https://issues.apache.org/bugzilla/show_bug.cgi?id=54076
--- Comment #7 from Michael Osipov <1983-01...@gmx.net> ---
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > > There is one work-around already available. Set alwaysUseSession on the
> > > Authenticator Valve.
> >
> > This isn't even a workaround for me. You cannot guarantee that the client
> > will respond with the JSESSIONID cookie. You could end up with generating a
> > huge amount of empty sessions.
>
> While it might not be a valid work-around for you it may well work for
> others. One of the purposes of Bugzilla is to provide useful information to
> others that stumble across an issue, not just to fix the issue for the
> original reporter.
>
> > > I have added support for a second work-around to trunk and 7.0.x. This
> > > work-around enables HTTP keep-alive to be disabled for specified user-agents
> > > if they attempt to use SPNEGO. This will be included in 7.0.33 onwards.
> >
> > Well, the server admin needs to know the client's UA preemptively. Is this
> > really feasible?
>
> Yes, in some circumstances.
> 1. In many environments where SPNEGO is used (I am thinking corporate
> environments) the user agents are fixed, known and controlled.

I would object to at least this one. Given a realistic example: We have more than 50 domains in our forest with around 1000 DCs or more. Try to find someone who is responsible for a buggy server who will alter the config for you. Good luck.