HTTP Digest authentication does not work with a load balancer (such as mod_jk) in front of two JBoss EAP nodes

Solution Verified

Environment

  • JBoss Enterprise Application Platform (EAP) 6.x
  • Apache HTTPD
  • mod_jk
  • mod_cluster

Issue

  • Our application uses digest authentication as described in this article. It works fine when using a single node behind the load balancer. However, when we set up a second node and enable sticky sessions, we find that we always get a 401 response from EAP.

Resolution

  • Upgrade to EAP 6.3.1 or later. The Digest authenticator was changed so that it creates a session, and therefore sends a JSESSIONID cookie, together with the 401 challenge; this gives the load balancer something to be sticky on for the rest of the authentication exchange.
  • Alternatively, apply this EAP 6.1.1 one-off patch.
  • Another option is a hardware load balancer that can do sticky sessions based on the client's IP address. mod_jk, mod_cluster and mod_proxy_balancer all rely on the backend (EAP) node sending a JSESSIONID cookie in its response, which it does not do on the Digest 401 challenge, so cookie-based stickiness has nothing to key on. Note that client-IP stickiness distributes load poorly when many clients share one address (NAT, forward proxies) and still breaks if a client's source address changes between the challenge and the authenticated request.

Root Cause

  • The Digest authentication valve does not ensure that a session exists when it issues the 401 challenge, so the client is not guaranteed to have a session cookie to present with its follow-up request. Without one, cookie-based load balancers cannot preserve stickiness, and the request carrying the Authorization header may land on the other node. That node did not issue the nonce in the header and does not share a nonce cache with the node that did, so it rejects the response and sends a fresh 401 challenge; the client answers that one, may be routed away again, and the loop produces the persistent 401.
  • BZ-1126490
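The failure and the fix side by side, as an added simulation that is not Red Hat's or EAP's code: two nodes with per-node, in-memory nonce caches sit behind a cookie-sticky balancer that routes on a mod_jk/jvmRoute-style suffix on JSESSIONID and otherwise round-robins. The Digest computation is a simplified RFC 2617 exchange (no qop, cnonce or nonce-count); the node names "A" and "B", the route-suffix convention, the client and the credentials are all constructed for illustration. Switching session_on_challenge between False (pre-6.3.1 valve) and True (6.3.1+ valve) is the only difference between the failing and the working run.

```python
import hashlib
import itertools
import re
import secrets

REALM = "demo"
USERS = {"alice": "s3cret"}  # constructed credential for this example only


def md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce):
    """RFC 2617 response without qop/cnonce/nc; enough to show the routing problem."""
    ha1 = md5(f"{username}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


class Node:
    """One EAP node. The nonce cache is in-memory and per node, as in the real valve."""

    def __init__(self, name, session_on_challenge):
        self.name = name
        # True models EAP 6.3.1+: a session (JSESSIONID) is created with the 401.
        self.session_on_challenge = session_on_challenge
        self.nonces = set()
        self.sessions = {}

    def handle(self, request):
        auth = request["headers"].get("Authorization", "")
        fields = dict(re.findall(r'(\w+)="([^"]*)"', auth))
        nonce = fields.get("nonce")
        password = USERS.get(fields.get("username"))
        if nonce in self.nonces and password is not None:
            expected = digest_response(fields["username"], password,
                                       request["method"], request["uri"], nonce)
            if secrets.compare_digest(expected, fields.get("response", "")):
                return {"status": 200, "headers": {}, "node": self.name}
        # Unknown nonce (issued by the other node) or bad credentials: challenge again.
        nonce = secrets.token_hex(8)
        self.nonces.add(nonce)
        headers = {"WWW-Authenticate": f'Digest realm="{REALM}", nonce="{nonce}"'}
        if self.session_on_challenge:
            sid = secrets.token_hex(8)
            self.sessions[sid] = {}
            # jvmRoute-style suffix so the balancer can map the cookie back to this node.
            headers["Set-Cookie"] = f"JSESSIONID={sid}.{self.name}; Path=/"
        return {"status": 401, "headers": headers, "node": self.name}


class Balancer:
    """Cookie-sticky balancer (mod_jk style): route on the JSESSIONID suffix, else round-robin."""

    def __init__(self, nodes):
        self.by_name = {n.name: n for n in nodes}
        self.round_robin = itertools.cycle(nodes)

    def forward(self, request):
        m = re.search(r"JSESSIONID=[^;]*\.(\w+)", request["headers"].get("Cookie", ""))
        node = self.by_name.get(m.group(1)) if m else None
        return (node or next(self.round_robin)).handle(request)


def digest_login(balancer, username, password, uri="/app/"):
    """Client side: unauthenticated GET, then retry with credentials plus any cookie received."""
    first = balancer.forward({"method": "GET", "uri": uri, "headers": {}})
    headers = {}
    if "Set-Cookie" in first["headers"]:
        headers["Cookie"] = first["headers"]["Set-Cookie"].split(";")[0]
    nonce = re.search(r'nonce="([^"]+)"', first["headers"]["WWW-Authenticate"]).group(1)
    response = digest_response(username, password, "GET", uri, nonce)
    headers["Authorization"] = (f'Digest username="{username}", realm="{REALM}", '
                                f'nonce="{nonce}", uri="{uri}", response="{response}"')
    second = balancer.forward({"method": "GET", "uri": uri, "headers": headers})
    return first["node"], second["node"], second["status"]


def run(session_on_challenge):
    """Two nodes behind one balancer; returns (challenge node, retry node, final status)."""
    balancer = Balancer([Node("A", session_on_challenge), Node("B", session_on_challenge)])
    return digest_login(balancer, "alice", "s3cret")


if __name__ == "__main__":
    print("pre-6.3.1 behaviour:", run(False))   # retry lands on B -> 401
    print("6.3.1+ behaviour:   ", run(True))    # cookie pins retry to A -> 200
```

Against a live deployment the equivalent check is to send a request for the protected URL through the balancer with curl -v --digest -u user:pass and inspect the first 401: on a fixed EAP it carries a Set-Cookie: JSESSIONID header (with the jvmRoute suffix, if configured), and the retried request is answered by the same node; if the 401 has no cookie, the balancer is round-robining the authenticated retry and the symptom above follows.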

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
