Re: Detect in an authenticator whether a connection is persistent or not

2012-10-28 Thread André Warnier

1983-01...@gmx.net wrote:

I have no usecase for this at the moment :-(, I only provide patches

for

stuff I suffer from at work.

The below looks like a use case to me.


As this [1] draft lays out Negotiate and Kerberos may apply to
connection or request level auth. We are just lucky that the first
gss_accept_sec_context makes the context complete in the SPNEGO
authenticator.

Some clients maintain the state and rely on the server to maintain the
connection state too. Tomcat does not do that which means that the
current SPNEGO authenticator has to issue a "Connection: close" after
successful auth. Otherwise the client will reuse the connection and

keep

sending requests w/o reauthenticating eventhough Tomcat requires to do
so. In this case I have a Wireshark capture where this exactly happens
and the clients traps in an endless loop and issues thousands of
requests performs a DoS.

Well, as long as there is support for connection storage should I file a
bug about that?

Go for it.


The connector has to close the connection in my opinion.

Not sure what you mean by that.


I guess there is a misunderstanding here. There are two issues to be filed:
1. The long-term support for a connection-based store.
2. The above described behavior of the current SPNEGO connector in Tomcat 7. A 
DoS is possible when a client expects that the server has a connection context 
on a persistent connection.

I was referring to the latter in the first place.

Michael



Hi.
This might be slightly OT, but I just wanted to mention that in a Windows domain context, 
maintaining state at the level of the connection is essential.  NTLM authentication 
requires several back-and-forth exchanges between the client and the server, in sequence. 
 In the background, the server has to talk to a domain controller etc.
This is a very heavy authentication mechanism, so it is the connection which is 
authenticated, to avoid having to re-authenticate (or at least verify the token) at each 
subsequent request from the same browser/client.
That's also why NTLM authentication requires (or at least strongly suggests) keep-alive, 
and also why there are limitations using this through firewalls etc.
As far as I know, some NTLM authentication mechanisms "fake" this by caching the client's 
IP address and client-side port number.  For example, if you use Jespa (www.ioplex.com) 
under Tomcat, behind an Apache httpd front-end, you *must* forward the browser's client IP 
address and port number over the httpd-tomcat proxy connection, so that Jespa can retrieve 
the client's authentication status from this cache.


Which all may point to another logical issue :
If you were to implement a connection-level "object" in Tomcat to store such 
authentication information, it may work if Tomcat is accessed directly by the client.
But if the client accesses Tomcat through a proxy, there is (I think) no guarantee that 
the same proxy connection to Tomcat would always be used by the same client.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread 1983-01-06

> >>> I have no usecase for this at the moment :-(, I only provide patches
> for
> >>> stuff I suffer from at work.
> >>
> >> The below looks like a use case to me.
> >>
> >>> As this [1] draft lays out Negotiate and Kerberos may apply to
> >>> connection or request level auth. We are just lucky that the first
> >>> gss_accept_sec_context makes the context complete in the SPNEGO
> >>> authenticator.
> >>>
> >>> Some clients maintain the state and rely on the server to maintain the
> >>> connection state too. Tomcat does not do that which means that the
> >>> current SPNEGO authenticator has to issue a "Connection: close" after
> >>> successful auth. Otherwise the client will reuse the connection and
> keep
> >>> sending requests w/o reauthenticating eventhough Tomcat requires to do
> >>> so. In this case I have a Wireshark capture where this exactly happens
> >>> and the clients traps in an endless loop and issues thousands of
> >>> requests performs a DoS.
> > 
> > Well, as long as there is support for connection storage should I file a
> > bug about that?
> 
> Go for it.
> 
> > The connector has to close the connection in my opinion.
> 
> Not sure what you mean by that.

I guess there is a misunderstanding here. There are two issues to be filed:
1. The long-term support for a connection-based store.
2. The above described behavior of the current SPNEGO connector in Tomcat 7. A 
DoS is possible when a client expects that the server has a connection context 
on a persistent connection.

