Hi,

Now that digest authentication is fixed (Tomcat 6.0.36), how do we ensure that 
clients' authentication requests are routed to the correct Tomcats in load-balanced 
deployments?  Otherwise, clients can get stuck in re-authentication loops 
(until they happen to be routed to the same Tomcat that issued the original 
HTTP 401 Unauthorized response).

The digest authentication challenge may not have a session ID that could be 
used for routing.  One option is to ensure that jvmRoute is included in the 
WWW-Authenticate header (as part of realm name or opaque value), and deploy a 
custom routing rule based on the Authorization header... but that sounds like a 
hack...

Does anyone have any better solutions?
Thanks.

- Andrew
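
The routing rule described in the message above, sketched as an added example that is not part of the original post and is not Tomcat or load balancer code. It assumes the opaque value is issued as `<random>.<jvmRoute>` (mirroring the session ID suffix convention); the route names, backend addresses and sample header are constructed.

```python
import re

# Hypothetical route table: jvmRoute name -> backend address (constructed values).
BACKENDS = {"tc1": "10.0.0.11:8080", "tc2": "10.0.0.12:8080"}

# Constructed Authorization header, as a client would echo it after the 401.
SAMPLE = ('Digest username="andrew", realm="example", '
          'nonce="1355156250000:9b1c", uri="/app/?a=1,b=2", '
          'response="6629fae49393a05397450978507c4ef1", '
          'opaque="5ccc069c403ebaf9f0171e9517f40e41.tc2", '
          'qop=auth, nc=00000001, cnonce="0a4f113b"')

# One auth-param: name=value, where value is a quoted-string or a bare token.
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_digest(header):
    """Return the Digest auth-params as a dict, or None for any other scheme."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    params = {}
    for name, quoted, token in _PARAM.findall(rest):
        # Undo backslash escapes inside quoted-strings; tokens are used as-is.
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else token
        params[name.lower()] = value
    return params


def route_for(header, backends=BACKENDS):
    """Return the backend named by the opaque suffix; None means balance normally."""
    params = parse_digest(header or "")
    if not params or "opaque" not in params:
        return None
    _, sep, route = params["opaque"].rpartition(".")
    # The client echoes opaque back, so it is untrusted input: accept only
    # routes on the allow-list and never build a backend address from it.
    if not sep or route not in backends:
        return None
    return backends[route]


if __name__ == "__main__":
    print(route_for(SAMPLE))
```

Returning None for a missing, malformed or unknown route lets the balancer fall back to its normal policy, so a tampered header costs the client at most one more 401 round trip.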

 




                                          
