https://issues.apache.org/bugzilla/show_bug.cgi?id=57324

Vamsi Krishna <vkris...@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #10 from Vamsi Krishna <vkris...@novell.com> ---
Yes, Tomcat is not sending "Connection: close" after response to 401.

My traces where the client is connected directly demonstrate that the 401 is
sent by Tomcat only after consuming the previous request body
completely. Please refer to the Tomcat HTTP traffic attachment. I do not see your
security point here in my trace. Is the security issue only present when a "Proxy" is
involved?

According to the RFC, if a server responds with 401 and the client has not sent
"credentials" at least once, then the client MAY request again with
credentials. By closing the connection, you have really denied that right of
the client. Having said that, the client can always resubmit using a fresh
connection, but this adds the overhead of an SSL handshake for those repeated
calls. In a "Keepalive" scenario this does impact performance.

So, may I request, if you do not mind, that you cross-reference the Wireshark
trace from when the original problem was raised with a Proxy in the middle, so that people
referencing this bug in future have the full context.

At the very least, making sure Tomcat sends a "Connection: close" directive
is acceptable, but I do want you to consider the performance aspect and see if
something better can be done. I am trying to get up to speed on the Tomcat code to see
if I can suggest a patch, but given my familiarity it may take time. So, it
will help if you solve both problems.

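Added example, not part of the bug report and not Tomcat's code: a small Python simulation of one persistent HTTP/1.1 connection that shows why the two options discussed above (drain the request body before answering 401, or answer 401 with "Connection: close") are the only safe ones. RFC 7230 section 6.3 requires a server to either read the entire request body or close the connection after its response, because otherwise the unread body bytes are parsed as the start of the next request. The byte stream, the `/login` path and the Basic credentials are constructed for the demonstration; the policy names `drain`, `close` and `neither` are this example's own.

```python
"""Keep-alive and 401: what happens to an unread request body under three
server policies. Only client-to-server bytes are modelled; the server side is
reduced to the status code it would send for each parsed request."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    method: str
    target: str
    headers: Dict[str, str] = field(default_factory=dict)


class Stream:
    """Stands in for one persistent TCP connection, client -> server."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0

    def read_line(self) -> Optional[bytes]:
        end = self.data.find(b"\r\n", self.pos)
        if end < 0:
            return None
        line = self.data[self.pos:end]
        self.pos = end + 2
        return line

    def read_exact(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def at_eof(self) -> bool:
        return self.pos >= len(self.data)


def parse_head(stream: Stream) -> Optional[Request]:
    """Parse request line and headers; the body is deliberately left unread,
    mirroring a server that decides on 401 before touching the body."""
    line = stream.read_line()
    if line is None:
        return None
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] not in (b"GET", b"POST", b"PUT") or parts[2] != b"HTTP/1.1":
        raise ValueError("malformed request line: %r" % line)
    req = Request(parts[0].decode(), parts[1].decode())
    while True:
        hdr = stream.read_line()
        if hdr is None or hdr == b"":
            break
        name, _, value = hdr.partition(b":")
        req.headers[name.strip().decode().lower()] = value.strip().decode()
    return req


def serve(stream: Stream, policy: str) -> List[int]:
    """Return the status code for each request parsed on this connection."""
    statuses: List[int] = []
    while not stream.at_eof():
        try:
            req = parse_head(stream)
        except ValueError:
            # Leftover body bytes were read as a request line: the connection
            # is desynchronised from the client's view of it.
            statuses.append(400)
            break
        if req is None:
            break
        length = int(req.headers.get("content-length", "0"))
        if "authorization" in req.headers:
            stream.read_exact(length)  # authenticated request, body consumed
            statuses.append(200)
            continue
        statuses.append(401)
        if policy == "drain":
            stream.read_exact(length)  # consume body; connection stays usable
        elif policy == "close":
            break                      # "Connection: close": nothing more parsed here
        # "neither": body left unread and connection kept open
    return statuses


# Constructed stream: an unauthenticated POST with a 3-byte body, immediately
# followed by the client's retry carrying Basic credentials ("user:secret").
PIPELINED = (
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\n"
    b"a=1"
    b"GET /login HTTP/1.1\r\nHost: example.test\r\n"
    b"Authorization: Basic dXNlcjpzZWNyZXQ=\r\n\r\n"
)


def run_policies() -> Dict[str, List[int]]:
    """Run the same client bytes through each policy."""
    return {p: serve(Stream(PIPELINED), p) for p in ("drain", "close", "neither")}


if __name__ == "__main__":
    for policy, statuses in run_policies().items():
        print(f"{policy:8s} -> {statuses}")
```

With `drain` the retry on the same connection is served (401 then 200), which is the keep-alive behaviour the comment's direct-connection traces show. With `close` the first 401 ends the connection and the retry has to arrive on a new one, which is the reconnect cost the comment raises. With `neither` the bytes `a=1` are prepended to the retry's request line and the connection is desynchronised; when a proxy multiplexes several clients over one upstream connection, the request that lands after those stray bytes need not belong to the client that sent them, which is why draining or closing is not optional.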