I was referring to the latter in the first place.

Michael

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Mark Thomas
On 27/10/2012 19:32, Michael-O wrote:
> Am 2012-10-27 20:22, schrieb Mark Thomas:
>> On 27/10/2012 18:57, Michael-O wrote:
>>> Am 2012-10-27 19:25, schrieb Mark Thomas:
> Is this something worth being filed in Bugzilla as a longterm goal for
> Tomcat 8?

 Sure, but without a proposed patch I suspect it will sit there for a
 few
 years and then closed as WONTFIX. With a patch, it still might not get
 fixed but at least you'll know for sure and if the patch isn't too
 invasive (for the benefit it provides) it is likely to be applied.
>>>
>>> That seems to be very tough. I hacked Tomcat code several times but
>>> wouldn't claim that I am firm enough to implement such a tremendous
>>> improvement. Interesting though that no one else yet requested such an
>>> improvement.
>>
>> Yes, we are fairly tough on adding new features. We really don't want to
>> add what, for most users, is bloat. We are usually happy to add hooks if
>> folks need them to implement their particular itch.
>>
>> I wouldn't worry about the quality of the patch. The first one I wrote
>> for Tomcat was (rightly) ripped to pieces by the committers at the time
>> but the feature was implemented and is still there today. If a committer
>> can see a cleaner way of doing the same thing then they'll either give
>> you some pointers or just fix it and apply it. The main point is that if
>> there is a change you want to see, then you need do be the driving force.
>>
>> Adding connection level notes shouldn't be too hard. The trickier part
>> is exposing them to the high-level components that need them. Passing
>> through the request is probably the way to go.
> 
> As long as there is general interest in such a feature I will keep that
> in mind and might take a look at it over Christmas.

I'd certainly be prepared to look at it, both for SPNEGO and SPDY.

>>> I have no usecase for this at the moment :-(, I only provide patches for
>>> stuff I suffer from at work.
>>
>> The below looks like a use case to me.
>>
>>> As this [1] draft lays out Negotiate and Kerberos may apply to
>>> connection or request level auth. We are just lucky that the first
>>> gss_accept_sec_context makes the context complete in the SPNEGO
>>> authenticator.
>>>
>>> Some clients maintain the state and rely on the server to maintain the
>>> connection state too. Tomcat does not do that which means that the
>>> current SPNEGO authenticator has to issue a "Connection: close" after
>>> successful auth. Otherwise the client will reuse the connection and keep
>>> sending requests w/o reauthenticating eventhough Tomcat requires to do
>>> so. In this case I have a Wireshark capture where this exactly happens
>>> and the clients traps in an endless loop and issues thousands of
>>> requests performs a DoS.
> 
> Well, as long as there is support for connection storage should I file a
> bug about that?

Go for it.

> The connector has to close the connection in my opinion.

Not sure what you mean by that.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Hassan Schroeder
On Sat, Oct 27, 2012 at 11:36 AM, ken dias  wrote:
>
> Yes W8 is here but HPQ is still plummeting. Get rid of your CEO and get 
> someone who can improve your stock price!

Que?

-- 
Hassan Schroeder  hassan.schroe...@gmail.com
http://about.me/hassanschroeder
twitter: @hassan

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread ken dias

Yes W8 is here but HPQ is still plummeting. Get rid of your CEO and get someone 
who can improve your stock price!
 

