Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2016/06/27 08:31:52 UTC

[jira] [Commented] (QPID-7046) Preemptive HTTP authentication should automatically expire the HTTP session

    [ https://issues.apache.org/jira/browse/QPID-7046?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15350631#comment-15350631 ] 

Keith Wall commented on QPID-7046:
----------------------------------

I don't think we should make this change simply by changing all preemptive paths to invalidate the session after the request. This approach would catch use cases where preemptive authentication is used and a session is desired, for example, a user using a browser for an interactive WMC session using an SSL client certificate for authentication (uses {{SSLClientCertPreemptiveAuthenticator}}).

I think the way to make this change is to consider the request URI and differentiate between /api and other paths. If no session exists and the requested path matches {{//api}}, then no long-lived session should be established. If the path does not match {{/api}} or a request for a non-{{/api}} path has been received, we should maintain the current behaviour.

> Preemptive HTTP authentication should automatically expire the HTTP session
> ---------------------------------------------------------------------------
>
>                 Key: QPID-7046
>                 URL: https://issues.apache.org/jira/browse/QPID-7046
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
>             Fix For: qpid-java-6.1
>
>
> Change HTTP preemptive authentication so that it does not leave behind an HTTP session. Preemptive authentication is usually single shot so the session is superfluous and will consume unnecessary system resources.



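The rule proposed in the comment above, sketched as a servlet filter. This is an added example, not part of the original message and not Qpid's code; the class name `ApiSessionExpiryFilter`, the helper `isApiPath` and the choice of a `javax.servlet` filter are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not Qpid code): drops the session created while serving
// a preemptively authenticated /api request that arrived without a session.
public class ApiSessionExpiryFilter implements Filter {
    private static final String API_PREFIX = "/api"; // path named in the comment

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    // True for "/api" and "/api/...", but not for "/apiary" or "/ui/api".
    static boolean isApiPath(String contextPath, String requestUri) {
        String path = requestUri.startsWith(contextPath)
                ? requestUri.substring(contextPath.length()) : requestUri;
        int params = path.indexOf(';'); // strip ";jsessionid=..." style parameters
        if (params >= 0) path = path.substring(0, params);
        return path.equals(API_PREFIX) || path.startsWith(API_PREFIX + "/");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Record the state before authentication runs further down the chain.
        boolean hadSession = request.getSession(false) != null;
        boolean apiRequest = isApiPath(request.getContextPath(), request.getRequestURI());
        try {
            chain.doFilter(req, res);
        } finally {
            // A pre-existing session (e.g. a browser that loaded a non-/api page first)
            // is left alone, so client-certificate browser sessions keep working.
            if (apiRequest && !hadSession) {
                HttpSession created = request.getSession(false);
                if (created != null) {
                    try { created.invalidate(); }
                    catch (IllegalStateException alreadyInvalidated) { /* nothing to do */ }
                }
            }
        }
    }
}
```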