tomcat-users mailing list archives

From Andrew Kulemet <>
Subject HTTP Digest authentication in Tomcat server farms
Date Wed, 15 May 2013 19:33:37 GMT

Now that digest authentication is fixed (Tomcat 6.0.36), how do we ensure that clients' authentication
requests are routed to the correct Tomcats in load-balanced deployments? Otherwise, clients can
get stuck in re-authentication loops (until they happen to be routed to the same Tomcat that
issued the original HTTP 401 Unauthorized response).

The digest authentication challenge may not have a session ID that could be used for routing.
One option is to ensure that jvmRoute is included in the WWW-Authenticate header (as part of
realm name or opaque value), and deploy a custom routing rule based on the Authorization header...
but that sounds like a hack...

Does anyone have any better solutions?

- Andrew
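
The routing rule described in the message above, sketched as an added example that is not part of the original post and is not Tomcat or load-balancer code. It assumes each node emits an opaque value of the form `<random>.<jvmRoute>`; that format, the worker names `tc1`/`tc2`, the function names and the sample header are all constructed for illustration.

```python
import re
import secrets

# Hypothetical jvmRoute names of the workers in the farm (assumption).
KNOWN_ROUTES = {"tc1", "tc2"}

# One auth-param: name = quoted-string | token
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def make_opaque(jvm_route):
    """Opaque value a node would put in its 401 challenge (assumed format)."""
    return secrets.token_hex(16) + "." + jvm_route


def parse_digest(header):
    """Return the parameters of a Digest Authorization header, else {}."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return {}
    params = {}
    for name, quoted, token in _PARAM.findall(rest):
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else token
        # First occurrence wins, so a duplicated parameter cannot override it.
        params.setdefault(name.lower(), value)
    return params


def route_for(header):
    """Worker to pin this request to, or None to let the balancer choose."""
    opaque = parse_digest(header).get("opaque", "")
    _, dot, route = opaque.rpartition(".")
    # The header is client-supplied: only accept a route that really exists.
    return route if dot and route in KNOWN_ROUTES else None


# Constructed sample; note the query string that merely looks like an opaque.
SAMPLE = ('Digest username="alice", realm="Protected", nonce="1368646417:abc", '
          'uri="/app/?a=1,opaque=x.tc2", response="6629fae49393a05397450978507c4ef1", '
          'opaque="5f2c9a.tc1", qop=auth, nc=00000001, cnonce="0a4f113b"')

if __name__ == "__main__":
    print(route_for(SAMPLE))  # tc1
```

A request whose opaque value is missing or names an unknown worker gets no pinning and simply receives a fresh challenge from whichever node it lands on.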