> Date: Sat, 27 Oct 2012 19:57:30 +0200
> From: 1983-01...@gmx.net
> To: users@tomcat.apache.org
> Subject: Re: Detect in an authenticator whether a connection is persistent or 
> not
> 
> Am 2012-10-27 19:25, schrieb Mark Thomas:
> >> Is this something worth being filed in Bugzilla as a longterm goal for
> >> Tomcat 8?
> >
> > Sure, but without a proposed patch I suspect it will sit there for a few
> > years and then closed as WONTFIX. With a patch, it still might not get
> > fixed but at least you'll know for sure and if the patch isn't too
> > invasive (for the benefit it provides) it is likely to be applied.
> 
> That seems to be very tough. I hacked Tomcat code several times but 
> wouldn't claim that I am firm enough to implement such a tremendous 
> improvement. Interesting though that no one else yet requested such an 
> improvement.
> 
> I have no usecase for this at the moment :-(, I only provide patches for 
> stuff I suffer from at work.
> 
> As this [1] draft lays out Negotiate and Kerberos may apply to 
> connection or request level auth. We are just lucky that the first 
> gss_accept_sec_context makes the context complete in the SPNEGO 
> authenticator.
> 
> Some clients maintain the state and rely on the server to maintain the 
> connection state too. Tomcat does not do that which means that the 
> current SPNEGO authenticator has to issue a "Connection: close" after 
> successful auth. Otherwise the client will reuse the connection and keep 
> sending requests w/o reauthenticating eventhough Tomcat requires to do 
> so. In this case I have a Wireshark capture where this exactly happens 
> and the clients traps in an endless loop and issues thousands of 
> requests performs a DoS.
> 
> Thanks,
> 
> Mike
> 
> [1] 
> http://tools.ietf.org/html/draft-montenegro-httpbis-multilegged-auth-01#section-1
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
  

Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Michael-O

Am 2012-10-27 20:22, schrieb Mark Thomas:

On 27/10/2012 18:57, Michael-O wrote:

Am 2012-10-27 19:25, schrieb Mark Thomas:

Is this something worth being filed in Bugzilla as a longterm goal for
Tomcat 8?


Sure, but without a proposed patch I suspect it will sit there for a few
years and then closed as WONTFIX. With a patch, it still might not get
fixed but at least you'll know for sure and if the patch isn't too
invasive (for the benefit it provides) it is likely to be applied.


That seems to be very tough. I hacked Tomcat code several times but
wouldn't claim that I am firm enough to implement such a tremendous
improvement. Interesting though that no one else yet requested such an
improvement.


Yes, we are fairly tough on adding new features. We really don't want to
add what, for most users, is bloat. We are usually happy to add hooks if
folks need them to implement their particular itch.

I wouldn't worry about the quality of the patch. The first one I wrote
for Tomcat was (rightly) ripped to pieces by the committers at the time
but the feature was implemented and is still there today. If a committer
can see a cleaner way of doing the same thing then they'll either give
you some pointers or just fix it and apply it. The main point is that if
there is a change you want to see, then you need do be the driving force.

Adding connection level notes shouldn't be too hard. The trickier part
is exposing them to the high-level components that need them. Passing
through the request is probably the way to go.


As long as there is general interest in such a feature I will keep that 
in mind and might take a look at it over Christmas.



I have no usecase for this at the moment :-(, I only provide patches for
stuff I suffer from at work.


The below looks like a use case to me.


As this [1] draft lays out Negotiate and Kerberos may apply to
connection or request level auth. We are just lucky that the first
gss_accept_sec_context makes the context complete in the SPNEGO
authenticator.

Some clients maintain the state and rely on the server to maintain the
connection state too. Tomcat does not do that which means that the
current SPNEGO authenticator has to issue a "Connection: close" after
successful auth. Otherwise the client will reuse the connection and keep
sending requests w/o reauthenticating eventhough Tomcat requires to do
so. In this case I have a Wireshark capture where this exactly happens
and the clients traps in an endless loop and issues thousands of
requests performs a DoS.


Well, as long as there is support for connection storage should I file a 
bug about that? The connector has to close the connection in my opinion.


Mike

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Mark Thomas
On 27/10/2012 18:57, Michael-O wrote:
> Am 2012-10-27 19:25, schrieb Mark Thomas:
>>> Is this something worth being filed in Bugzilla as a longterm goal for
>>> Tomcat 8?
>>
>> Sure, but without a proposed patch I suspect it will sit there for a few
>> years and then closed as WONTFIX. With a patch, it still might not get
>> fixed but at least you'll know for sure and if the patch isn't too
>> invasive (for the benefit it provides) it is likely to be applied.
> 
> That seems to be very tough. I hacked Tomcat code several times but
> wouldn't claim that I am firm enough to implement such a tremendous
> improvement. Interesting though that no one else yet requested such an
> improvement.

