I am running into an intermittent problem with Digest-Authentication. This is with tomcat 7.0.39.

The issue appears to be that clients will occasionally get locked out for 5 minutes. The problem appears to happen when there is a combination of good password and then bad password, or the other way round. We have also seen the problem happen when our load balancer is not sticky.

My understanding is that digest-auth really should not work if the load-balancer is not sticky, since there needs to be information sent from the server to the client in order to make the authentication. We have since made our load balancer sticky, hoping that this would resolve the issue.

Actually, I should make a clarification here. It’s not “clients” that are 
getting locked out. It is “users”. 

Once a user gets into a bad state the account gets locked out until a 5 minute period goes by.

Looking at the tomcat source code, I see DigestAuthenticator.java line 147: 
protected long nonceValidity = 5 * 60 * 1000;

Sorry if this sounds confused - I’m confused. I can say this. We’re seeing users get locked out for 5 minutes at a time. Having the load balancer not be sticky would definitely cause the problem, but after making them sticky, we still see the problem with at least one client program. The client programs are mostly non-web-browser based.

Thanks
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
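As an added illustration of the two mechanisms the post touches on (the 5-minute nonce validity window and why a non-sticky load balancer breaks Digest authentication), here is a simplified model written for this page. It is not Tomcat's code and does not reproduce DigestAuthenticator's exact nonce format; it only assumes, as the post does, that a server issues a time-stamped nonce, that the nonce can only be recognised by the node that issued it (modelled here with a per-node secret key), and that a nonce older than the validity window is treated as stale. The class and function names, and the 10.0.0.1 client address, are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Mirrors the 5-minute default the post quotes from DigestAuthenticator.java;
# the rest of this model is an assumption about the general scheme, not Tomcat's code.
NONCE_VALIDITY_MS = 5 * 60 * 1000


class DigestNonceIssuer:
    """Models one server node behind a load balancer.

    The secret key is per node (assumption): a nonce minted on node A carries a
    MAC that node B cannot verify, so without sticky sessions B must reject it.
    """

    def __init__(self, key=None):
        self.key = key if key is not None else os.urandom(32)

    def _mac(self, client_ip, ts_ms):
        # Bind the nonce to the client address and the issue time.
        msg = f"{client_ip}:{ts_ms}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def generate(self, client_ip, now_ms=None):
        """Issue a nonce of the form '<timestamp-ms>:<mac>' for a 401 challenge."""
        ts = int(time.time() * 1000) if now_ms is None else now_ms
        return f"{ts}:{self._mac(client_ip, ts)}"

    def validate(self, nonce, client_ip, now_ms=None):
        """Return (accepted, reason) for a nonce presented in an Authorization header.

        'stale' is the case a server should report back with stale=true, so that a
        well-behaved client simply re-authenticates with a fresh nonce rather than
        treating the failure as a wrong password. 'unknown-nonce' is what a node
        sees when the nonce was minted by a different node (or is forged).
        """
        now = int(time.time() * 1000) if now_ms is None else now_ms
        try:
            ts_str, mac = nonce.split(":", 1)
            ts = int(ts_str)
        except ValueError:
            return False, "malformed"
        if not hmac.compare_digest(mac, self._mac(client_ip, ts)):
            return False, "unknown-nonce"
        if now - ts > NONCE_VALIDITY_MS:
            return False, "stale"
        return True, "ok"


def run_scenarios():
    """Walk through the cases the post describes, with constructed fixed timestamps."""
    node_a = DigestNonceIssuer(key=b"node-a-secret")  # constructed keys
    node_b = DigestNonceIssuer(key=b"node-b-secret")
    client_ip = "10.0.0.1"  # constructed client address
    issued_at = 1_000_000

    nonce = node_a.generate(client_ip, now_ms=issued_at)
    return {
        # Same node, one minute later: inside the window, accepted.
        "same_node_fresh": node_a.validate(nonce, client_ip, now_ms=issued_at + 60_000),
        # Same node, just past 5 minutes: the nonce has expired and must be reissued.
        "same_node_expired": node_a.validate(
            nonce, client_ip, now_ms=issued_at + NONCE_VALIDITY_MS + 1
        ),
        # Non-sticky balancer routes the follow-up request to node B: B never issued it.
        "other_node": node_b.validate(nonce, client_ip, now_ms=issued_at + 60_000),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The useful takeaway for diagnosing the post's symptom is the distinction the `validate` method makes: an expired or unrecognised nonce is an authentication-protocol failure that the server should signal with `stale=true`, and a client that instead retries with the old nonce (or a client that never handles `stale`) will keep failing until the window rolls over, which looks exactly like a timed lockout. Checking which of the two reasons the server is returning, per node, is the first thing to confirm.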
