On 27/10/2012 19:32, Michael-O wrote:
> Am 2012-10-27 20:22, schrieb Mark Thomas:
>> On 27/10/2012 18:57, Michael-O wrote:
>>> Am 2012-10-27 19:25, schrieb Mark Thomas:
>>>>> Is this something worth being filed in Bugzilla as a longterm goal for
>>>>> Tomcat 8?
>>>>
>>>> Sure, but without a proposed patch I suspect it will sit there for a
>>>> few
>>>> years and then closed as WONTFIX. With a patch, it still might not get
>>>> fixed but at least you'll know for sure and if the patch isn't too
>>>> invasive (for the benefit it provides) it is likely to be applied.
>>>
>>> That seems to be very tough. I hacked Tomcat code several times but
>>> wouldn't claim that I am firm enough to implement such a tremendous
>>> improvement. Interesting though that no one else yet requested such an
>>> improvement.
>>
>> Yes, we are fairly tough on adding new features. We really don't want to
>> add what, for most users, is bloat. We are usually happy to add hooks if
>> folks need them to implement their particular itch.
>>
>> I wouldn't worry about the quality of the patch. The first one I wrote
>> for Tomcat was (rightly) ripped to pieces by the committers at the time
>> but the feature was implemented and is still there today. If a committer
>> can see a cleaner way of doing the same thing then they'll either give
>> you some pointers or just fix it and apply it. The main point is that if
>> there is a change you want to see, then you need do be the driving force.
>>
>> Adding connection level notes shouldn't be too hard. The trickier part
>> is exposing them to the high-level components that need them. Passing
>> through the request is probably the way to go.
> 
> As long as there is general interest in such a feature I will keep that
> in mind and might take a look at it over Christmas.

I'd certainly be prepared to look at it, both for SPNEGO and SPDY.

>>> I have no usecase for this at the moment :-(, I only provide patches for
>>> stuff I suffer from at work.
>>
>> The below looks like a use case to me.
>>
>>> As this [1] draft lays out Negotiate and Kerberos may apply to
>>> connection or request level auth. We are just lucky that the first
>>> gss_accept_sec_context makes the context complete in the SPNEGO
>>> authenticator.
>>>
>>> Some clients maintain the state and rely on the server to maintain the
>>> connection state too. Tomcat does not do that which means that the
>>> current SPNEGO authenticator has to issue a "Connection: close" after
>>> successful auth. Otherwise the client will reuse the connection and keep
>>> sending requests w/o reauthenticating eventhough Tomcat requires to do
>>> so. In this case I have a Wireshark capture where this exactly happens
>>> and the clients traps in an endless loop and issues thousands of
>>> requests performs a DoS.
> 
> Well, as long as there is support for connection storage should I file a
> bug about that?

Go for it.

> The connector has to close the connection in my opinion.

Not sure what you mean by that.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to