tomcat-users mailing list archives

From "Pottinger, Hardy J." <Pottinge...@missouri.edu>
Subject RE: seeking help with stabilizing the persistence of a JSESSIONID
Date Thu, 03 Sep 2015 18:32:44 GMT
> Are you actually using HTTP Basic authentication? You may be configuring
> the wrong authenticator. (I know nothing about Shibboleth)

I'm using Apache HTTPD as a front-end (via mod_proxy) for Tomcat, since Shibboleth works (mostly)
with Apache HTTPD. So, the authentication happens on the HTTPD side.

I am now trying different values for Authenticators (feeling rather silly, but willing to
try)...

https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/authenticator/package-summary.html

--Hardy
________________________________________
From: Christopher Schultz [chris@christopherschultz.net]
Sent: Thursday, September 03, 2015 12:00 PM
To: Tomcat Users List
Subject: Re: seeking help with stabilizing the persistence of a JSESSIONID

Hardy,

On 9/3/15 12:52 PM, Pottinger, Hardy J. wrote:
> Hi, I'm trying to disable session-fixation-attack protection on
> our test server, and I've added the following valve to both my
> application's context-fragment file, as well as the main
> context.xml file:
>
> <Valve
> className="org.apache.catalina.authenticator.BasicAuthenticator"
> changeSessionIdOnAuthentication="false" alwaysUseSession="true"/>

Are you actually using HTTP Basic authentication? You may be configuring
the wrong authenticator. (I know nothing about Shibboleth).

> However, after several Tomcat restarts, I can still see the
> session cookie change after authentication.
>
> I'm wondering if perhaps the problem is that this isn't Tomcat
> authentication, but HTTPD authentication, via the Shibboleth
> module on Apache.

Perhaps, but Tomcat is always the arbiter of your session identifier.
Are you even using an authenticator in Tomcat? What does your
<auth-method> in web.xml say?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



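
The check raised in the reply (does the authenticator Valve match the `<auth-method>` in web.xml?) can be scripted. The following is an added example, not code from either poster or from the Tomcat project. The `auth_method` and `audit` helpers, the mapping table and both web.xml samples are assumptions made for illustration; only the Valve is taken from the thread.

```python
import xml.etree.ElementTree as ET

PKG = "org.apache.catalina.authenticator."
# Assumed default mapping of <auth-method> to Tomcat authenticator class;
# verify against the Authenticators.properties of your Tomcat version.
DEFAULTS = {"BASIC": "BasicAuthenticator", "DIGEST": "DigestAuthenticator",
            "FORM": "FormAuthenticator", "CLIENT-CERT": "SSLAuthenticator",
            "SPNEGO": "SpnegoAuthenticator", "NONE": "NonLoginAuthenticator"}

def auth_method(web_xml):
    """Return the declared <auth-method>, or NONE when there is no login-config."""
    for el in ET.fromstring(web_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "auth-method":  # ignore XML namespace
            return (el.text or "").strip().upper()
    return "NONE"

def audit(web_xml, context_xml):
    """Compare authenticator Valves in a context file with web.xml."""
    method = auth_method(web_xml)
    expected = PKG + DEFAULTS.get(method, "?")
    findings = []
    for valve in ET.fromstring(context_xml).iter("Valve"):
        cls = valve.get("className", "")
        if not cls.startswith(PKG):
            continue  # not an authenticator valve
        if cls != expected:
            findings.append(("MISMATCH", cls, expected))
        elif valve.get("changeSessionIdOnAuthentication", "true").lower() == "false":
            findings.append(("FIXATION_PROTECTION_OFF", cls, expected))
    return method, findings

# Constructed inputs: the Valve is the one quoted in the thread; both web.xml
# documents are invented for the demonstration.
CONTEXT_XML = """<Context>
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
         changeSessionIdOnAuthentication="false" alwaysUseSession="true"/>
</Context>"""
WEB_XML_NO_LOGIN = "<web-app><display-name>demo</display-name></web-app>"
WEB_XML_BASIC = ("<web-app><login-config><auth-method>BASIC</auth-method>"
                 "</login-config></web-app>")

if __name__ == "__main__":
    for name, web in (("no login-config", WEB_XML_NO_LOGIN), ("BASIC", WEB_XML_BASIC)):
        print(name, audit(web, CONTEXT_XML))
```

A `MISMATCH` finding means the Valve's settings apply to an authenticator that web.xml does not ask for; `FIXATION_PROTECTION_OFF` marks a matching authenticator whose session ID will no longer change on login, which is worth catching before a test configuration reaches production.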