Author: markt
Date: Sat Nov 3 22:36:52 2012
New Revision: 1405436

URL: http://svn.apache.org/viewvc?rev=1405436&view=rev
Log:
Work-around that enables HTTP keep-alive to be disabled for specified user agents using SPNEGO.
Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml Propchange: tomcat/tc7.0.x/trunk/ ------------------------------------------------------------------------------ Merged /tomcat/trunk:r1405435 Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1405436&r1=1405435&r2=1405436&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java Sat Nov 3 22:36:52 2012 @@ -21,6 +21,7 @@ import java.io.IOException; import java.security.Principal; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; +import java.util.regex.Pattern; import javax.security.auth.Subject; import javax.security.auth.login.LoginContext; @@ -71,6 +72,24 @@ public class SpnegoAuthenticator extends this.storeDelegatedCredential = storeDelegatedCredential; } + private Pattern noKeepAliveUserAgents = null; + public String getNoKeepAliveUserAgents() { + Pattern p = noKeepAliveUserAgents; + if (p == null) { + return null; + } else { + return p.pattern(); + } + } + public void setNoKeepAliveUserAgents(String noKeepAliveUserAgents) { + if (noKeepAliveUserAgents == null || + noKeepAliveUserAgents.length() == 0) { + this.noKeepAliveUserAgents = null; + } else { + this.noKeepAliveUserAgents = Pattern.compile(noKeepAliveUserAgents); + } + } + @Override protected String getAuthMethod() { 
@@ -269,6 +288,16 @@ public class SpnegoAuthenticator extends if (principal != null) { register(request, response, principal, Constants.SPNEGO_METHOD, principal.getName(), null); + + Pattern p = noKeepAliveUserAgents; + if (p != null) { + MessageBytes ua = + request.getCoyoteRequest().getMimeHeaders().getValue( + "user-agent"); + if (ua != null && p.matcher(ua.toString()).matches()) { + response.setHeader("Connection", "close"); + } + } return true; } Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1405436&r1=1405435&r2=1405436&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Sat Nov 3 22:36:52 2012 @@ -100,6 +100,12 @@ Explorer that was identified when the old parser was introduced (<bug>53814</bug>). </update> + <fix> + <bug>54076</bug>: Add an alternative work-around for clients that use + SPNEGO authentication and expect the authenticated user to be cached + per connection (Tomcat only does this if an HTTP session is available). + (markt) + </fix> </changelog> </subsection> <subsection name="Coyote"> Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml?rev=1405436&r1=1405435&r2=1405436&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml Sat Nov 3 22:36:52 2012 
@@ -1161,6 +1161,18 @@ <attributes> + <attribute name="alwaysUseSession" required="false"> + <p>Should a session always be used once a user is authenticated? This + may offer some performance benefits since the session can then be used + to cache the authenticated Principal, hence removing the need to + authenticate the user on every request. This will also help with clients + that assume that the server will cache the authenticated user. However + there will also be the performance cost of creating and GC'ing the + session. For an alternative solution see + <code>noKeepAliveUserAgents</code>. If not set, the default value of + <code>false</code> will be used.</p> + </attribute> + <attribute name="cache" required="false"> <p>Should we cache authenticated Principals if the request is part of an HTTP session? If not specified, the default value of <code>true</code> 
@@ -1196,6 +1208,25 @@ <code>com.sun.security.jgss.krb5.accept</code> is used.</p> </attribute> + <attribute name="noKeepAliveUserAgents" required="false"> + <p>Some clients (not most browsers) expect the server to cache the + authenticated user information for a connection and do not resend the + credentials with every request. Tomcat will not do this unless an HTTP + session is available. A session will be availble if either the + application creates one or if <code>alwaysUseSession</code> is enabled + for this Authenticator.</p> + <p>As an alternative to creating a session, this attribute may be used + to define the user agents for which HTTP keep-alive is disabled. This + means that a connection will only used for a single request and hence + there is no ability to cache authenticated user information per + connection. There will be a performance cost in disabling HTTP + keep-alive.</p> + <p>The attribute should be a regular expression that matches the entire + user-agent string, e.g. <code>.*Chrome.*</code>. If not specified, no + regular expression will be defined and no user agents will have HTTP + keep-alive disabled.</p> + </attribute> + <attribute name="securePagesWithPragma" required="false"> <p>Controls the caching of pages that are protected by security constraints. Setting this to <code>false</code> may help work around --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
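Review bot: in the getter/setter hunk of SpnegoAuthenticator.java (@@ -71,6 +72,24 @@) the new field `private Pattern noKeepAliveUserAgents = null;` is written by `setNoKeepAliveUserAgents` and read into a local (`Pattern p = noKeepAliveUserAgents;`) from request-processing threads, but it is not declared `volatile`, so a value set after startup (e.g. through JMX) is not guaranteed to become visible to those threads; declare it `private volatile Pattern noKeepAliveUserAgents = null;`. Separately, `Pattern.compile(noKeepAliveUserAgents)` throws `PatternSyntaxException` on a malformed expression, so a bad attribute value fails the setter with a raw exception; wrapping it in a message that names the attribute would make the misconfiguration easier to diagnose.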
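Review bot: the block in the authenticate hunk of SpnegoAuthenticator.java (@@ -269,6 +288,16 @@) that sets `Connection: close` deserves a short code comment explaining why it exists (bug 54076: Tomcat caches the authenticated Principal only when a session is available, so for clients that expect per-connection caching the work-around is to close the connection after each authenticated request), and noting that `p.matcher(ua.toString()).matches()` deliberately requires the expression to match the whole User-Agent value; a reader who expects `find()` semantics will otherwise think a pattern such as `Chrome` is sufficient. The placement after `register(...)` also means the header is only added on the successful path, which is the intended behaviour and worth stating in that comment.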
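Review bot: two typos in the new `noKeepAliveUserAgents` documentation in valve.xml (@@ -1196,6 +1208,25 @@): "A session will be availble" should read "available", and "a connection will only used for a single request" is missing "be". Since the code uses `matches()`, it would also help to say explicitly that a pattern without the leading and trailing `.*` (as in the `.*Chrome.*` example) will not match any user agent.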