Yes, we are fairly tough on adding new features. We really don't want to
add what, for most users, is bloat. We are usually happy to add hooks if
folks need them to implement their particular itch.

I wouldn't worry about the quality of the patch. The first one I wrote
for Tomcat was (rightly) ripped to pieces by the committers at the time
but the feature was implemented and is still there today. If a committer
can see a cleaner way of doing the same thing then they'll either give
you some pointers or just fix it and apply it. The main point is that if
there is a change you want to see, then you need do be the driving force.

Adding connection level notes shouldn't be too hard. The trickier part
is exposing them to the high-level components that need them. Passing
through the request is probably the way to go.

> I have no usecase for this at the moment :-(, I only provide patches for
> stuff I suffer from at work.

The below looks like a use case to me.

> As this [1] draft lays out Negotiate and Kerberos may apply to
> connection or request level auth. We are just lucky that the first
> gss_accept_sec_context makes the context complete in the SPNEGO
> authenticator.
> 
> Some clients maintain the state and rely on the server to maintain the
> connection state too. Tomcat does not do that which means that the
> current SPNEGO authenticator has to issue a "Connection: close" after
> successful auth. Otherwise the client will reuse the connection and keep
> sending requests w/o reauthenticating eventhough Tomcat requires to do
> so. In this case I have a Wireshark capture where this exactly happens
> and the clients traps in an endless loop and issues thousands of
> requests performs a DoS.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Michael-O

Am 2012-10-27 19:25, schrieb Mark Thomas:

Is this something worth being filed in Bugzilla as a longterm goal for
Tomcat 8?


Sure, but without a proposed patch I suspect it will sit there for a few
years and then closed as WONTFIX. With a patch, it still might not get
fixed but at least you'll know for sure and if the patch isn't too
invasive (for the benefit it provides) it is likely to be applied.


That seems to be very tough. I hacked Tomcat code several times but 
wouldn't claim that I am firm enough to implement such a tremendous 
improvement. Interesting though that no one else yet requested such an 
improvement.


I have no usecase for this at the moment :-(, I only provide patches for 
stuff I suffer from at work.


As this [1] draft lays out Negotiate and Kerberos may apply to 
connection or request level auth. We are just lucky that the first 
gss_accept_sec_context makes the context complete in the SPNEGO 
authenticator.


Some clients maintain the state and rely on the server to maintain the 
connection state too. Tomcat does not do that which means that the 
current SPNEGO authenticator has to issue a "Connection: close" after 
successful auth. Otherwise the client will reuse the connection and keep 
sending requests w/o reauthenticating eventhough Tomcat requires to do 
so. In this case I have a Wireshark capture where this exactly happens 
and the clients traps in an endless loop and issues thousands of 
requests performs a DoS.


Thanks,

Mike

[1] 
http://tools.ietf.org/html/draft-montenegro-httpbis-multilegged-auth-01#section-1


