tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sascha Skorupa <sascha.skor...@traveltainment.de>
Subject AW: Migration from Tomcat6-Cluster to Tomcat7-Cluster: Digest Authentication problem
Date Tue, 17 Mar 2015 21:28:36 GMT
Indeed, it seems a little bit strange and certainly you are right. I think the main reason
is that it would be more complicated to maintain the system with regular security updates.
It has to be a manual process.

Somehow or other we need a working solution. It is also an option to fix DigestAuthenticator
class in tomcat6 to split digest authentication header like it is done in tomcat7, because
this is the real cause of the problem - the regular expression submitted to the split method
cannot properly handle unquoted parameters at the end of the auth header line.

Thank you for your constructive input.

-sascha
________________________________________
Von: Christopher Schultz [chris@christopherschultz.net]
Gesendet: Dienstag, 17. März 2015 17:10
Bis: Tomcat Users List
Betreff: Re: Migration from Tomcat6-Cluster to Tomcat7-Cluster: Digest Authentication problem

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Rainer,

On 3/17/15 11:12 AM, Rainer Jung wrote:
> Am 17.03.2015 um 15:40 schrieb Sascha Skorupa:
>> Hi Rainer,
>>
>> currently not (Apache 2.2) but it might be an option to upgrade
>> the OS and the Apache if it leads to a solution.
>
> OK. But think twice, whether it is better to just compile mod_jk
> from sources or do the big update.

+1

I find it hard to believe that you (or your NOC) would be willing to
upgrade the OS and the web server to use an alternative solution, but
not willing to upgrade to a newer version of single, specialized
module for the web server.

Note that you don't have to have a compiler on the target system; you
just need to be able to cross-compile to that test system (or do what
I do and have a spare server with identical architecture, etc.
available for module builds).

> Updating to 2.4 will bring many interesting achievements, but just
> for fixing this issue quickly it would be better to update mod_jk,
> even if this means switching to a non-OS-provided variant.

+1

Building is trivial.

> If you seriously plan the 2.4 update and you have a test system, I
> could provide you with the non-trivial workaround letting Apache
> set the cookie. You would need to thoroughly test this though.

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJVCFHcAAoJEBzwKT+lPKRYOQAQAJnIlsepWBvZlO438/zwXIYM
WI0X3LspAUt1v1c0JOXagL5VUdZO68/euBV7rmoKaHvo11lEH5lFQ9M91unvRWer
d7AQZoTc1+VQDcnBrGDzw6M7jQqlKf2Y7Jadlj9TfNm68cwCYFhpan1Wcv/XCMpy
/1Q5j/gW77AdPNpAvtFGOXZ0HPbMpkC+ZpsfFjgpOrwUBPL195xpQXM5nJLoYpAa
7uR34FCAbIIR0Glho/IHqzadxrSBq3AEVZau1uiGi3t8BjuWcOfq85bMZ0dCGdl+
Hlj6wKaTpS6AJi9By5d0xbXkqu5wBY2qFgY6wNq/cHO/Js+svPPMtME7eUZiOPAY
t2dUszkzqw0JOEqTN0I1gr0cGVOhJYbHMAdCHrb15FtWACeQVHVK7ikI0GJvKMG3
8EUIW21go3ID4jHBpexMC23QZDKfDTIhzx9Ec300lxRbjkfzpTCEvu3mM36w6y7+
fsRPPkpY0KqFe25nYw/DZCMS4KeAZ5dZSQa3sQSYgpozP71UrRZJw2+cqdALj29Q
Ozru/eLGLAvJuOKbXgSMIBfEQugx8vTGzE60Db7e61thMPmyHXlHqi1+zKDnODej
g6kbQtNDhak+0AfI2oFbmvHGz+hN8bAJa62hA/3jDKiYphxwH2JpJW4qmcs7HI91
qRp/u8yrAe8S/UAc+x+2
=95gA
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message