https://issues.apache.org/bugzilla/show_bug.cgi?id=54076
Priority: P2
Bug ID: 54076
Assignee: dev@tomcat.apache.org
Summary: SPNEGO authenticator stateless-ness leads to a DoS with stateful clients
Severity: major
Classification: Unclassified
OS: All
Reporter: 1983-01...@gmx.net
Hardware: All
Status: NEW
Version: trunk
Component: Catalina
Product: Tomcat 7

At the moment, Tomcat is not able to store connection-level information to support stateful authentication mechanisms. This has been confirmed on the mailing list: http://www.mail-archive.com/users@tomcat.apache.org/msg102169.html

Unfortunately, a client which observes that, like Apache HttpComponents or libserf (used in Apache Subversion), will authenticate only the first request and expect the server to cache that for the connection. Subsequent communication will end in an endless loop. See here http://serf.googlecode.com/issues/attachment?aid=770006001&name=tomcat-serf-spnego-response.png&token=GDWvY5f7eMDzDGwtg1tD5N_MUXY%3A1351604707042&inline=1 and here http://serf.googlecode.com/issues/attachment?aid=770006002&name=serf-endless-loop.png&token=cHvvfubJuAHDuTMjG_OHOaps5hQ%3A1351604707042&inline=1

A simple hint can tell the client that the server does not support stateful auth on a connection level. Add here http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?view=markup#l272 before line 272 "response.addHeader("Connection", "close");" and the client will open a new connection and reauth further requests. Not doing so makes the Tomcat server vulnerable to DoS, as you can see in the second screenshot.
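The exchange the report describes, as an added example that is not part of the bug report and not Tomcat, serf or HttpComponents code: a toy Python model of a stateless Negotiate server (401 + WWW-Authenticate: Negotiate for every request that carries no token) against a client that authenticates once per connection and then assumes the connection stays authenticated. It is run twice, with and without the proposed Connection: close hint. The server, client, placeholder token, host name and the retry cap that stands in for "endless" are all constructed for the model; the real clients' retry logic differs in detail.

```python
"""Toy model of the stateless-server / stateful-client mismatch from bug 54076.

Constructed for illustration: the server, client, token string and retry cap
are simplified stand-ins, not Tomcat, serf or HttpComponents code.
"""
from dataclasses import dataclass

# Placeholder for a GSS-API/Kerberos token; constructed, not a real token.
NEGOTIATE_TOKEN = "YIIBconstructedtoken=="


@dataclass
class Response:
    status: int
    headers: dict


class StatelessSpnegoServer:
    """Models SpnegoAuthenticator: no per-connection state, so every request
    must carry its own Authorization: Negotiate header or it gets a 401."""

    def __init__(self, send_connection_close: bool):
        self.send_connection_close = send_connection_close
        self.round_trips = 0   # requests seen
        self.handshakes = 0    # tokens validated

    def handle(self, headers: dict) -> Response:
        self.round_trips += 1
        if not headers.get("Authorization", "").startswith("Negotiate "):
            return Response(401, {"WWW-Authenticate": "Negotiate"})
        self.handshakes += 1
        resp_headers = {}
        if self.send_connection_close:
            # The hint proposed in the report: tell the client this connection
            # carries no authentication state beyond the current request.
            resp_headers["Connection"] = "close"
        return Response(200, resp_headers)


class StatefulClient:
    """Models a client that authenticates once per connection and then assumes
    the connection stays authenticated (the serf/HttpComponents behaviour the
    report describes, simplified)."""

    def __init__(self, server: StatelessSpnegoServer, max_attempts: int = 5):
        self.server = server
        self.max_attempts = max_attempts  # cap so the model cannot loop forever
        self.connections_opened = 0
        self._open_connection()

    def _open_connection(self) -> None:
        self.connections_opened += 1
        self.connection_authenticated = False
        self.send_token_next = False

    def request(self, path: str) -> Response:
        for _ in range(self.max_attempts):
            headers = {"Host": "tomcat.example"}  # constructed host name
            if self.send_token_next:
                headers["Authorization"] = "Negotiate " + NEGOTIATE_TOKEN
                self.send_token_next = False
            resp = self.server.handle(headers)
            if resp.status == 401 and resp.headers.get("WWW-Authenticate") == "Negotiate":
                # Already authenticated on this connection: the client sees no
                # reason to build a new token, so it just retries -> the loop.
                if not self.connection_authenticated:
                    self.send_token_next = True
                continue
            if resp.status == 200:
                self.connection_authenticated = True
                if resp.headers.get("Connection", "").lower() == "close":
                    # Honour the hint: drop the connection; the next request
                    # starts on a fresh one and re-authenticates.
                    self._open_connection()
            return resp
        raise RuntimeError(f"gave up on {path} after {self.max_attempts} attempts")


def simulate(send_connection_close: bool, n_requests: int = 3) -> dict:
    """Run n_requests through the model and report what happened."""
    server = StatelessSpnegoServer(send_connection_close)
    client = StatefulClient(server)
    completed, stalled = 0, False
    for i in range(n_requests):
        try:
            client.request(f"/repo/file{i}")
            completed += 1
        except RuntimeError:
            stalled = True
            break
    return {
        "stalled": stalled,
        "completed": completed,
        "round_trips": server.round_trips,
        "handshakes": server.handshakes,
        "connections": client.connections_opened,
    }


if __name__ == "__main__":
    print("without Connection: close ->", simulate(False))
    print("with    Connection: close ->", simulate(True))
```

Without the hint the second request never completes: the client keeps retrying without a token and the server keeps answering 401, which is the tight request/response loop in the second screenshot. With the hint every request succeeds, at the cost of a new TCP connection and a fresh Negotiate handshake per request; the hint stops the loop but does not give the client the per-connection authentication caching it was expecting.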