Yes W8 is here but HPQ is still plummeting. Get rid of your CEO and get someone 
who can improve your stock price!
 

> Date: Sat, 27 Oct 2012 19:57:30 +0200
> From: 1983-01...@gmx.net
> To: users@tomcat.apache.org
> Subject: Re: Detect in an authenticator whether a connection is persistent or 
> not
> 
> On 2012-10-27 19:25, Mark Thomas wrote:
> >> Is this something worth being filed in Bugzilla as a longterm goal for
> >> Tomcat 8?
> >
> > Sure, but without a proposed patch I suspect it will sit there for a few
> > years and then closed as WONTFIX. With a patch, it still might not get
> > fixed but at least you'll know for sure and if the patch isn't too
> > invasive (for the benefit it provides) it is likely to be applied.
> 
> That seems to be very tough. I hacked Tomcat code several times but 
> wouldn't claim that I am firm enough to implement such a tremendous 
> improvement. Interesting though that no one else yet requested such an 
> improvement.
> 
> I have no use case for this at the moment :-(, I only provide patches for 
> stuff I suffer from at work.
> 
> As this draft [1] lays out, Negotiate and Kerberos may apply to 
> connection or request level auth. We are just lucky that the first 
> gss_accept_sec_context makes the context complete in the SPNEGO 
> authenticator.
> 
> Some clients maintain the state and rely on the server to maintain the 
> connection state too. Tomcat does not do that, which means that the 
> current SPNEGO authenticator has to issue a "Connection: close" after 
> successful auth. Otherwise the client will reuse the connection and keep 
> sending requests w/o reauthenticating even though Tomcat requires it to do 
> so. In this case I have a Wireshark capture where exactly this happens: 
> the client gets trapped in an endless loop and issues thousands of 
> requests, performing a DoS.
> 
> Thanks,
> 
> Mike
> 
> [1] 
> http://tools.ietf.org/html/draft-montenegro-httpbis-multilegged-auth-01#section-1
> 
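
An added illustration, not part of the original thread and not Tomcat code, of the mismatch described in the quoted message: a server that demands a Negotiate token on every request, a client that authenticates once per connection, and the effect of "Connection: close" after successful auth. The client's retry behaviour, the token value and the request cap are assumptions of this toy model.

```python
# Toy model (constructed): request-level auth on the server,
# connection-level auth assumed by the client.
MAX_REQUESTS = 1000          # cap so the looping case terminates
TOKEN = "constructed-token"  # placeholder, not a real SPNEGO token


def server(headers, close_after_auth):
    """Every request must carry a Negotiate token; no connection state kept."""
    if headers.get("Authorization", "").startswith("Negotiate "):
        return 200, ({"Connection": "close"} if close_after_auth else {})
    return 401, {"WWW-Authenticate": "Negotiate"}


def run_client(paths, close_after_auth):
    """Client answers one challenge per connection, then trusts the connection."""
    conn_authenticated = False
    sent, completed = 0, []
    for path in paths:
        use_token, done = False, False
        while not done:
            if sent >= MAX_REQUESTS:
                return {"completed": completed, "requests": sent, "looped": True}
            headers = {"Authorization": "Negotiate " + TOKEN} if use_token else {}
            status, resp = server(headers, close_after_auth)
            sent += 1
            if status == 200:
                completed.append(path)
                done = True
                # "Connection: close" forces a fresh, unauthenticated connection
                conn_authenticated = resp.get("Connection") != "close"
            elif not conn_authenticated:
                use_token = True  # first challenge on this connection: answer it
            # else: the client believes the connection is already authenticated,
            # resends without a token and receives 401 again (the loop)
    return {"completed": completed, "requests": sent, "looped": False}


if __name__ == "__main__":
    print("keep-alive      :", run_client(["/a", "/b"], close_after_auth=False))
    print("Connection close:", run_client(["/a", "/b"], close_after_auth=True))
```

With keep-alive the second request never completes and the cap is hit; with the close header each request costs one challenge round trip and the run ends after four requests.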
                                          
