Hi,

Now that digest authentication is fixed (Tomcat 6.0.36), how do we ensure that clients' authentication requests are routed to the correct Tomcats in load-balanced deployments? Otherwise, clients can get stuck in re-authentication loops (until they happen to be routed to the same Tomcat that issued the original HTTP 401 Unauthorized response).

The digest authentication challenge may not have a session ID that could be used for routing. One option is to ensure that jvmRoute is included in the WWW-Authenticate header (as part of the realm name or opaque value), and deploy a custom routing rule based on the Authorization header... but that sounds like a hack...

Does anyone have any better solutions?

Thanks.

- Andrew
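
The routing option described in the message, sketched as an added example that is not part of the original post and is not Tomcat or load balancer code. It assumes the challenge's opaque value has been customised to end in `.<jvmRoute>` (the same convention Tomcat uses for session IDs); the route names `tc1`/`tc2`, the function names and the sample header are constructed for illustration.

```python
import re

# Assumed allowlist of jvmRoute values known to the balancer (constructed).
KNOWN_ROUTES = {"tc1", "tc2"}

# key=value pairs of a Digest header; values are quoted strings or bare tokens.
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

# Constructed Authorization header; the opaque value carries the route suffix.
SAMPLE = ('Digest username="andrew", realm="Example", '
          'nonce="1355739400000:0123456789abcdef", uri="/app/", '
          'response="00000000000000000000000000000000", '
          'opaque="5ccc069c403ebaf9.tc2", qop=auth, nc=00000001, '
          'cnonce="0a4f113b"')


def parse_digest(header):
    """Return the Digest parameters as a dict, or None for other schemes."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    params = {}
    for key, quoted, bare in _PARAM.findall(rest):
        # Bare tokens are used as-is; quoted strings have escapes removed.
        params[key.lower()] = bare if bare else re.sub(r"\\(.)", r"\1", quoted)
    return params


def route_for(header, known_routes=KNOWN_ROUTES):
    """Return the backend route for a request, or None for default balancing."""
    params = parse_digest(header or "")
    if not params:
        return None
    _, dot, route = params.get("opaque", "").rpartition(".")
    # The Authorization header is client-controlled, so the suffix is only a
    # routing hint: accept it when it names a configured backend, else ignore.
    if dot and route in known_routes:
        return route
    return None


if __name__ == "__main__":
    print(route_for(SAMPLE))
```

A request whose opaque value names no configured backend falls back to normal balancing, so a forged suffix cannot steer traffic anywhere the balancer would not already send it.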