Am 2012-10-27 19:25, schrieb Mark Thomas:
Is this something worth being filed in Bugzilla as a longterm goal for
Tomcat 8?
Sure, but without a proposed patch I suspect it will sit there for a few
years and then closed as WONTFIX. With a patch, it still might not get
fixed but at least you'll know for sure and if the patch isn't too
invasive (for the benefit it provides) it is likely to be applied.
That seems to be very tough. I hacked Tomcat code several times but
wouldn't claim that I am firm enough to implement such a tremendous
improvement. Interesting though that no one else yet requested such an
improvement.
I have no usecase for this at the moment :-(, I only provide patches for
stuff I suffer from at work.
As this [1] draft lays out Negotiate and Kerberos may apply to
connection or request level auth. We are just lucky that the first
gss_accept_sec_context makes the context complete in the SPNEGO
authenticator.
Some clients maintain the state and rely on the server to maintain the
connection state too. Tomcat does not do that which means that the
current SPNEGO authenticator has to issue a "Connection: close" after
successful auth. Otherwise the client will reuse the connection and keep
sending requests w/o reauthenticating eventhough Tomcat requires to do
so. In this case I have a Wireshark capture where this exactly happens
and the clients traps in an endless loop and issues thousands of
requests performs a DoS.
Thanks,
Mike
[1]
http://tools.ietf.org/html/draft-montenegro-httpbis-multilegged-auth-01#section-1
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org