
List:       tomcat-user
Subject:    Re: multiple servers and digest authentication
From:       "Dehaudt, Christophe" <cdehaudt () ebay ! com>
Date:       2013-11-30 1:55:32
Message-ID: CEBE7CED.38F84%cdehaudt () ebay ! com

Hi,

Thanks for your answers:

1/ Sticky session: yes, that is the way I have currently set up my load
balancer.
But there is a drawback when the client is continuously using the service
=> because it will never be load balanced again.
The worst is when one of the servers is stopped and restarted => all the
clients will be redistributed to the servers that are still alive,
and when the server is restarted, it will not pick up any load.

To work around this problem, with sticky session on, I have patched my
client to clear the sticky cookie every X minutes. That forces the load
balancer to give me the less used servers (possibly the one that has been
restarted).

2/ Front-end load balancer solution: my configuration is with an F5 load
balancer (citrix). From what I understand, the question is: can we
configure the F5 to manage the nonce and then delegate the authentication
to the servers (Tomcat)? It will require:
	F5 to manage the nonce (it will send back the 401 when the nonce is not
valid) but not verify the user credentials, and pass that to the servers

	Servers (Tomcat) to not check the nonce but check the credentials. I have
read the description of the tomcatAuthentication flag from André's link, but
I'm not sure it does what I expect.

Any idea if this is feasible from the F5/Tomcat point of view?
Any other suggestions? ;)

Thanks,

Xtof

On 11/27/13 9:04 AM, "Christopher Schultz" <chris@christopherschultz.net>
wrote:

>André,
>
>On 11/27/13, 5:15 AM, André Warnier wrote:
>> Mark Thomas wrote:
>>> On 27/11/2013 07:34, Dehaudt, Christophe wrote:
>>>> Is there a way to share the nonce between servers so they can
>>>> act as one?
>>> 
>>> No. You'd need to customise the DigestAuthenticator to do that.
>>> 
>>>> I would like to get your advice on how to make a multiple
>>>> server deployment run with HTTP digest.
>>> 
>>> Use sticky load-balancing.
>>> 
>> 
>> Or do the authentication at the front-end load-balancer level, and
>> set Tomcat's authentication to accept what the front-end says ?
>> (E.g.
>> https://tomcat.apache.org/tomcat-8.0-doc/config/ajp.html#Standard_Implementations
>> #tomcatAuthentication)
>
>While it is popular to do so, I don't think anyone really uses httpd
>for industrial-strength load-balancing. Can an F5 do authentication
>(and forward it to Tomcat)? I suspect not in any way that would work
>well with the back-end application.
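
The failure this thread is about, as an added example that is not part of the original messages and is not Tomcat's DigestAuthenticator code: a simplified model in which each back end signs its nonces with its own key, so a nonce issued by server A is rejected by server B unless both hold the same key. The nonce format, the `Server` class, the realm and the user store are assumptions made for illustration.

```python
import hashlib, hmac, os, time

REALM = "example-realm"        # constructed sample realm
USERS = {"xtof": "s3cret"}     # constructed user store, identical on every server

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

class Server:
    """Simplified digest-auth back end; nonce = "<timestamp>:<HMAC(key, timestamp)>"."""
    def __init__(self, nonce_key=None, validity=300):
        # Without an explicit key every instance picks its own random one.
        self.key = nonce_key or os.urandom(32)
        self.validity = validity

    def _sign(self, ts):
        return hmac.new(self.key, ts.encode(), hashlib.sha256).hexdigest()

    def new_nonce(self, now=None):
        ts = str(int(time.time() if now is None else now))
        return f"{ts}:{self._sign(ts)}"

    def check(self, method, uri, user, nonce, nc, cnonce, response, now=None):
        now = time.time() if now is None else now
        ts, _, sig = nonce.partition(":")
        # Step 1: was the nonce issued by a holder of our key, and is it fresh?
        if not ts.isdigit() or not hmac.compare_digest(sig, self._sign(ts)):
            return "401 unknown nonce"
        if now - int(ts) > self.validity:
            return "401 stale nonce"
        # Step 2: RFC 2617 qop=auth response check against the stored password.
        if user not in USERS:
            return "401 bad credentials"
        expected = client_response(user, USERS[user], method, uri, nonce, nc, cnonce)
        ok = hmac.compare_digest(expected, response)
        return "200 OK" if ok else "401 bad credentials"

def client_response(user, password, method, uri, nonce, nc, cnonce):
    ha1 = md5(f"{user}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def demo(shared_key):
    a, b = Server(shared_key), Server(shared_key)
    nonce = a.new_nonce()      # challenge (401) issued by server A
    resp = client_response("xtof", "s3cret", "GET", "/svc", nonce, "00000001", "abc")
    # The load balancer sends the authenticated follow-up request to server B.
    return b.check("GET", "/svc", "xtof", nonce, "00000001", "abc", resp)
```

`demo(None)` models two servers with independent keys and `demo(key)` models a key shared across the cluster. Nonce-count (`nc`) replay tracking is not modelled here and would still be per-server state even with a shared key.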

