> From: cdeha...@ebay.com
> To: users@tomcat.apache.org
> CC: cdeha...@ebay.com
> Subject: Re: multiple servers and digest authentication
> Date: Sat, 30 Nov 2013 01:55:32 +0000
>
> Hi,
>
> Thanks for your answers:
>
> 1/ Sticky session : yes, that is the way I have currently set my load
> balancer.
> But there is a drawback when the client is continuously using the service
> => because it will never be load balanced again.
> The worst is when one of the servers is stopped and restarted => all the
> clients will be redistributed to the still alive servers,
> and when the server is restarted, it will not pick up any load
>
> To work around this problem, with sticky session on, I have patched my
> client to clear the sticky cookie every X minutes. That forces the load
> balancer to give me the least used servers (possibly the one that has been
> restarted)
>
> 2/ front-end load balancer solution: my configuration is with an F5 load
> balancer (citrix). From what I understand, the question is: can we
> configure the F5 to manage the nonce and then delegate the authentication
> to the servers (tomcat). It will require:
> F5 to manage the nonce (will send back the 401 when nonce not valid) but
MG> here is the XSD element definition for nonce using wss4j
MG>xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
MG><!-- KANonce -->
<ObjectProvider qualifiedName="xenc:KA-Nonce">
<BuilderClass
className="org.opensaml.xml.encryption.impl.KANonceBuilder" />
<MarshallingClass
className="org.opensaml.xml.schema.impl.XSBase64BinaryMarshaller" />
<UnmarshallingClass
className="org.opensaml.xml.schema.impl.XSBase64BinaryUnmarshaller" />
</ObjectProvider>
MG> so how would F5 build out a nonce such as
<EncryptedData>
  <EncryptionMethod Algorithm="Example:Block/Alg">
    <KeySize>80</KeySize>
  </EncryptionMethod>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <AgreementMethod Algorithm="example:Agreement/Algorithm">
      <KA-Nonce>Zm9v</KA-Nonce>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"/>
      <OriginatorKeyInfo>
        <ds:KeyValue>....</ds:KeyValue>
      </OriginatorKeyInfo>
      <RecipientKeyInfo>
        <ds:KeyValue>....</ds:KeyValue>
      </RecipientKeyInfo>
    </AgreementMethod>
  </ds:KeyInfo>
  <CipherData>...</CipherData>
</EncryptedData>
MG>?
> not verify the user credential and pass that to servers
>
> Servers (tomcat) to not check the nonce but check the credential. I have
> read the description of tomcatAuthentication flag from André's link, but
> I'm not sure it does what I expect
>
> Any idea if this is feasible from F5/tomcat point of views?
> Any other suggestions? ;)
>
> Thanks,
>
> Xtof
>
> On 11/27/13 9:04 AM, "Christopher Schultz" <ch...@christopherschultz.net>
> wrote:
>
> >
> >André,
> >
> >On 11/27/13, 5:15 AM, André Warnier wrote:
> >> Mark Thomas wrote:
> >>> On 27/11/2013 07:34, Dehaudt, Christophe wrote:
> >>>> Is there a way to share the nonce between servers so they can
> >>>> act as one?
> >>>
> >>> No. You'd need to customise the DigestAuthenticator to do that.
> >>>
> >>>> I would like to get your advice on how to make a multiple
> >>>> server deployment running with Http digest.
> >>>
> >>> Use sticky load-balancing.
> >>>
> >>
> >> Or do the authentication at the front-end load-balancer level, and
> >> set Tomcat's authentication to accept what the front-end says ?
> >> (E.g.
> >>
> >> https://tomcat.apache.org/tomcat-8.0-doc/config/ajp.html#Standard_Implementations
> >>
> >> #tomcatAuthentication)
> >
> >While it is popular to do so, I don't think anyone really uses httpd
> >for industrial-strength load-balancing. Can an F5 do authentication
> >(and forward it to Tomcat?). I suspect not in any way that would work
> >well with the back-end application.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
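The kind of nonce handling a customised DigestAuthenticator could use so that any server in the pool validates a nonce another server issued, as an added example that is not code from the thread, Tomcat or F5: the nonce carries a timestamp plus an HMAC under a secret shared by all servers, so no nonce cache has to be replicated. The shared secret, the TTL and all function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed values: every server in the pool must hold the same secret,
# distributed out of band; rotating it invalidates outstanding nonces.
SHARED_SECRET = b"example-shared-secret-rotate-me"
NONCE_TTL = 300  # seconds a nonce stays valid on any server

def make_nonce(secret, now=None):
    """Nonce = base64("timestamp:HMAC(secret, timestamp)"); no server-side state."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{ts}:{mac}".encode()).decode()

def nonce_is_valid(secret, nonce, now=None):
    """Any server with the secret can validate a nonce another server issued."""
    try:
        ts, mac = base64.b64decode(nonce).decode().split(":", 1)
        issued = int(ts)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed nonce
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # forged, or issued under a different secret
    age = (time.time() if now is None else now) - issued
    return 0 <= age <= NONCE_TTL  # reject expired and future-dated nonces

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(secret, user, realm, password, method, uri, nonce, nc, cnonce, response, now=None):
    """Server side: check the nonce statelessly, then the credential.
    Without shared state the nc counter cannot be tracked across servers,
    so a short NONCE_TTL bounds the replay window instead."""
    if not nonce_is_valid(secret, nonce, now):
        return False
    expected = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)
```

Because the nc counter is not tracked across servers, the TTL is the only bound on replay of a captured response; keep it short or share nc state if that matters for the deployment.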