URGENT: 8 KB Limit in isapi_redirect.dll + AJP1.3 - Kerberos not working

2006-09-19 Thread Peter Huber 
 Hi y'all

Recently I was assigned to the following task:

Integrate IIS with Tomcat in a pure windows environment. The task was to use
intergrated authentication (kerberos) form IE clients. 
I've used these components: IIS 6, isapi_redirect.dll 1.2.18 and tomcat
5.5.17.

But the Problem is that it does not work from arbitrary client. I tracked
down the problem: It is a hardcoded limit of 8 KB transmission buffer both
in isapi_redirect.dll and in the AJP 1.3 protocol implementation. This makes
requests with rather long kerberos data fail.

After I figured out that my problem was the buffer length and not any
missing windows config stuff I've tried a quick'n'dirty hack:
1.) Recompiling isapi_redirect.dll with extending the buffer size to 32 KB:
Voila, the DLLs log says about 8300 Bytes transmitted. 
2.) Then I patched AJP Protokoll to come over the IndexOutOfBoundException
which was tomcats (silent) result of my first 32 KB attempts :-( 

That hack works for my environment. Though staying with a fixed buffer size
gives me some headache 'cause I think even the 32 KB could be to low for
some esoteric environemnts.

However I have a urgent request to you tomcat developers: Please increase
the buffer size in AJP 1.3 and isapi_redirect.dll with your next release!!!

I know that there might be some backwards compatibility issues, but 8KB is
definitely to low (think of a very long client certificate chain)!
Without increasing the buffer size the use of tomcat solution + IIS is way
to restricted if not completly unusable.

Im looking forward hearing about a increase buffer size patch, guys. I'm
positiv that you can make it happen ;-)

BTW: If you do the patch - Why not clean up the code a bit? I think buffer
size must not spread over several places with declarations like 8*1024 or
8192.

Sincerely,
Peter Huber

-- 

Peter Huber | Software-Entwicklung [EMAIL PROTECTED]
TESIS SYSware GmbH * Baierbrunner Straße 15 * 81379 München

Tel: +49 (89) 747377 90 
Fax: +49 (89) 747377 99 

Verringern Sie Ihre HelpDesk-Kosten für vergessene Passwörter erheblich.
Wir überzeugen Sie gerne z.B. auf der SYSTEMS 2006, Halle A4, Stand 511
oder im Web: http://www.tesis.de/de/aspr




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

AW: URGENT: 8 KB Limit in isapi_redirect.dll + AJP1.3 - Kerberos not working

2006-09-19 Thread Peter Huber 
Thanks for the quick response. Is there any release date fixed for the
components? 

Regards,
Peter

> -Ursprüngliche Nachricht-
> Von: Mladen Turk [mailto:[EMAIL PROTECTED] 
> Gesendet: Dienstag, 19. September 2006 10:31
> An: Tomcat Developers List
> Betreff: Re: URGENT: 8 KB Limit in isapi_redirect.dll + 
> AJP1.3 - Kerberos not working
> 
> Peter Huber wrote:
> >  Hi y'all
> > 
> > Recently I was assigned to the following task:
> > 
> > But the Problem is that it does not work from arbitrary 
> client. I tracked
> > down the problem: It is a hardcoded limit of 8 KB 
> transmission buffer both
> > in isapi_redirect.dll and in the AJP 1.3 protocol 
> implementation. This makes
> > requests with rather long kerberos data fail.
> >
> 
> This feature is enable in mod_jk 1.2.19 and Tomcat 5.5.20+
> use the
> worker.xxx.max_packet_size=32768
> and
> packetSize="32768" in server.xml for AJP/1.3 Connector.
> 
> Regards,
> Mladen.
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]