tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: multiple servers and digest authentication
Date Mon, 02 Dec 2013 16:29:02 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Christophe,

On 12/2/13, 8:53 AM, Dehaudt, Christophe wrote:
> On 11/29/13, 8:55 PM, Dehaudt, Christophe wrote:
>> I don't believe you can have the F5 manage any part of the 
>> authentication. But you can use (expiring!) sticky
>> load-balancing. I've never used an F5 but I suspect that you can
>> use a combination of lb-generated cookie + server-generated
>> cookie to achieve a "unified stickiness". What you want is the
>> following:
>> 
>> 1. 2-step authentication has both steps going to the same server
>> (can use F5's cookie for stickiness)
>> 
>> 2. Subsequent authenticated requests go to that same server (can
>> use Tomcat's cookie for stickiness)
>> 
>> 3. All stickiness expires when the user's authenticated session 
>> expires. Since HTTP-DIGEST authentication does not have a
>> standard way to de-authenticate a client, you'll have to figure
>> out when this happens. I would use the invalidation of the
>> session cookie to trigger a reset of the F5's stickiness cookie.
>> I'm not sure how to actually do that with an F5.
> 
> I believe I already do 3 (clearing the LB cookie, every X mn), but
> this solution is client side, meaning everybody must be a good
> citizen. I would prefer a solution that enforces the policy = LB or
> server side

Just set the expiration-date of the cookie (on the server) to be 2
minutes?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSnLVOAAoJEBzwKT+lPKRYC8IP/3icAeE5gDbGniNz5sstQ0Td
Yo8ZccqHejVBHH7lqtTkCzjQZGYSFtLJXb1BzV+HvHXtluprIkT4ASFJr51sXwN+
GoeKjOABTC+ThVb8209XZSxg7CnEgEsP14W9HiOCdu3Vv4YNALM6cgokc/WTQYyq
Zqn/MipE2eKjxN5C9K4PeYn6YmNxEk0G9JKfNGDWO/sjBrW0q4/Z4ozcUBg9kR1X
qbf+9Pbrdk8uXzEtrvmPTs0qGp3DcjA//4d/DGCbmCWJwV6luwblvgw11++0qmz0
zjkX+DnyipP9tliE+Rl2Y7M7fdwr4hGAVweyAazL6V1q/fXsik2BeCtZJVq3QE23
H3WhZQIefR9j7+mF7qdVNAJN/lZVIynuKf32sReQHjg5nGFCd/Dp79TZdSXL6yvQ
f0Sb4NaQvBzQD03Nv4wx8KLTaQAQSc0Y5bKuZefCsjdxQbCU6HQiMn0hb7xV5SXi
cOfbf3a/6VD7IlxxqpRV2JDZ63VqYb2I9zKXydUL5hx/dazcChkSpGKFigQttifN
StNDwgIWOs4YNzPyLaCEK1rDGRGtkAN2TskfRdR2eXRC/YHsLtHmXJcbK3tUt6ny
/20uA+UxTgkjzTBd8ij6RapNwCtMeE8cB09rrxp4YiOIBT5Bj91ZQP0xg9b8/mYq
6/yl8K9R/SUZ1OGb1RxK
=hmOu
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message