On 21.03.2009 00:10, Michael B Allen wrote:
Hi All,

What is the status of this issue?

   https://issues.apache.org/bugzilla/show_bug.cgi?id=41263

I am interested in this because NTLMSSP authentication is basically
not possible unless the remote port is accessible and I want people to
be able to use my product through Apache if possible.

The reason it is not possible is because the NTLMSSP protocol is a
three message "handshake" so it requires storing state with the
connection at least temporarily. If you store the state in the session
using the same key, that state may be incorrectly read or overwritten
if multiple requests from different connections with the same session
ID are processed concurrently. The only solution that I am aware of is
to store the state in the session but use a key that includes the
remote port. Without the remote port it is basically impossible to
correctly implement NTLMSSP authentication through mod_jk.

Can anyone indicate as to how this issue might be resolved either by
implementing getRemotePort via mod_jk or by using another method of
discerning connections from one another?

I write C just as well as I do Java so I'm willing to create a patch
if someone can provide a pointer and any implementation hints they
might have or snags they might know of.

I added a comment with a non-spec-compliant workaround to BZ41263.

We'll see whether we can make the AJP Tomcat connectors "hack aware", i.e. allow them to get the remotePort from the REMOTE_PORT env var when set.

Regards,

Rainer
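
The key collision described in the first message, as an added example that is not part of the original thread or of any Tomcat or mod_jk code. A plain Map stands in for the HTTP session, and the attribute name, ports, challenge strings and the fixed port value are constructed assumptions.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: a plain Map stands in for the HTTP session's attributes.
public class NtlmStateKeyDemo {
    static final String PREFIX = "ntlmssp.state"; // hypothetical attribute name

    // One key for every connection that presents the same session ID.
    static String sessionOnlyKey() {
        return PREFIX;
    }

    // Key that also carries the client source port of the connection,
    // the value ServletRequest.getRemotePort() is meant to return.
    static String perConnectionKey(int remotePort) {
        return PREFIX + "." + remotePort;
    }

    // Two connections in one session each receive a challenge (message 2),
    // then connection A returns with message 3. Returns the challenge the
    // server would check A's response against.
    static String challengeSeenByA(String keyA, String keyB) {
        Map<String, String> session = new HashMap<>();
        session.put(keyA, "challenge-A"); // constructed values
        session.put(keyB, "challenge-B");
        return session.remove(keyA);      // drop the state once it is consumed
    }

    public static void main(String[] args) {
        int portA = 50001, portB = 50002; // constructed source ports
        int fixed = 0; // assumption: connector reports one value for every connection

        System.out.println("session-only key:  A is checked against "
                + challengeSeenByA(sessionOnlyKey(), sessionOnlyKey()));
        System.out.println("key + real port:   A is checked against "
                + challengeSeenByA(perConnectionKey(portA), perConnectionKey(portB)));
        System.out.println("key + fixed port:  A is checked against "
                + challengeSeenByA(perConnectionKey(fixed), perConnectionKey(fixed)));
    }
}
```

Only the case keyed on the real port checks connection A against its own challenge; in the other two, connection B's challenge has replaced it.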