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Mark Thomas
On 27/10/2012 17:56, Michael-O wrote:
> Am 2012-10-27 18:38, schrieb Mark Thomas:
>> On 27/10/2012 16:28, Michael-O wrote:
>>> Am 2012-10-27 16:57, schrieb Mark Thomas:
>>
 The only mechanism to maintain state between HTTP requests is the HTTP
 session. You might be able to hack something together (in a
 non-portable
 way) on a per connection basis but that is likely to require some
 rather
 major internal surgery for Tomcat (and may be rejected by the
 committers).
>>>
>>> Is there no way to tell that subsequent n requests come from the very
>>> same socket connection? HTTP is just on top of TCP/IP. Something like
>>> this should be transparent to HTTP though?
>>> I am curious, since I know server implementations which indeed DO
>>> maintain state without HTTP sessions but I do not know how they do that.
>>
>> It is easy if the same request object is reused for each request
>> processed for a given connection. Tomcat doesn't do this.
>>
>> When a connection has data to process, first a processor is taken from
>> the processor pool to process the data. The processor has a request
>> object that is re-used. Each time an HTTP request is processed, a
>> different processor and request object may be used. (This does vary
>> slightly between the different connections but lets not complicate
>> things).
>>
>> Undoing this is the major internal surgery I was referring to. You might
>> be able to add an API to store/retrieve data to/from the connection
>> (similar to notes on the session, but at the connection level) and
>> access this from the authenticator (that is a lot further up the stack).
>> That could still end up being pretty invasive.
> 
> OK that's a statement. Tomcat does fully support persistent connections
> but there is no state information maintained, right?

Correct. Tomcat fully supports HTTP/1.1 and that requires keep-alive
support.

> The answer would be: There is clearly no way to store any information
> for a given connection context and retrieve throughout the Tomcat code.

Currently, yes.

> Is this something worth being filed in Bugzilla as a longterm goal for
> Tomcat 8?

Sure, but without a proposed patch I suspect it will sit there for a few
years and then closed as WONTFIX. With a patch, it still might not get
fixed but at least you'll know for sure and if the patch isn't too
invasive (for the benefit it provides) it is likely to be applied.

> Thanks for the quick response,

You are welcome.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Michael-O

Am 2012-10-27 18:38, schrieb Mark Thomas:

On 27/10/2012 16:28, Michael-O wrote:

Am 2012-10-27 16:57, schrieb Mark Thomas:



The only mechanism to maintain state between HTTP requests is the HTTP
session. You might be able to hack something together (in a non-portable
way) on a per connection basis but that is likely to require some rather
major internal surgery for Tomcat (and may be rejected by the
committers).


Is there no way to tell that subsequent n requests come from the very
same socket connection? HTTP is just on top of TCP/IP. Something like
this should be transparent to HTTP though?
I am curious, since I know server implementations which indeed DO
maintain state without HTTP sessions but I do not know how they do that.


It is easy if the same request object is reused for each request
processed for a given connection. Tomcat doesn't do this.

When a connection has data to process, first a processor is taken from
the processor pool to process the data. The processor has a request
object that is re-used. Each time an HTTP request is processed, a
different processor and request object may be used. (This does vary
slightly between the different connections but lets not complicate things).

Undoing this is the major internal surgery I was referring to. You might
be able to add an API to store/retrieve data to/from the connection
(similar to notes on the session, but at the connection level) and
access this from the authenticator (that is a lot further up the stack).
That could still end up being pretty invasive.


OK that's a statement. Tomcat does fully support persistent connections 
but there is no state information maintained, right?
The answer would be: There is clearly no way to store any information 
for a given connection context and retrieve throughout the Tomcat code.


Is this something worth being filed in Bugzilla as a longterm goal for 
Tomcat 8?


Thanks for the quick response,

Michael

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Mark Thomas
On 27/10/2012 16:28, Michael-O wrote:
> Am 2012-10-27 16:57, schrieb Mark Thomas:

>> The only mechanism to maintain state between HTTP requests is the HTTP
>> session. You might be able to hack something together (in a non-portable
>> way) on a per connection basis but that is likely to require some rather
>> major internal surgery for Tomcat (and may be rejected by the
>> committers).
> 
> Is there no way to tell that subsequent n requests come from the very
> same socket connection? HTTP is just on top of TCP/IP. Something like
> this should be transparent to HTTP though?
> I am curious, since I know server implementations which indeed DO
> maintain state without HTTP sessions but I do not know how they do that.

It is easy if the same request object is reused for each request
processed for a given connection. Tomcat doesn't do this.

When a connection has data to process, first a processor is taken from
the processor pool to process the data. The processor has a request
object that is re-used. Each time an HTTP request is processed, a
different processor and request object may be used. (This does vary
slightly between the different connections but lets not complicate things).

