Well... it occurred to me that from time to time we happen to have stack traces 
show up in our log files due to some error or another, and, I could just *look* 
at the log files. Sure enough, here's an example of one line of interest (there 
are many similar ones):

    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)

Is that enough of a clue?

--Hardy
________________________________________
From: Pottinger, Hardy J.
Sent: Wednesday, September 09, 2015 9:35 AM
To: Tomcat Users List
Subject: RE: seeking help with stabilizing the persistence of a JSESSIONID

Hi, thanks for following up! No, no luck at all. The web application I'm 
working with is based on Apache Cocoon 2.2, so, no JSPs in sight. I am actually 
weighing my options, I have a choice to either pursue making the current design 
work (i.e. try to get the session to stick around long enough so I can use it), 
or else change the design and go with a more conventional "pass the return URL 
around as a parameter in the request" approach. I'm leaning towards the latter, 
as it sidesteps this whole issue we're having with session fixation protection, 
*and* it deals with a slightly esoteric use case, where a user encounters a 
password challenge when attempting to view a restricted item, backtracks, then 
later chooses to log in for some other reason, and is returned to the original 
restricted item page (because the redirect URL is still in the session).

If I do continue to pursue the session route, I'll let you know if I'm able to 
determine what authentication class ends up in the stack trace.

--Hardy
________________________________________
From: Christopher Schultz [ch...@christopherschultz.net]
Sent: Wednesday, September 09, 2015 8:24 AM
To: Tomcat Users List
Subject: Re: seeking help with stabilizing the persistence of a JSESSIONID


Hardy,

On 9/4/15 4:32 PM, Pottinger, Hardy J. wrote:
>> Are you using AJP or HTTP as your proxy protocol? If AJP, are
>> you using tomcatAuthentication="false" on your <Connector>? I'm
>> not exactly sure what happens when you do that... you might get
>> a NonLoginAuthenticator.
>
> in our Vhost file, we have this:
>
> <Location "/xmlui">
>     ProxyPass         ajp://127.0.0.1:8009/xmlui retry=1 keepalive=on
>     ProxyPassReverse  ajp://127.0.0.1:8009/xmlui
>     ShibUseHeaders On
>     SetEnv proxy-sendchunked 1
> </Location>
>
> in our server.xml file, we have this:
>
> <!-- Define an AJP 1.3 Connector on port 8009, just on localhost -->
> <Connector port="8009" enableLookups="false" redirectPort="8080"
>            protocol="AJP/1.3" address="127.0.0.1"
>            tomcatAuthentication="false" maxSwallowSize="-1"
>            connectionTimeout="1232000" disableUploadTimeout="false"
>            connectionUploadTimeout="1232000" URIEncoding="UTF-8"/>
>
> So, we're using tomcatAuthentication="false"
>
> I will try your suggestion of using NonLoginAuthenticator and see
> what I get. If it doesn't work, I'll try your suggestion of setting
> a breakpoint and using a debugger to look at the stack.

Any luck?

You don't have to use a debugger to get a stack trace: just create a
JSP and have it 'throw Exception("getting a stack trace")'.

- -chris
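Chris's suggestion (throw an exception to get a stack trace) and Hardy's log-file find (an `AuthenticatorBase.invoke` frame) can be turned into a reusable check. The following servlet filter is an added example written for this thread, not code from either poster or from Tomcat: it walks the current thread's stack on each request and logs every frame from the `org.apache.catalina.authenticator` package, so the authenticator valve in front of the webapp shows up in the container log without a debugger. It assumes a Servlet 3.0+ container (for `ServletRequest.getServletContext()`) and the hypothetical class name `AuthenticatorFrameFilter`.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

/**
 * Hypothetical diagnostic filter (not from the thread): on every request it
 * captures the current thread's stack and logs the Tomcat authenticator
 * frames sitting above the web application. Register it in web.xml for the
 * URL pattern you are investigating and remove it once you have the answer.
 */
public class AuthenticatorFrameFilter implements Filter {

    static final String AUTH_PACKAGE = "org.apache.catalina.authenticator.";

    /** Returns the frames from Tomcat's authenticator package, innermost first. */
    static List<String> authenticatorFrames(StackTraceElement[] stack) {
        List<String> hits = new ArrayList<>();
        for (StackTraceElement frame : stack) {
            if (frame.getClassName().startsWith(AUTH_PACKAGE)) {
                hits.add(frame.getClassName() + "." + frame.getMethodName()
                        + "(" + frame.getFileName() + ":" + frame.getLineNumber() + ")");
            }
        }
        return hits;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The filter runs inside the container pipeline, so the authenticator
        // valve's invoke() is already on this thread's stack when we look.
        List<String> frames = authenticatorFrames(Thread.currentThread().getStackTrace());
        if (frames.isEmpty()) {
            req.getServletContext().log("no authenticator valve on the stack");
        } else {
            req.getServletContext().log("authenticator frames: " + frames);
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

A stack frame names the class that declares the method, so a request that is already authenticated usually shows only `AuthenticatorBase.invoke`, exactly as in Hardy's log; the concrete subclass appears only while its own methods (the ones that actually perform authentication) are executing.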

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
