tomcat-users mailing list archives

From Sascha Skorupa <>
Subject AW: Migration from Tomcat6-Cluster to Tomcat7-Cluster: Digest Authentication problem
Date Tue, 17 Mar 2015 21:28:36 GMT
Indeed, it seems a little bit strange and certainly you are right. I think the main reason
is that it would be more complicated to maintain the system with regular security updates.
It has to be a manual process.

Somehow or other we need a working solution. It is also an option to fix the DigestAuthenticator
class in tomcat6 to split the digest authentication header like it is done in tomcat7, because
this is the real cause of the problem - the regular expression submitted to the split method
cannot properly handle unquoted parameters at the end of the auth header line.

Thank you for your constructive input.

From: Christopher Schultz
Sent: Tuesday, 17 March 2015 17:10
To: Tomcat Users List
Subject: Re: Migration from Tomcat6-Cluster to Tomcat7-Cluster: Digest Authentication problem

On 3/17/15 11:12 AM, Rainer Jung wrote:
> Am 17.03.2015 um 15:40 schrieb Sascha Skorupa:
>> Hi Rainer,
>> currently not (Apache 2.2) but it might be an option to upgrade
>> the OS and the Apache if it leads to a solution.
> OK. But think twice, whether it is better to just compile mod_jk
> from sources or do the big update.


I find it hard to believe that you (or your NOC) would be willing to
upgrade the OS and the web server to use an alternative solution, but
not willing to upgrade to a newer version of a single, specialized
module for the web server.

Note that you don't have to have a compiler on the target system; you
just need to be able to cross-compile to that test system (or do what
I do and have a spare server with identical architecture, etc.
available for module builds).

> Updating to 2.4 will bring many interesting achievements, but just
> for fixing this issue quickly it would be better to update mod_jk,
> even if this means switching to a non-OS-provided variant.


Building is trivial.

> If you seriously plan the 2.4 update and you have a test system, I
> could provide you with the non-trivial workaround letting Apache
> set the cookie. You would need to thoroughly test this though.

-chris
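
Added example, not part of the original thread and not Tomcat's code: it contrasts a quote-aware `split` regex with a single-pass parser on a Digest parameter list that ends in unquoted parameters, the failure described in the message above. The regex, the class and method names, and the sample headers are assumptions constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class DigestHeaderSplit {
    // Assumed pattern (constructed here, not copied from Tomcat's source):
    // split on a comma only when the rest of the line is a run of complete
    // "..." pairs, which forces the line to end in a closing quote.
    static final String SPLIT = ",(?=(?:[^\"]*\"[^\"]*\")+$)";

    // Single-pass alternative: read name=value pairs in order, where a value
    // is either a quoted string or a bare token. Backslash escapes inside
    // quoted strings are not handled in this sketch.
    static Map<String, String> parse(String params) {
        Map<String, String> out = new LinkedHashMap<>();
        int i = 0, n = params.length();
        while (i < n) {
            while (i < n && (params.charAt(i) == ',' || params.charAt(i) == ' ')) i++;
            int eq = params.indexOf('=', i);
            if (eq < 0) break;                      // no further name=value pair
            String name = params.substring(i, eq).trim();
            i = eq + 1;
            String value;
            if (i < n && params.charAt(i) == '"') { // quoted: read to closing quote
                int end = params.indexOf('"', i + 1);
                if (end < 0) throw new IllegalArgumentException("unterminated quote");
                value = params.substring(i + 1, end);
                i = end + 1;
            } else {                                // bare token: read to next comma
                int end = params.indexOf(',', i);
                if (end < 0) end = n;
                value = params.substring(i, end).trim();
                i = end;
            }
            out.put(name, value);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed parameter lists (the text after "Digest ").
        String quotedLast = "username=\"alice\", realm=\"example\", qop=auth, nonce=\"abc123\"";
        String bareLast = "username=\"alice\", realm=\"example\", nonce=\"abc123\", qop=auth, nc=00000001";
        // Token counts from the regex split: the lookahead fails at every comma
        // when the line ends in a bare token, so bareLast is not split at all.
        System.out.println("regex, quoted last: " + quotedLast.split(SPLIT).length);
        System.out.println("regex, bare last:   " + bareLast.split(SPLIT).length);
        System.out.println("parser, bare last:  " + parse(bareLast));
    }
}
```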
