From: Christopher Schultz
Date: Sun, 01 Dec 2013 09:41:50 -0500
To: Tomcat Users List
Subject: Re: multiple servers and digest authentication
Message-ID: <529B4AAE.6020200@christopherschultz.net>

Christophe,

On 11/29/13, 8:55 PM, Dehaudt, Christophe wrote:
> 1/ Sticky session: yes, that is the way I have currently set my
> load balancer. But there is a drawback when the client is
> continuously using the service => because it will never be load
> balanced again.

When the sticky cookie expires, the client can be re-balanced.

> The worst is when one of the servers is stopped and restarted => all
> the clients will be redistributed to the still-alive servers, and
> when the server is restarted, it will not pick up any load.

It will pick up new load.

> To work around this problem, with sticky session on, I have
> patched my client to clear the sticky cookie every X minutes. That
> forces the load balancer to give me the less-used servers
> (possibly the one that has been restarted).

This should be configurable on the server and/or the lb. You shouldn't have to modify the client.

> 2/ Front-end load balancer solution: my configuration is with an F5
> load balancer (citrix).

I'm not sure what that means. F5 and Citrix are competitors AFAIK.

> From what I understand, the question is: can we configure the F5
> to manage the nonce and then delegate the authentication to the
> servers (Tomcat)?

That's not going to work unless you tell the (Tomcat) server that the (F5) client is trusted. If the client is trusted (as far as Tomcat is concerned), then there is no need for authentication. Tomcat will not implement such capabilities. You'll need to do that yourself.

> Any idea if this is feasible from the F5/Tomcat points of view?

I don't believe you can have the F5 manage any part of the authentication. But you can use (expiring!) sticky load-balancing.

I've never used an F5 but I suspect that you can use a combination of lb-generated cookie + server-generated cookie to achieve a "unified stickiness". What you want is the following:

1. 2-step authentication has both steps going to the same server (can use F5's cookie for stickiness)
2. Subsequent authenticated requests go to that same server (can use Tomcat's cookie for stickiness)
3. All stickiness expires when the user's authenticated session expires.

Since HTTP-DIGEST authentication does not have a standard way to de-authenticate a client, you'll have to figure out when this happens. I would use the invalidation of the session cookie to trigger a reset of the F5's stickiness cookie. I'm not sure how to actually do that with an F5.

-chris
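The following servlet filter is an added example illustrating step 3 of the approach above (tying the load balancer's stickiness to the Tomcat session) from the application side; it is not code from this thread, from Tomcat, or from F5. It assumes the load balancer persists clients with a cookie, whose name (`LB_STICKY` here) is a placeholder to be replaced with the deployment's real persistence cookie name, and it uses only the standard Servlet 3.0 API that Tomcat 7 implements. The idea: when a request arrives carrying a `JSESSIONID` that this node no longer recognises (the session expired or was invalidated), the node also expires the balancer's cookie, so the next request can be balanced onto any node instead of staying pinned to one that has lost the authenticated session.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Expires the load balancer's persistence cookie whenever the client presents
 * a session id that this node no longer considers valid. Illustrative code,
 * not part of Tomcat; the cookie name is an assumed placeholder.
 */
public class StickinessResetFilter implements Filter {

    // ASSUMPTION: name of the load balancer's persistence cookie. Override via
    // the "lbCookieName" init-param in web.xml to match the real deployment.
    private String lbCookieName = "LB_STICKY";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("lbCookieName");
        if (configured != null && !configured.isEmpty()) {
            lbCookieName = configured;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The client sent a JSESSIONID, but this node has no live session for it:
        // the authenticated session that justified the stickiness is gone.
        boolean staleSession = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        if (staleSession && hasCookie(request, lbCookieName)) {
            // Set-Cookie with Max-Age=0 tells the browser to discard the
            // persistence cookie; the balancer will then pick a node afresh.
            Cookie reset = new Cookie(lbCookieName, "");
            reset.setMaxAge(0);
            reset.setPath("/");              // must match the path the balancer set
            reset.setHttpOnly(true);
            reset.setSecure(request.isSecure());
            response.addCookie(reset);
        }

        chain.doFilter(request, response);
    }

    /** True if the request carries a cookie with the given name. */
    static boolean hasCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register the filter in web.xml with a filter-mapping on `/*` and place it before any filter that creates sessions, so that it sees the original requested session id. The reset only works if the path and domain on the expiring cookie match those the balancer used when it set the cookie, which is why the path is made explicit above. This covers the "session expired or invalidated" side of step 3; the balancer's own cookie timeout should still be set to no longer than the Tomcat session timeout, so stickiness cannot outlive the session by more than that window.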