tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: Detect in an authenticator whether a connection is persistent or not
Date Sat, 27 Oct 2012 20:18:47 GMT

> >>> I have no usecase for this at the moment :-(, I only provide patches
> for
> >>> stuff I suffer from at work.
> >>
> >> The below looks like a use case to me.
> >>
> >>> As this [1] draft lays out Negotiate and Kerberos may apply to
> >>> connection or request level auth. We are just lucky that the first
> >>> gss_accept_sec_context makes the context complete in the SPNEGO
> >>> authenticator.
> >>>
> >>> Some clients maintain the state and rely on the server to maintain the
> >>> connection state too. Tomcat does not do that which means that the
> >>> current SPNEGO authenticator has to issue a "Connection: close" after
> >>> successful auth. Otherwise the client will reuse the connection and
> keep
> >>> sending requests w/o reauthenticating eventhough Tomcat requires to do
> >>> so. In this case I have a Wireshark capture where this exactly happens
> >>> and the clients traps in an endless loop and issues thousands of
> >>> requests performs a DoS.
> > 
> > Well, as long as there is support for connection storage should I file a
> > bug about that?
> Go for it.
> > The connector has to close the connection in my opinion.
> Not sure what you mean by that.

I guess there is a misunderstanding here. There are two issues to be filed:
1. The long-term support for a connection-based store.
2. The above described behavior of the current SPNEGO connector in Tomcat 7. A DoS is possible
when a client expects that the server has a connection context on a persistent connection.

I was referring to the latter in the first place.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message