Bug 1126490 - [GSS] (6.3.1) Digest Authenticaion within a cluster environment (mod_cluster)
Summary: [GSS] (6.3.1) Digest Authenticaion within a cluster environment (mod_cluster)
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.3.0
Hardware: x86_64
OS: Linux
Target Milestone: CR1
: EAP 6.3.1
Assignee: Aaron Ogburn
QA Contact: Michal Karm Babacek
Russell Dickenson
Depends On: 1132357
Blocks: eap631-blockers, eap631-payload, eap63-cp01-blockers 1130564 1131814
TreeView+ depends on / blocked
Reported: 2014-08-04 14:42 UTC by Patrick
Modified: 2018-12-09 18:16 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1132357 (view as bug list)
Last Closed: 2014-10-13 18:37:14 UTC
Type: Bug

Attachments (Terms of Use)

Description Patrick 2014-08-04 14:42:21 UTC
Description of problem:

Digest authentication works fine with a single node within a JBoss cluster with httpd as loadbalancer.

But when a second node is added to the cluster, the Digest authentication is no longer working, as expected.


- The stick-session isn't maintained during the authentication mechanism:

-> On the client response, the request gets bounced on different nodes, 
resulting as failed authentication and looping in such way that the authentication succeed after several time or sometimes just ends with a 401 error.

Version-Release number of selected component (if applicable):

-Apache is 2.2.15
-mod_cluster is 1.2.6.final

How reproducible:

2 jboss instances clustered behind a httpd loadbalancer

1DC(hosting servers),1HC, and Apache mod_cluster, testApp( Digest Authentication)

Steps to Reproduce:

0.Configure a loadbalancer on Apache (mod_cluster)
1.Set a Digest Authentication security-domain, deploy the testApp
2.Try to access testApp from the browser to the loabalancer <-- works fine
2.Bring the second node into the cluster, (HC joining the DC)
3.Kill the brwoser
5.Try to access the same App

Actual results:
-Authentication fails several times before it succeed.
-Sometimes, ends up with 401 error after several tries

Expected results:

The sticky-session should be maintained during the Digest-Ath process, so that mod_cluster can route the couple of requests to the same node.

Additional info:

I'm not sure if this should be corrected in mod_cluster code or Digest-Auth code.


Comment 3 Aaron Ogburn 2014-08-15 14:06:25 UTC
Reproduced and fixed it in branch 7.4.x with r2485.  Changed the DigestAuthenticator valve to ensure has a session in place by the time the 401 response is sent.  Thus the loadbalancer will receive a session from the client that it can use to maintain stickiness and the issue is avoided.

Future releases will need to upgrade to JBossWeb 7.4.9.Final+.

Comment 4 Aaron Ogburn 2014-08-20 12:59:09 UTC
r2492 for branch 7.5.x.

Comment 6 baranowb 2014-08-20 13:53:25 UTC
r2485 for 7.4.9

Comment 8 Michal Karm Babacek 2014-09-02 12:16:39 UTC
Verified 6.3.1.CP1.CR1

Note You need to log in before you can comment on or make changes to this bug.