tomcat-users mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject RE: multiple servers and digest authentication
Date Sun, 01 Dec 2013 16:04:40 GMT

> From: cdehaudt@ebay.com
> To: users@tomcat.apache.org
> CC: cdehaudt@ebay.com
> Subject: Re: multiple servers and digest authentication
> Date: Sat, 30 Nov 2013 01:55:32 +0000
> 
> Hi,
> 
> Thanks for your answers:
> 
> 1/ Sticky session: yes, that is the way I have currently set my load
> balancer.
> But there is a drawback when the client is continuously using the service
> => because it will never be load balanced again.
> The worst is when one of the servers is stopped and restarted => all the
> clients will be redistributed to the still alive servers,
> and when the server is restarted, it will not pick up any load.
> 
> To work around this problem, with sticky session on, I have patched my
> client to clear the sticky cookie every X minutes. That forces the load
> balancer to give me the least used servers (possibly the one that has been
> restarted).
> 
> 2/ front-end load balancer solution: my configuration is with an F5 load
> balancer (citrix). From what I understand, the question is: can we
> configure the F5 to manage the nonce and then delegate the authentication
> to the servers (tomcat). It will require:
> F5 to manage the nonce (will send back the 401 when nonce not valid) but
MG> here is the XSD element definition for nonce using wss4j
MG>xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
MG><!-- KANonce -->
        <ObjectProvider qualifiedName="xenc:KA-Nonce">
            <BuilderClass className="org.opensaml.xml.encryption.impl.KANonceBuilder" />
            <MarshallingClass className="org.opensaml.xml.schema.impl.XSBase64BinaryMarshaller" />
            <UnmarshallingClass className="org.opensaml.xml.schema.impl.XSBase64BinaryUnmarshaller" />
        </ObjectProvider>

MG>so how would F5 build out a nonce such as
<EncryptedData>
   <EncryptionMethod Algorithm="Example:Block/Alg">
     <KeySize>80</KeySize>
   </EncryptionMethod>
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <AgreementMethod Algorithm="example:Agreement/Algorithm">
       <KA-Nonce>Zm9v</KA-Nonce>
       <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"/>
       <OriginatorKeyInfo>
         <ds:KeyValue>....</ds:KeyValue>
       </OriginatorKeyInfo>
       <RecipientKeyInfo>
         <ds:KeyValue>....</ds:KeyValue>
       </RecipientKeyInfo>
     </AgreementMethod>
   </ds:KeyInfo>
   <CipherData>...</CipherData>
</EncryptedData>
MG>? 
> not verify the user credential and pass that to servers
> 
> Servers (tomcat) to not check the nonce but check the credential. I have
> read the description of tomcatAuthentication flag from André's link, but
> I'm not sure it does what I expect
> 
> Any idea if this is feasible from F5/tomcat point of views?
> Any other suggestions? ;)
> 
> Thanks,
> 
> Xtof
> 
> On 11/27/13 9:04 AM, "Christopher Schultz" <chris@christopherschultz.net>
> wrote:
> 
> >André,
> >
> >On 11/27/13, 5:15 AM, André Warnier wrote:
> >> Mark Thomas wrote:
> >>> On 27/11/2013 07:34, Dehaudt, Christophe wrote:
> >>>> Is there a way to share the nonce between servers so they can
> >>>> act as one?
> >>> 
> >>> No. You'd need to customise the DigestAuthenticator to do that.
> >>> 
> >>>> I would like to get your advice, how to make a multiple
> >>>> server deployment running with Http digest.
> >>> 
> >>> Use sticky load-balancing.
> >>> 
> >> 
> >> Or do the authentication at the front-end load-balancer level, and
> >> set Tomcat's authentication to accept what the front-end says ?
> >> (E.g.
> >> https://tomcat.apache.org/tomcat-8.0-doc/config/ajp.html#Standard_Implementations
> >> #tomcatAuthentication)
> >
> >While it is popular to do so, I don't think anyone really uses httpd
> >for industrial-strength load-balancing. Can an F5 do authentication
> >(and forward it to Tomcat?). I suspect not in any way that would work
> >well with the back-end application.
> 
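The customised DigestAuthenticator Mark refers to would need a nonce that every server can verify without shared storage. As an added example (not Tomcat's own code, and a design sketch rather than a drop-in replacement), this standalone Java class issues and checks an HMAC-keyed nonce; the shared key is a placeholder, and it assumes each Tomcat sees the same client address (for instance with RemoteIpValve in front of it).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// nonce = issueTime ":" base64url(HMAC-SHA256(sharedKey, issueTime ":" clientAddr)).
// Every server holds the same key, so each can verify a peer's nonce with no shared store.
public final class SharedDigestNonce {
    private static final String ALG = "HmacSHA256";
    private final byte[] sharedKey;    // identical on every Tomcat behind the balancer
    private final long validityMillis; // lifetime before a nonce is treated as stale
    public SharedDigestNonce(byte[] sharedKey, long validityMillis) {
        this.sharedKey = sharedKey.clone();
        this.validityMillis = validityMillis;
    }
    private String tag(long issueTime, String clientAddr) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(sharedKey, ALG));
            byte[] t = mac.doFinal((issueTime + ":" + clientAddr).getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(t);
        } catch (java.security.GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    /** Issue a nonce for this client; nothing is remembered server-side. */
    public String generate(String clientAddr, long nowMillis) {
        return nowMillis + ":" + tag(nowMillis, clientAddr);
    }
    /** True only if the tag matches for this client and the nonce is still within its lifetime. */
    public boolean validate(String nonce, String clientAddr, long nowMillis) {
        int sep = nonce.indexOf(':');
        if (sep <= 0) return false;
        long issueTime;
        try { issueTime = Long.parseLong(nonce.substring(0, sep)); }
        catch (NumberFormatException e) { return false; }
        if (issueTime > nowMillis || nowMillis - issueTime > validityMillis) return false; // stale
        byte[] expected = tag(issueTime, clientAddr).getBytes(StandardCharsets.US_ASCII);
        byte[] given = nonce.substring(sep + 1).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, given); // constant-time comparison
    }
    public static void main(String[] args) {
        byte[] key = "PLACEHOLDER-shared-secret-from-config".getBytes(StandardCharsets.UTF_8);
        SharedDigestNonce a = new SharedDigestNonce(key, 300_000L), b = new SharedDigestNonce(key, 300_000L);
        long now = System.currentTimeMillis();
        String n = a.generate("192.0.2.10", now);                     // issued by server A
        System.out.println(b.validate(n, "192.0.2.10", now + 1000)); // server B accepts A's nonce
        System.out.println(b.validate(n, "192.0.2.11", now + 1000)); // rejected: bound to another client
    }
}
```

What it does not share is the per-nonce request counter (nc) a single server keeps to detect replays, so in a multi-server deployment that check still needs shared state or a short nonce lifetime.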