Indeed, it seems a little bit strange and certainly you are right. I think the 
main reason is that it would be more complicated to maintain the system with 
regular security updates. It has to be a manual process.

Somehow or other we need a working solution. It is also an option to fix the 
DigestAuthenticator class in tomcat6 to split the digest authentication header 
like it is done in tomcat7, because this is the real cause of the problem - the 
regular expression submitted to the split method cannot properly handle 
unquoted parameters at the end of the auth header line.

Thank you for your constructive input.

-sascha
________________________________________
From: Christopher Schultz [ch...@christopherschultz.net]
Sent: Tuesday, 17 March 2015 17:10
To: Tomcat Users List
Subject: Re: Migration from Tomcat6-Cluster to Tomcat7-Cluster: Digest 
Authentication problem

Rainer,

On 3/17/15 11:12 AM, Rainer Jung wrote:
> On 17.03.2015 at 15:40, Sascha Skorupa wrote:
>> Hi Rainer,
>>
>> currently not (Apache 2.2) but it might be an option to upgrade
>> the OS and the Apache if it leads to a solution.
>
> OK. But think twice, whether it is better to just compile mod_jk
> from sources or do the big update.

+1

I find it hard to believe that you (or your NOC) would be willing to
upgrade the OS and the web server to use an alternative solution, but
not willing to upgrade to a newer version of a single, specialized
module for the web server.

Note that you don't have to have a compiler on the target system; you
just need to be able to cross-compile to that test system (or do what
I do and have a spare server with identical architecture, etc.
available for module builds).

> Updating to 2.4 will bring many interesting achievements, but just
> for fixing this issue quickly it would be better to update mod_jk,
> even if this means switching to a non-OS-provided variant.

+1

Building is trivial.

> If you seriously plan the 2.4 update and you have a test system, I
> could provide you with the non-trivial workaround letting Apache
> set the cookie. You would need to thoroughly test this though.

-chris


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
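
The parsing problem named in the first message of this thread (a split regex that cannot handle unquoted parameters at the end of the Digest header), shown as an added example that is not code from Tomcat or from anyone in the thread. The `BRITTLE` pattern, the class and method names and the header values are assumptions constructed for illustration: the lookahead only accepts a comma when the rest of the line ends on a closing quote, so a header whose last parameter is unquoted is never split, while a parser that reads each parameter as a quoted string or a token does not depend on parameter order.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DigestHeaderSplit {
    // Assumed pattern for illustration: split on a comma only when the rest of
    // the line is made of balanced quote pairs and ends on a closing quote.
    static final String BRITTLE = ",(?=(?:[^\"]*\"[^\"]*\")+$)";

    // One auth-param: name = quoted-string | token, then a comma or end of line.
    static final Pattern PARAM = Pattern.compile(
        "\\s*([A-Za-z0-9_-]+)\\s*=\\s*(?:\"((?:[^\"\\\\]|\\\\.)*)\"|([^\\s,\"]+))\\s*(?:,|$)");

    // Splits with the lookahead regex, then cuts each piece at its first '='.
    static Map<String, String> splitWithRegex(String params) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String part : params.split(BRITTLE)) {
            int eq = part.indexOf('=');
            if (eq > 0) out.put(part.substring(0, eq).trim(), part.substring(eq + 1).trim());
        }
        return out;
    }

    // Consumes one parameter at a time from the current offset.
    static Map<String, String> tokenize(String params) {
        Map<String, String> out = new LinkedHashMap<>();
        Matcher m = PARAM.matcher(params);
        int pos = 0;
        while (pos < params.length()) {
            if (!m.find(pos) || m.start() != pos)   // reject anything unparseable
                throw new IllegalArgumentException("malformed parameter at offset " + pos);
            String quoted = m.group(2);
            // Quoted values lose their quotes and backslash escapes; tokens are kept as-is.
            out.put(m.group(1), quoted != null ? quoted.replaceAll("\\\\(.)", "$1") : m.group(3));
            pos = m.end();
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values; only the parameter order differs.
        String quotedLast = "username=\"sascha\", qop=auth, nc=00000001, nonce=\"abc123\"";
        String unquotedLast = "username=\"sascha\", nonce=\"abc123\", qop=auth, nc=00000001";
        System.out.println(splitWithRegex(quotedLast).keySet());
        System.out.println(splitWithRegex(unquotedLast).keySet());
        System.out.println(tokenize(quotedLast));
        System.out.println(tokenize(unquotedLast));
    }
}
```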