[
https://issues.apache.org/jira/browse/QPID-7046?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15350631#comment-15350631
]
Keith Wall commented on QPID-7046:
----------------------------------
I don't think we should make this change simply by changing all preemptive
paths to invalidate the session after the request. This approach would catch
use cases where preemptive authentication is used and a session is desired, for
example, a user using a browser for an interaction WMC session using an SSL
client certificate for authentication (uses
{{SSLClientCertPreemptiveAuthenticator}}).

I think the way to make this change is to consider the request URI and
differentiate between /api and other paths. If no session exists and the
requested path matches {{//api}}, then no long-lived session should be
established. If the path does not match {{/api}} or a request for a
non-{{/api}} path has been received, we should maintain the current behaviour.
> Preemptive HTTP authentication should automatically expire the HTTP session
> ---------------------------------------------------------------------------
>
> Key: QPID-7046
> URL: https://issues.apache.org/jira/browse/QPID-7046
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
> Fix For: qpid-java-6.1
>
>
> Change HTTP preemptive authentication so that it does not leave behind a HTTP
> session. Preemptive authentication is usually single shot so the session is
> superfluous and will consume unnecessary system resources.