tomcat-users mailing list archives

From Sascha Skorupa <>
Subject Migration from Tomcat6-Cluster to Tomcat7-Cluster: Digest Authentication problem
Date Wed, 04 Mar 2015 15:20:46 GMT

Because of changes in the HTTP digest implementation within JDK 8 (,
we are forced to migrate from Tomcat 6 to 7.

The problem is that we have a Tomcat cluster (several Tomcats behind an Apache/mod_jk server)
and we cannot guarantee that both HTTP requests resulting from the digest authentication are
sent to the same Tomcat instance. In Tomcat 6 this was no problem because nonces were not cached,
or rather, unknown nonces did not force a re-authentication as is done in the DigestAuthenticator
of Tomcat 7:

    if (info == null) {
        // Nonce is valid but not in cache. It must have dropped out
        // of the cache - force a re-authentication
        nonceStale = true;
    }

Some clients have the problem that the second 401 response to the request with an Authorization
header leads to an authentication failure although the credentials are correct. Other clients,
e.g. JMeter, keep sending the Authorization header while stale is true until an HTTP
200 is returned.

So, what is the recommendation here? How can Digest authentication be used within Tomcat clusters
if nonces are cached in a map within DigestAuthenticator?

Best regards

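The failure mode described in this post, as an added simulation that is not part of the original message or of Tomcat's own code: two server nodes each keep a private nonce cache, a nonce that is structurally valid but unknown to the receiving node is answered with a stale=true challenge (the quoted branch), and the outcome depends on whether the load balancer routes both legs of the exchange to the same node and on whether the client honours stale. The nonce format, the shared key, the user table and the routing policies are constructed assumptions for the simulation.

```python
"""Digest authentication (RFC 2617, qop=auth) across a two-node cluster in
which every node caches only the nonces it issued itself. Everything here is
constructed for illustration; it is not Tomcat's implementation."""
import hashlib
import itertools
import secrets
import time
from typing import Optional


def md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


REALM = "cluster"
SHARED_KEY = "constructed-shared-secret"                # assumed: same key on all nodes
USERS = {"alice": md5("alice:" + REALM + ":s3cret")}    # constructed: username -> HA1


class DigestNode:
    """One server node. Nonces it issued live only in its own cache."""

    def __init__(self, name: str):
        self.name = name
        self.nonces = set()

    def _new_nonce(self) -> str:
        # Hypothetical format time:salt:MD5(time:salt:key): any node holding the
        # key can verify that it minted the nonce, but only the issuer caches it.
        ts, salt = str(int(time.time() * 1000)), secrets.token_hex(4)
        nonce = f"{ts}:{salt}:{md5(f'{ts}:{salt}:{SHARED_KEY}')}"
        self.nonces.add(nonce)
        return nonce

    def _challenge(self, stale: bool) -> dict:
        return {"status": 401, "realm": REALM, "nonce": self._new_nonce(),
                "qop": "auth", "stale": stale, "node": self.name}

    def handle(self, method: str, uri: str, auth: Optional[dict]) -> dict:
        if auth is None:
            return self._challenge(stale=False)
        parts = auth["nonce"].split(":")
        if len(parts) != 3 or md5(f"{parts[0]}:{parts[1]}:{SHARED_KEY}") != parts[2]:
            return self._challenge(stale=False)       # not minted with our key
        if auth["nonce"] not in self.nonces:
            # Valid nonce issued by another node: the "not in cache" branch the
            # post quotes. stale=true asks the client to retry with the fresh
            # nonce without prompting the user for credentials again.
            return self._challenge(stale=True)
        ha1 = USERS.get(auth["username"])
        ha2 = md5(f"{method}:{uri}")
        expected = md5(f"{ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        if ha1 is None or expected != auth["response"]:
            return self._challenge(stale=False)       # wrong credentials
        self.nonces.discard(auth["nonce"])            # single use: crude replay protection
        return {"status": 200, "node": self.name}


class DigestClient:
    def __init__(self, username: str, password: str, retry_on_stale: bool = True):
        self.username = username
        self.ha1 = md5(f"{username}:{REALM}:{password}")
        self.retry_on_stale = retry_on_stale          # False models the failing clients

    def _authorization(self, challenge: dict, method: str, uri: str) -> dict:
        cnonce, nc = secrets.token_hex(8), "00000001"
        ha2 = md5(f"{method}:{uri}")
        response = md5(f"{self.ha1}:{challenge['nonce']}:{nc}:{cnonce}:auth:{ha2}")
        return {"username": self.username, "nonce": challenge["nonce"],
                "nc": nc, "cnonce": cnonce, "response": response}

    def request(self, route, method="GET", uri="/app/", max_round_trips=4):
        """route() chooses the node for each HTTP request; returns (status, round trips)."""
        challenge = None
        for n in range(1, max_round_trips + 1):
            node = route()
            auth = self._authorization(challenge, method, uri) if challenge else None
            resp = node.handle(method, uri, auth)
            if resp["status"] == 200:
                return 200, n
            if challenge is not None and not (resp["stale"] and self.retry_on_stale):
                return 401, n                         # client gives up: visible auth failure
            challenge = resp
        return 401, max_round_trips


def simulate(policy: str, retry_on_stale: bool = True):
    """policy: 'sticky' sends every request to one node, 'round-robin' alternates."""
    nodes = [DigestNode("tomcat-a"), DigestNode("tomcat-b")]
    cycle = itertools.cycle(nodes)
    route = (lambda: nodes[0]) if policy == "sticky" else (lambda: next(cycle))
    return DigestClient("alice", "s3cret", retry_on_stale).request(route)


if __name__ == "__main__":
    for policy, retry in (("sticky", True), ("round-robin", True), ("round-robin", False)):
        print(policy, "retry_on_stale=%s" % retry, "->", simulate(policy, retry))
```

With sticky routing the exchange completes in two round trips. With strict alternation between two nodes every retry lands on the node that did not issue the nonce, so a stale-tolerant client loops until it gives up, and a client that treats the second 401 as a credential error fails immediately, which is the behaviour the post describes. The simulation makes the detection point concrete as well: a burst of stale=true challenges for correct credentials is a routing symptom, not a password-guessing one.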
