Yes W8 is here but HPQ is still plummeting. Get rid of your CEO and get someone who can improve your stock price!
> Date: Sat, 27 Oct 2012 19:57:30 +0200
> From: 1983-01...@gmx.net
> To: users@tomcat.apache.org
> Subject: Re: Detect in an authenticator whether a connection is persistent or not
>
> On 2012-10-27 19:25, Mark Thomas wrote:
> >> Is this something worth being filed in Bugzilla as a long-term goal for
> >> Tomcat 8?
> >
> > Sure, but without a proposed patch I suspect it will sit there for a few
> > years and then be closed as WONTFIX. With a patch, it still might not get
> > fixed but at least you'll know for sure and if the patch isn't too
> > invasive (for the benefit it provides) it is likely to be applied.
>
> That seems to be very tough. I hacked Tomcat code several times but
> wouldn't claim that I am firm enough to implement such a tremendous
> improvement. Interesting though that no one else yet requested such an
> improvement.
>
> I have no use case for this at the moment :-(, I only provide patches for
> stuff I suffer from at work.
>
> As this [1] draft lays out, Negotiate and Kerberos may apply to
> connection or request level auth. We are just lucky that the first
> gss_accept_sec_context makes the context complete in the SPNEGO
> authenticator.
>
> Some clients maintain the state and rely on the server to maintain the
> connection state too. Tomcat does not do that, which means that the
> current SPNEGO authenticator has to issue a "Connection: close" after
> successful auth. Otherwise the client will reuse the connection and keep
> sending requests w/o reauthenticating even though Tomcat requires it to do
> so. In this case I have a Wireshark capture where exactly this happens
> and the client gets trapped in an endless loop and issues thousands of
> requests, performing a DoS.
>
> Thanks,
>
> Mike
>
> [1]
> http://tools.ietf.org/html/draft-montenegro-httpbis-multilegged-auth-01#section-1
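The mismatch described in the quoted message, as an added toy model that is not part of the thread and is not Tomcat code: a server that authenticates every request meets a client that treats authentication as bound to the connection. The class names, the request budget and the client's retry behaviour (retrying a 401 without a token on a connection it believes is authenticated) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    close: bool  # True when the server sent "Connection: close"

class RequestLevelServer:
    """Keeps no per-connection state: every request needs its own token."""
    def __init__(self, close_after_auth):
        self.close_after_auth = close_after_auth

    def handle(self, has_token):
        if not has_token:
            return Response(401, close=False)  # Negotiate challenge
        return Response(200, close=self.close_after_auth)

class ConnectionLevelClient:
    """Assumed client: authenticates once per connection, then stops sending tokens."""
    def __init__(self, server, budget):
        self.server = server
        self.budget = budget        # cap so the model terminates
        self.sent = 0
        self.challenged = False     # saw a 401 on this connection
        self.conn_authed = False    # client's belief about this connection

    def get(self):
        """Fetch one resource; returns 200, or None when the budget is used up."""
        while self.sent < self.budget:
            # A token is attached only during the handshake on a connection
            # the client has not yet marked as authenticated.
            has_token = self.challenged and not self.conn_authed
            self.sent += 1
            resp = self.server.handle(has_token)
            if resp.status == 401:
                self.challenged = True
                continue            # retry on the same connection
            if has_token:
                self.conn_authed = True
            if resp.close:          # next request starts on a fresh connection
                self.conn_authed = False
                self.challenged = False
            return resp.status
        return None

def run(close_after_auth, pages=3, budget=1000):
    """Returns (status per page, total requests sent)."""
    client = ConnectionLevelClient(RequestLevelServer(close_after_auth), budget)
    statuses = [client.get() for _ in range(pages)]
    return statuses, client.sent

if __name__ == "__main__":
    print("with Connection: close   ", run(True))
    print("without Connection: close", run(False))
```

With the close header each page costs one challenge and one authenticated request; without it the second page never completes and the client burns the entire request budget on 401 responses.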