https://issues.apache.org/bugzilla/show_bug.cgi?id=54076
Priority: P2
Bug ID: 54076
Assignee: [email protected]
Summary: SPNEGO authenticator stateless-ness leads to a DoS with stateful clients
Severity: major
Classification: Unclassified
OS: All
Reporter: [email protected]
Hardware: All
Status: NEW
Version: trunk
Component: Catalina
Product: Tomcat 7
At the moment, Tomcat is not able to store connection-level information to
support stateful authentication mechanisms. This has been confirmed on the
mailing list: http://www.mail-archive.com/[email protected]/msg102169.html
Unfortunately, a client which observes that, like Apache HTTPComponents or
libserf (used in Apache Subversion), will authenticate only the first
request and expect the server to cache that for the connection. Subsequent
communication will end in an endless loop. See here
http://serf.googlecode.com/issues/attachment?aid=770006001&name=tomcat-serf-spnego-response.png&token=GDWvY5f7eMDzDGwtg1tD5N_MUXY%3A1351604707042&inline=1
and here
http://serf.googlecode.com/issues/attachment?aid=770006002&name=serf-endless-loop.png&token=cHvvfubJuAHDuTMjG_OHOaps5hQ%3A1351604707042&inline=1
A simple hint can tell the client that the server does not support stateful
auth on a connection level. Add here
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?view=markup#l272
before line 272 "response.addHeader("Connection", "close");" and the client
will open a new connection and re-authenticate further requests.
Not doing so makes the Tomcat server vulnerable to DoS as you can see in the
second screenshot.
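As an added illustration (not part of the bug report, of Tomcat or of serf), the following Python model plays out the exchange described above: a server that checks the Negotiate token on every request and keeps no connection state, a client that sends its token only on the first request of a connection, and the effect of the proposed "Connection: close" hint on the 401 challenge. The client behaviour, the token value and the paths are constructed assumptions.

```python
# Constructed model of the exchange in the report: a stateless SPNEGO server
# that challenges every request, a client that authenticates only the first
# request on a connection, and the effect of "Connection: close" on the 401.
# Client behaviour and token value are assumptions, not serf or Tomcat code.

class StatelessServer:
    """Checks the Negotiate token on every request; keeps no connection state."""
    def __init__(self, close_on_challenge):
        self.close_on_challenge = close_on_challenge

    def handle(self, request):
        if request.get("Authorization", "").startswith("Negotiate "):
            return {"status": 200, "headers": {}}
        headers = {"WWW-Authenticate": "Negotiate"}
        if self.close_on_challenge:  # the proposed hint on the 401 challenge
            headers["Connection"] = "close"
        return {"status": 401, "headers": headers}

class StatefulClient:
    """Sends the token once per connection, then assumes it stays authenticated."""
    def __init__(self, server, max_round_trips=10):
        self.server = server
        self.max_round_trips = max_round_trips
        self.conn = None
        self.connections_opened = 0

    def _open(self):
        self.connections_opened += 1
        self.conn = {"authenticated": False}

    def fetch(self, path):
        """Returns (status, round_trips); status is None if the client gave up."""
        if self.conn is None:
            self._open()
        request = {"path": path}
        for round_trip in range(1, self.max_round_trips + 1):
            response = self.server.handle(request)
            if response["headers"].get("Connection") == "close":
                self.conn = None  # server closed it, per-connection state is gone
            if response["status"] != 401:
                return response["status"], round_trip
            if self.conn is None:
                self._open()
            if self.conn["authenticated"]:
                continue  # believes the connection is authenticated: retries unchanged
            request["Authorization"] = "Negotiate <constructed-token>"
            self.conn["authenticated"] = True
        return None, self.max_round_trips

def simulate(close_on_challenge, paths=("/a", "/b")):
    """Fetches each path in turn: per-request results and connections opened."""
    client = StatefulClient(StatelessServer(close_on_challenge))
    return [client.fetch(p) for p in paths], client.connections_opened
```

Without the hint the second request never completes on the still-open connection (the loop is only bounded by the client's retry cap); with it each challenge costs one extra connection but every request finishes.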