> >>> I have no use case for this at the moment :-(, I only provide patches for
> >>> stuff I suffer from at work.
> >>
> >> The below looks like a use case to me.
> >>
> >>> As this [1] draft lays out, Negotiate and Kerberos may apply to
> >>> connection- or request-level auth. We are just lucky that the first
> >>> gss_accept_sec_context makes the context complete in the SPNEGO
> >>> authenticator.
> >>>
> >>> Some clients maintain the state and rely on the server to maintain the
> >>> connection state too. Tomcat does not do that, which means that the
> >>> current SPNEGO authenticator has to issue a "Connection: close" after
> >>> successful auth. Otherwise the client will reuse the connection and keep
> >>> sending requests w/o reauthenticating even though Tomcat requires it to
> >>> do so. In this case I have a Wireshark capture where exactly this happens:
> >>> the client traps in an endless loop and issues thousands of requests,
> >>> performing a DoS.
> >
> > Well, as long as there is support for connection storage, should I file a
> > bug about that?
>
> Go for it.
>
> > The connector has to close the connection in my opinion.
>
> Not sure what you mean by that.
I guess there is a misunderstanding here. There are two issues to be filed:

1. The long-term support for a connection-based store.
2. The above-described behavior of the current SPNEGO connector in Tomcat 7. A DoS is possible when a client expects that the server has a connection context on a persistent connection.

I was referring to the latter in the first place.

Michael