
Bug 1126490

Summary: [GSS] (6.3.1) Digest Authentication within a cluster environment (mod_cluster)
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Patrick <pbajenez>
Component: Web
Assignee: Aaron Ogburn <aogburn>
Status: CLOSED CURRENTRELEASE
QA Contact: Michal Karm Babacek <mbabacek>
Severity: urgent
Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified
Version: 6.3.0
CC: aogburn, bbaranow, jawilson, mbabacek, rhatlapa, socallag
Target Milestone: CR1
Keywords: Triaged
Target Release: EAP 6.3.1
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Clone Of:
: 1132357 (view as bug list) Environment:
Last Closed: 2014-10-13 18:37:14 UTC
Type: Bug
Bug Depends On: 1132357
Bug Blocks: 1102082, 1130564, 1131814

Description Patrick 2014-08-04 14:42:21 UTC
Description of problem:


Digest authentication works fine with a single node within a JBoss cluster with httpd as loadbalancer.

But when a second node is added to the cluster, the Digest authentication is no longer working, as expected.

Observations:

- The sticky-session isn't maintained during the authentication mechanism:

-> On the client response, the request gets bounced on different nodes, resulting in failed authentication and looping in such a way that the authentication succeeds after several times or sometimes just ends with a 401 error.


Version-Release number of selected component (if applicable):

-EAP-6.1.1
-Apache is 2.2.15
-mod_cluster is 1.2.6.final


How reproducible:

2 jboss instances clustered behind a httpd loadbalancer

1 DC (hosting servers), 1 HC, and Apache mod_cluster, testApp (Digest Authentication)



Steps to Reproduce:

0. Configure a loadbalancer on Apache (mod_cluster)
1. Set a Digest Authentication security-domain, deploy the testApp
2. Try to access testApp from the browser to the loadbalancer <-- works fine
3. Bring the second node into the cluster (HC joining the DC)
4. Kill the browser
5. Try to access the same App

Actual results:
-Authentication fails several times before it succeeds.
-Sometimes it ends up with a 401 error after several tries

Expected results:

The sticky-session should be maintained during the Digest-Auth process, so that mod_cluster can route the couple of requests to the same node.


Additional info:

I'm not sure if this should be corrected in mod_cluster code or Digest-Auth code.


Thanks.
Patrick

Comment 3 Aaron Ogburn 2014-08-15 14:06:25 UTC
Reproduced and fixed it in branch 7.4.x with r2485. Changed the DigestAuthenticator valve to ensure a session is in place by the time the 401 response is sent. Thus the loadbalancer will receive a session from the client that it can use to maintain stickiness and the issue is avoided.

Future releases will need to upgrade to JBossWeb 7.4.9.Final+.
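
The failure and the fix described in Comment 3, as an added simulation that is not part of the bug report or the JBossWeb code. It assumes each node accepts only Digest nonces it issued itself and that the balancer routes on the route suffix of the session cookie; `Node`, `Balancer`, `login` and the credentials are hypothetical names and constructed values.

```python
import hashlib
import itertools
import secrets

USER, REALM, PASSWORD = "alice", "testApp", "s3cret"  # constructed sample credentials

def md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest(nonce, method="GET", uri="/testApp/"):
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2)
    ha1 = md5(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

class Node:
    """Backend that accepts only nonces it issued itself (assumed per-node state)."""
    def __init__(self, route, session_on_401):
        self.route, self.session_on_401, self.nonces = route, session_on_401, set()

    def handle(self, req):
        auth = req.get("authorization")
        if auth and auth["nonce"] in self.nonces and auth["response"] == digest(auth["nonce"]):
            return {"status": 200}
        nonce = secrets.token_hex(8)
        self.nonces.add(nonce)
        resp = {"status": 401, "nonce": nonce}
        if self.session_on_401:  # the fix: a session cookie already exists at the 401
            resp["set_cookie"] = f"{secrets.token_hex(4)}.{self.route}"
        return resp

class Balancer:
    """Sticks to the route suffix of the session cookie, otherwise round-robins."""
    def __init__(self, nodes):
        self.by_route = {n.route: n for n in nodes}
        self.rr = itertools.cycle(nodes)

    def forward(self, req):
        route = req.get("cookie", "").rpartition(".")[2]
        return (self.by_route.get(route) or next(self.rr)).handle(req)

def login(balancer, max_tries=6):
    """Return how many 401s the client saw before a 200, or None if it gave up."""
    req = {}
    for challenges in range(max_tries):
        resp = balancer.forward(req)
        if resp["status"] == 200:
            return challenges
        req = {"authorization": {"nonce": resp["nonce"], "response": digest(resp["nonce"])}}
        if "set_cookie" in resp:
            req["cookie"] = resp["set_cookie"]
    return None
```

With strict round-robin the two-node case without a session never authenticates; a load-based balancer would instead succeed only when a retry happens to land on the node that issued the nonce, which matches the intermittent behaviour in the report.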

Comment 4 Aaron Ogburn 2014-08-20 12:59:09 UTC
r2492 for branch 7.5.x.

Comment 6 baranowb 2014-08-20 13:53:25 UTC
r2485 for 7.4.9

Comment 8 Michal Karm Babacek 2014-09-02 12:16:39 UTC
Verified 6.3.1.CP1.CR1