Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Setup sticky session for Kerberos and NTML HTTP Authentication #392

Merged
merged 3 commits into from
Feb 7, 2024
Merged

Setup sticky session for Kerberos and NTML HTTP Authentication #392

merged 3 commits into from
Feb 7, 2024

Conversation

mariash
Copy link
Member

@mariash mariash commented Feb 3, 2024

When server responds with WWW-Authenticate: Negotiate, save VCAP_ID cookie on response to client so that subsequent request with Authorization: Negotiate ... will be directed to the same application instance.

See RFC-4559

  • I have viewed signed and have submitted the Contributor License Agreement

  • I have made this pull request to the main branch

  • I have run all the unit tests.

  • (Optional) I have run Routing Acceptance Tests and Routing Smoke Tests

  • (Optional) I have run CF Acceptance Tests

@mariash mariash requested a review from a team as a code owner February 3, 2024 00:56
@jrussett @mariash
Setup sticky session for Kerberos and NTML HTTP Authentication
e7853c2 
When server responds with `WWW-Authenticate: Negotiate`, save VCAP_ID
cookie on response to client so that subsequent request with
`Authorization: Negotiate ...` will be directed to the same application
instance.

See [RFC-4559](https://www.ietf.org/rfc/rfc4559.txt)

Signed-off-by: Josh Russett <[email protected]>
@maxmoehl
Copy link
Member

maxmoehl commented Feb 3, 2024

Can you please explain why the same behaviour cannot be achieved by having the server set the configured sticky session cookie (e.g. JSESSIONID) and using the already existing functionality?

@geofffranks
Copy link
Contributor

Can you please explain why the same behaviour cannot be achieved by having the server set the configured sticky session cookie (e.g. JSESSIONID) and using the already existing functionality?

With NTLM + Kerberos based Integraded Windows Authentication, the authentication logic happens at a core library level for .Net, rather than something the application can control. No cookies can be set until after the auth has been successful. Sticky session cookies work great after the fact, but unfortunately not for IWA.

domdom82
domdom82 requested changes Feb 6, 2024
View reviewed changes
proxy/round_tripper/proxy_round_tripper.go Outdated Show resolved Hide resolved
route/leastconnection.go Show resolved Hide resolved
route/roundrobin.go Show resolved Hide resolved
@domdom82
Copy link
Contributor

domdom82 commented Feb 7, 2024

@mariash thanks for the fixes.
I have to say I feel uneasy about this change, it adds a lot of logic for a niche use-case. NTLM is not an internet standard because it introduces state to an otherwise stateless protocol like HTTP. It clearly wasn't designed with reverse-proxies like Gorouter in mind. So, to me it would have been better to add a flag for enabling the protocol in the routing-release, probably also with operator configuration options for the VCAP cookie which are now hard-coded.

The entire session handling will eventually have to move to its own middleware, I really don't like it in round tripper.
Sessions don't work for websockets for example, because they are a different code path. (See this issue for that)

I will accept the changes for now, with a major refactor of the session logic on my mind.

@winkingturtle-vmw winkingturtle-vmw merged commit ad6b877 into main Feb 7, 2024
1 check passed
@winkingturtle-vmw winkingturtle-vmw deleted the add-http-iwa-ntlm-support branch February 7, 2024 13:11
@geofffranks geofffranks mentioned this pull request Feb 7, 2024
Merged
9 tasks
@geofffranks
Copy link
Contributor

@domdom82
FYI, we added a config flag for enabling/disabling this in #393 and cloudfoundry/routing-release#387.

@domdom82
Copy link
Contributor

domdom82 commented Feb 8, 2024

thanks @geofffranks !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@domdom82 domdom82 domdom82 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@mariash @maxmoehl @geofffranks @domdom82 @winkingturtle-vmw @jrussett