From: Bruce Weertman
Subject: Intermittent Digest Authentication User Lockout
Date: Mon, 18 Nov 2013 10:29:24 -0800
To: users@tomcat.apache.org
Message-Id: <982CC876-973C-4364-8D7D-65549DC4EBC1@iris.washington.edu>

I am running into an intermittent problem with Digest-Authentication. This is with Tomcat 7.0.39.

The issue appears to be that clients will occasionally get locked out for 5 minutes. The problem appears to happen when there is a combination of good password and then bad password, or the other way round. We have also seen the problem happen when our load balancer is not sticky.

My understanding is that digest-auth really should not work if the load-balancer is not sticky since there needs to be information sent from the server to the client in order to make the authentication. We have since made our load balancer sticky, hoping that this would resolve the issue.

Actually, I should make a clarification here. It’s not “clients” that are getting locked out. It is “users”. Once a user gets into a bad state the account gets locked out until a 5 minute period goes by.

Looking at the Tomcat source code, I see DigestAuthenticator.java line 147:

    protected long nonceValidity = 5 * 60 * 1000;

Sorry if this sounds confused - I’m confused. I can say this. We’re seeing users get locked out for 5 minutes at a time. Having the load balancer not being sticky would definitely cause the problem, but after making them sticky, we still see the problem with at least one client program. The client programs are mostly non-web-browser based.
Thanks
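
The dependence on server-issued state described in the message above, as an added example that is not part of the original post and not Tomcat code: a toy model of two backends behind a non-sticky load balancer, each binding its nonces to its own secret. The Node class, its per-node key, the status strings and the sample account are assumptions made for illustration.

```python
import hashlib, hmac, os

NONCE_VALIDITY_MS = 5 * 60 * 1000  # same value as the nonceValidity line quoted in the post

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()  # MD5 is what RFC 2617 Digest specifies

def digest_response(user, realm, password, nonce, method, uri):
    """Client side: RFC 2617 response without qop."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

class Node:
    """Hypothetical backend behind the load balancer (a model, not Tomcat code)."""
    def __init__(self, users, realm="demo"):
        self.users, self.realm = users, realm
        self.key = os.urandom(16).hex()  # assumption: per-node secret, never shared

    def challenge(self, now_ms):
        ts = str(now_ms)
        return ts + ":" + md5hex(ts + ":" + self.key)  # nonce = timestamp + keyed hash

    def verify(self, user, nonce, method, uri, response, now_ms):
        ts, _, mac = nonce.partition(":")
        own = md5hex(ts + ":" + self.key)
        if not (nonce.isascii() and ts.isdigit()) or not hmac.compare_digest(mac, own):
            return "foreign-nonce"  # issued by another node; password never checked
        if now_ms - int(ts) > NONCE_VALIDITY_MS:
            return "stale-nonce"  # client has to be re-challenged
        if user not in self.users or not response.isascii():
            return "bad-credentials"
        expected = digest_response(user, self.realm, self.users[user], nonce, method, uri)
        return "ok" if hmac.compare_digest(expected, response) else "bad-credentials"

def demo():
    users = {"alice": "s3cret"}  # constructed sample account
    a, b = Node(users), Node(users)
    t0 = 1_000_000
    nonce = a.challenge(t0)  # challenge issued by node a
    good = digest_response("alice", "demo", "s3cret", nonce, "GET", "/data")
    bad = digest_response("alice", "demo", "wrong", nonce, "GET", "/data")
    late = t0 + NONCE_VALIDITY_MS + 1
    return {
        "same_node": a.verify("alice", nonce, "GET", "/data", good, t0 + 1000),
        "other_node": b.verify("alice", nonce, "GET", "/data", good, t0 + 1000),
        "expired": a.verify("alice", nonce, "GET", "/data", good, late),
        "wrong_password": a.verify("alice", nonce, "GET", "/data", bad, t0 + 1000),
    }

if __name__ == "__main__":
    print(demo())
```

In this model a correct password still fails when the response reaches a node that did not issue the nonce, which is why the three failure reasons are kept distinct in the return value.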