tomcat-users mailing list archives

From Bruce Weertman <>
Subject Intermittent Digest Authentication User Lockout
Date Mon, 18 Nov 2013 18:29:24 GMT
I am running into an intermittent problem with Digest-Authentication. This is with tomcat 7.0.39

The issue appears to be that clients will occasionally get locked out for 5 minutes. The problem appears to happen when there is a combination of good password and then bad password, or the other way round. We have also seen the problem happen when our load balancer is not sticky.

My understanding is that digest-auth really should not work if the load-balancer is not sticky, since there needs to be information sent from the server to the client in order to make the authentication. We have since made our load balancer sticky, hoping that this would resolve the issue.

Actually, I should make a clarification here. It’s not “clients” that are getting locked out. It is “users”.

Once a user gets into a bad state the account gets locked out until a 5-minute period goes

Looking at the tomcat source code, I see line 147: 
protected long nonceValidity = 5 * 60 * 1000;

Sorry if this sounds confused - I’m confused. I can say this. We’re seeing users get locked out for 5 minutes at a time. Having the load balancer not being sticky would definitely cause the
but after making them sticky, we still see the problem with at least one client program. The programs are mostly non-web-browser based.

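The two failure modes the post circles around, a nonce minted on one node being presented to another node behind a non-sticky load balancer, and a nonce outliving the 5-minute `nonceValidity` window, can be seen in a small simulation. This is an added example, not Tomcat's code: it assumes a Tomcat-like nonce of the form `timestamp:MD5(clientIp:timestamp:serverKey)` with a per-process server key; the node names, keys, IP and clock values are constructed.

```python
import hashlib

# Tomcat's DigestAuthenticator default quoted in the post: nonce valid for 5 minutes.
NONCE_VALIDITY_MS = 5 * 60 * 1000


class DigestNode:
    """One server behind the load balancer.

    Assumption: each node holds its own random nonce key (modelled on
    Tomcat's per-instance key), so a nonce minted by node A cannot be
    validated by node B. The clock is simulated, in milliseconds."""

    def __init__(self, name, key, now_ms):
        self.name = name
        self.key = key
        self.clock = now_ms

    def _mac(self, client_ip, stamp):
        return hashlib.md5(f"{client_ip}:{stamp}:{self.key}".encode()).hexdigest()

    def generate_nonce(self, client_ip):
        # Sent to the client in the WWW-Authenticate challenge.
        return f"{self.clock}:{self._mac(client_ip, self.clock)}"

    def validate_nonce(self, nonce, client_ip):
        """Return (ok, reason) for a nonce echoed back in the Authorization header."""
        try:
            stamp_text, mac = nonce.split(":", 1)
            stamp = int(stamp_text)
        except ValueError:
            return False, "malformed"
        if stamp + NONCE_VALIDITY_MS < self.clock:
            return False, "expired"            # client must re-authenticate
        if mac != self._mac(client_ip, stamp):
            return False, "wrong-key"          # minted by another node, or tampered
        return True, "ok"


def simulate():
    t0 = 1_000_000                              # constructed start time
    node_a = DigestNode("A", "key-a", t0)
    node_b = DigestNode("B", "key-b", t0)
    ip = "192.0.2.10"                           # constructed client address
    nonce = node_a.generate_nonce(ip)
    results = {"same_node": node_a.validate_nonce(nonce, ip)}
    # Non-sticky balancer: the reply lands on node B instead of A.
    results["other_node"] = node_b.validate_nonce(nonce, ip)
    # Sticky balancer, but the client reuses the nonce after the 5-minute window.
    node_a.clock = t0 + NONCE_VALIDITY_MS + 1
    results["after_5min"] = node_a.validate_nonce(nonce, ip)
    return results
```

The real Tomcat authenticator additionally tracks nonce counts in a per-node cache, which a non-sticky balancer also defeats; the simulation leaves that out to keep the key-mismatch and expiry cases visible.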