tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Henri Gomez <henri.go...@gmail.com>
Subject Re: mod_jk, JSESSION_ID and load-balancing
Date Tue, 25 Jun 2013 07:00:42 GMT
Hi Rainer.

>
> It seems Shiro recommend to extend
>
>
https://svn.apache.org/viewvc/shiro/trunk/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
>

>From code review (I may be wrong), it seems Nexus is extending
org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter

https://github.com/sonatype/nexus-oss/blob/master/plugins/restlet1x/nexus-restlet1x-plugin/src/main/java/org/sonatype/nexus/security/filter/authc/NexusHttpAuthenticationFilter.java


> in order to add the needed suffix to a new id when creating a session
> cookie and to subtract it before forwarding the id to the shiro internals.
>
> Some of the things you need are already implemented in recent mod_jk:
>
> Strategy 1:
>
> You can let mod_jk know about using another cookie by setting the worker
> load balancer attribute "session_cookie" e.g. to "mycookie". You might
> also want to change session_path to something non-standard such that an
> occasional path encoding with the busted session id doesn't interfere
> with mod_jk.
>
> See "session_cookie" and "session_path" in
> http://tomcat.apache.org/connectors-doc/reference/workers.html.

Yep, but Tomcat or HTTPd/mod_jk should set this cookie instead of
JSESSIONID isn't it ?

> Strategy 2:
>
> Directly set the route with Apache means into the Apache environment
> variable JK_ROUTE. See "JK_ROUTE" in
> http://tomcat.apache.org/connectors-doc/reference/apache.html.
>
> The problem is how to set the cookie. You could do it using a servlet
> filter on the Tomcat side. Such a simple filter could be added to the
> webapp, without the need of changing the webapp sources. The filter is
> independent and would just be added to web.xml and the WEB-INF/lib.

Sadly I can't update Nexus installation or setup ;(

> Letting mod_jk itself set the cookie could be a nice addition, because
> it would be easy for it to do. It knows the correct route name, whether
> the cookie was already received with the request and whether a failover
> happened. Would be easy to add. The configuration would need to wire the
> "HttpOnly" and "Secure" flags for the cookie.

Yes and back to my initial question, about updating mod_jk so it could set
and reuse its own cookie instead of substring of JSESSIONID :)

HTTPd mod_proxy and mod_balancer did the same and it seems a smart
alternative.

What do you think ?

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message