Hi Support,
We are having a strange issue in our application after we changed our code to implement our own Authenticator that extends ChallengeAuthenticator and overrides the authenticate method. Inside this authenticate method, we are handling 3 possible cases. If the request is being made by the system, we authenticate using system credentials. If the request's identifier corresponds to a valid session token generated by a previous login, we check the cache and allow the request to proceed. If neither of the above checks allows the request, we make a REST call to our security component to authenticate the incoming user.

This flow is working fine for successful authentication. For a wrong userid/password case, we are making the above REST call to authenticate the user, and we are making it fail with an Authorization Denied status. In this case, the request fails for the end user, but a TCP/IP port on the server is left hanging in a TIMED_OUT state. If I put a test in a loop with a failed login, it keeps leaving a connection in the TIMED_OUT state. After a certain number of connections (based on the property used in the HTTP client creation request) are in this state, my client hangs waiting to connect to the server.

All this started happening after we moved to our own extension of ChallengeAuthenticator, as we did not want to live on getLocalSecret() implemented in a verifier, as returning a plain text password through this function is not possible when using MD5 to store the password.

Can anyone shed some light on what might be happening here? Our RESTlet application is running inside Tomcat 7.0.5. Your help will be greatly appreciated.

Regards,
RK.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2701687