Undoing this is the major internal surgery I was referring to. You might
be able to add an API to store/retrieve data to/from the connection
(similar to notes on the session, but at the connection level) and
access this from the authenticator (that is a lot further up the stack).
That could still end up being pretty invasive.

> At least the chromium link says how this can be done. Apache HTTP Cient
> does that too. Why not Tomcat?

I didn't say it couldn't be done. See above.

>> It isn't unreasonable for use of an authentication to require an HTTP
>> session. FORM auth does that so I don't immediately see why SPNEGO can't.
> 
> FORM auth works very different compared to header-based auth. Form is
> meant for human interaction with a browser which will always pass cookies.
> I cannot expect that from a "machine" client nor can the client actively
> say destroy that session unless a specific URL is called. "Connection:
> close" can do that.

Yes there are differences and it places requirements on the client but
that doesn't make it a complete non-starter. I agree, if this can be
done per connection it would be a lot better.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Michael-O

Am 2012-10-27 16:57, schrieb Mark Thomas:

On 27/10/2012 14:50, Michael-O wrote:

Hi,

several authentication mechanisms require a session (*not* HTTP session)
or connection being initiated when authentication is performed and
principal cached for subsquent requests [1], [2].

Now, I want to patch our SPNEGO authenticator in Tomcat 6 to behave
stateful. I once contributed that code to Apache in bug 48465 [3] which
does not behave like that. I like to align both authenticators.
This issue initially popped up while fixing an issue in libserf [4] for
the upcoming Apache Subversion version 1.8.0.

How do I access that information in an authenticator? I do not intend to
create a HTTP session for that for two reasons:

1. Creation of sessions should be upto the webapp.
2. There is no guarantee that the client will present the session cookie
on a subsequent request.


The only mechanism to maintain state between HTTP requests is the HTTP
session. You might be able to hack something together (in a non-portable
way) on a per connection basis but that is likely to require some rather
major internal surgery for Tomcat (and may be rejected by the committers).


Is there no way to tell that subsequent n requests come from the very 
same socket connection? HTTP is just on top of TCP/IP. Something like 
this should be transparent to HTTP though?
I am curious, since I know server implementations which indeed DO 
maintain state without HTTP sessions but I do not know how they do that.


At least the chromium link says how this can be done. Apache HTTP Cient 
does that too. Why not Tomcat?



It isn't unreasonable for use of an authentication to require an HTTP
session. FORM auth does that so I don't immediately see why SPNEGO can't.


FORM auth works very different compared to header-based auth. Form is 
meant for human interaction with a browser which will always pass cookies.
I cannot expect that from a "machine" client nor can the client actively 
say destroy that session unless a specific URL is called. "Connection: 
close" can do that.


Mike

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Mark Thomas
On 27/10/2012 14:50, Michael-O wrote:
> Hi,
> 
> several authentication mechanisms require a session (*not* HTTP session)
> or connection being initiated when authentication is performed and
> principal cached for subsquent requests [1], [2].
> 
> Now, I want to patch our SPNEGO authenticator in Tomcat 6 to behave
> stateful. I once contributed that code to Apache in bug 48465 [3] which
> does not behave like that. I like to align both authenticators.
> This issue initially popped up while fixing an issue in libserf [4] for
> the upcoming Apache Subversion version 1.8.0.
> 
> How do I access that information in an authenticator? I do not intend to
> create a HTTP session for that for two reasons:
> 
> 1. Creation of sessions should be upto the webapp.
> 2. There is no guarantee that the client will present the session cookie
> on a subsequent request.

The only mechanism to maintain state between HTTP requests is the HTTP
session. You might be able to hack something together (in a non-portable
way) on a per connection basis but that is likely to require some rather
major internal surgery for Tomcat (and may be rejected by the committers).

It isn't unreasonable for use of an authentication to require an HTTP
session. FORM auth does that so I don't immediately see why SPNEGO can't.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org