.getCoyoteRequest().getMimeHeaders().getValue( + "user-agent"); + if (ua != null && p.matcher(ua.toString()).matches()) { + response.setHeader("Connection", "close"); + } + } return true; } Modified: tomcat/trunk/webapps/docs/config/valve.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=1405435&r1=1405434&r2=1405435&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/valve.xml (original) +++ tomcat/trunk/webapps/docs/config/valve.xml Sat Nov 3 22:32:33 2012 @@ -1188,6 +1188,18 @@ + +

Should a session always be used once a user is authenticated? This + may offer some performance benefits since the session can then be used + to cache the authenticated Principal, hence removing the need to + authenticate the user on every request. This will also help with clients + that assume that the server will cache the authenticated user. However + there will also be the performance cost of creating and GC'ing the + session. For an alternative solution see + noKeepAliveUserAgents. If not set, the default value of + false will be used.

+
+

Should we cache authenticated Principals if the request is part of an HTTP session? If not specified, the default value of true @@ -1223,6 +1235,25 @@ com.sun.security.jgss.krb5.accept is used.

+ +

Some clients (not most browsers) expect the server to cache the + authenticated user information for a connection and do not resend the + credentials with every request. Tomcat will not do this unless an HTTP + session is available. A session will be availble if either the + application creates one or if alwaysUseSession is enabled + for this Authenticator.

+

As an alternative to creating a session, this attribute may be used + to define the user agents for which HTTP keep-alive is disabled. This + means that a connection will only used for a single request and hence + there is no ability to cache authenticated user information per + connection. There will be a performance cost in disabling HTTP + keep-alive.

+

The attribute should be a regular expression that matches the entire + user-agent string, e.g. .*Chrome.*. If not specified, no + regular expression will be defined and no user agents will have HTTP + keep-alive disabled.

+
+

Controls the caching of pages that are protected by security constraints. Setting this to false may help work around
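Review bot: in the `@@ -69,6 +70,24 @@` hunk, `noKeepAliveUserAgents` is written by `setNoKeepAliveUserAgents` (Digester at start-up, or a JMX call later) and read on request-processing threads, but the field is declared as a plain `private Pattern noKeepAliveUserAgents = null;`, so a value set after the authenticator has started is not guaranteed to become visible to those threads; declaring it `volatile` fixes that, and the existing `Pattern p = noKeepAliveUserAgents;` local copy already gives the read-once semantics the request path needs. Separately, `Pattern.compile(noKeepAliveUserAgents)` lets `PatternSyntaxException` escape unchanged, so a malformed expression in server.xml will surface as a generic attribute-setting failure; wrapping it in an `IllegalArgumentException` that names the attribute would make the configuration error obvious. The new field and both accessors also lack Javadoc, which the rest of this class carries for its configurable properties.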
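Review bot: in the `@@ -265,6 +284,16 @@` hunk, the decision to send `Connection: close` rests entirely on the client-supplied `User-Agent` value, so this is a best-effort workaround rather than a guarantee: a client that omits or changes its User-Agent keeps the connection open and, with no session, is simply re-challenged on its next request as before. That is fine for the bug being fixed, but the valve.xml text should say so, so administrators do not read the attribute as a security control. Two smaller points: the block runs only inside `if (principal != null)`, after `register(...)`, so the initial `Negotiate` challenge and its retry still share one keep-alive connection; a one-line comment explaining that the close is deliberately applied only to the authenticated response would help the next reader. And `p.matcher(ua.toString()).matches()` requires the expression to cover the whole header value, which is consistent with the `.*Chrome.*` example in the docs; a `find()`-style match would silently change that contract, so the choice of `matches()` is worth a comment too.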
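Review bot: in the `@@ -1223,6 +1235,25 @@` hunk of valve.xml there are two typos in the new `noKeepAliveUserAgents` text: "A session will be availble if either the application creates one" should read "available", and "a connection will only used for a single request" is missing "be" ("will only be used for a single request"). It would also help to state explicitly that the value is a `java.util.regex` expression compared against the full User-Agent header with `matches()` semantics, which is what the code in `SpnegoAuthenticator` does, rather than leaving readers to infer it from the `.*Chrome.*` example.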