Hi,

because of changes in the HTTP digest implementation within JDK 8 (https://bugs.openjdk.java.net/browse/JDK-8010505), we are forced to migrate from Tomcat 6 to 7.

The problem is that we have a Tomcat cluster (several Tomcats behind an Apache/mod_jk server) and we cannot guarantee that both HTTP requests resulting from the digest authentication are sent to the same Tomcat instance. In Tomcat 6 it was no problem because nonces were not cached, or rather unknown nonces did not force a re-authentication like it is done in the DigestAuthenticator of Tomcat 7:

    if (info == null) {
        // Nonce is valid but not in cache. It must have dropped out
        // of the cache - force a re-authentication
        nonceStale = true;
    }

Some clients have the problem that the second 401 response to the request with Authorization header leads to an authentication failure although the credentials are correct. Other clients, e.g. JMeter, keep trying to send the Authorization header, if stale is true, until an HTTP 200 is returned.

So, what is the recommendation here? How to use Digest authentication within Tomcat clusters if nonces are cached in a map within DigestAuthenticator?

Best regards
Sascha