tomcat-users mailing list archives

From ROOKIE <vinod...@yahoo.com>
Subject Re: SSO session replication within TC 5.5.23 cluster
Date Tue, 07 Aug 2007 10:14:16 GMT
Hi,
I have a problem with tomcat cluster + mod_proxy load balancer :

We have a main app which authenticates itself to a webapp and from this app one can launch
embedded apps which use the SSO cookie to access other webapps on the server (Single-Sign-On
for the user).

Things are working perfectly for the normal cookie but not for the sso cookie.

The problem I have is that tomcat does not replicate SSO sessions so when these embedded apps
route through the load balancer we get 401s on all the other cluster members except the one
which actually generated the SSO cookie. 

I wanted to know if we can edit the SSO cookie generated by tomcat to also contain the jvmRoute
parameter so that the load balancer directly goes to the correct cluster member.


I tried doing this in my code by fetching the SSO cookie and appending to it the jvmRoute
as follows :

        HttpServletRequest request = (HttpServletRequest)Security.getContext(HttpServletRequest.class);
        HttpServletResponse response = (HttpServletResponse)Security.getContext(HttpServletResponse.class);
        if(request != null) {
            String jvmRoute = "Vinod_Cluster_1";    // as mentioned in server.xml
            Cookie[] cookies = request.getCookies();
            for(int nc=0; cookies != null && nc < cookies.length; nc++) {
                if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
                    // normal session cookie: just remember its value
                    _sessionId = cookies[nc].getValue();
                }
                else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
                    _ssoSessionId = cookies[nc].getValue();
                    // append the route suffix once and send the rewritten cookie back to the client
                    if (!_ssoSessionId.contains("." + jvmRoute)) {
                        _ssoSessionId += "." + jvmRoute;
                        response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
                    }
                }
            }
        }

But after this I started getting 401s from even the correct cluster member. My guess is addCookie
doesn't update the cookie in tomcat's cache which is reasonable.

Other thought was to edit tomcat's sso cookie generation code to append the jvmRoute to the
sso cookie.

Is there a better way to achieve this in my code base?

Thanks In Advance,
Vinod
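
The failure described above, as an added example that is not part of the original post and not Tomcat's code: a small model in which a node's SSO cache is keyed by the exact id it issued, so a cookie value with ".jvmRoute" appended misses the cache unless the server strips the suffix before the lookup. The class and method names, the sample id and the route table are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Added model, not Tomcat code: an SSO cache keyed by the exact id it issued.
public class SsoRouteSuffixDemo {
    // Hypothetical stand-in for one node's SSO cache: issued id -> user name.
    static final Map<String, String> SSO_CACHE = new HashMap<>();

    // Split "ID.route" into {id, route}; route is null when no suffix is present.
    // Assumption: the issued id itself never contains a '.'.
    static String[] splitRoute(String cookieValue) {
        int dot = cookieValue.indexOf('.');
        if (dot < 0) {
            return new String[] { cookieValue, null };
        }
        return new String[] { cookieValue.substring(0, dot), cookieValue.substring(dot + 1) };
    }

    // Exact-match lookup: the rewritten value is a key the cache never stored.
    static String lookupExact(String cookieValue) {
        return SSO_CACHE.get(cookieValue);
    }

    // Lookup that drops the routing suffix first, so only the issued id is used.
    static String lookupNormalized(String cookieValue) {
        return SSO_CACHE.get(splitRoute(cookieValue)[0]);
    }

    // Sticky routing on the suffix; unknown or missing routes fall back to any node.
    static String pickNode(String cookieValue, Map<String, String> routes, String fallback) {
        String route = splitRoute(cookieValue)[1];
        return (route != null && routes.containsKey(route)) ? routes.get(route) : fallback;
    }

    public static void main(String[] args) {
        String issued = "3F2A9C0B7D1E4F5A";              // constructed sample id
        String rewritten = issued + ".Vinod_Cluster_1";  // what the client-side code sends back
        SSO_CACHE.put(issued, "vinod");
        Map<String, String> routes = new HashMap<>();
        routes.put("Vinod_Cluster_1", "node1");          // constructed route table

        System.out.println("exact(issued)         = " + lookupExact(issued));
        System.out.println("exact(rewritten)      = " + lookupExact(rewritten));
        System.out.println("normalized(rewritten) = " + lookupNormalized(rewritten));
        System.out.println("node(rewritten)       = " + pickNode(rewritten, routes, "any"));
        System.out.println("node(issued)          = " + pickNode(issued, routes, "any"));
    }
}
```
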
----- Original Message ----
From: Filip Hanik - Dev Lists <devlists@hanik.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Wednesday, May 30, 2007 2:49:59 PM
Subject: Re: SSO session replication within TC 5.5.23 cluster

It was contributed but never completed, so it is not working properly

Filip

ROOKIE wrote:
> Hi,
> Can someone please clarify if tomcat 5.5 supports replication of single-sign-on sessions across cluster members, if so how to configure it ?
>
> Thanks,
> Vinod
>
> ----- Original Message ----
> From: ROOKIE <vinodv26@yahoo.com>
> To: users@tomcat.apache.org
> Sent: Tuesday, May 29, 2007 5:20:03 PM
> Subject: SSO session replication within TC 5.5.23 cluster
>
> Hi,
>
> I have created a simple TCP cluster of 2 TC 5.5.23 servers and added an Apache 2.2 (mod_proxy) load balancer in front. Our tomcat has SSO valve enabled.
>
> I wanted to know if TC 5.5.23 supports SSO session replication ? 
>
> Googling tells me that a patch was submitted for this, http://fabien.carrion.free.fr/TomcatCluster.html and even the catalina-cluster.jar has the ClusterSingleSignOn valve. But TC mailing lists suggest that the support is still not complete.
>
> In any case I have not been able to get it working. 
>
> Whenever I use the SSO cookie for authentication I get 401 from all the other cluster members (except the one who generated the SSO session id).
>
> The requested resource is protected and the UserPrincipal found in the HttpRequest by the other cluster members is null. I use a customized NTLM authenticator which expects a non-null UserPrincipal in the HttpRequest if user is already authenticated.
>
> Following is my cluster node in server.xml (embedded in Host node) :
>
>         <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
>              clusterName="rooksCluster"
>              managerClassName="org.apache.catalina.cluster.session.DeltaManager"
>              expireSessionsOnShutdown="false"
>              useDirtyFlag="true"
>              notifyListenersOnReplication="true">
>
>             <!--Shared between the whole cluster-->
>             <Membership 
>             className="org.apache.catalina.cluster.mcast.McastService"
>             mcastAddr="228.0.0.4"
>             mcastPort="45564"
>             mcastFrequency="500"
>             mcastDropTime="3000"/>
>
>             <!--Unique listen port for each cluster node-->
>             <Receiver 
>             className="org.apache.catalina.cluster.tcp.ReplicationListener"
>             tcpListenAddress="auto"
>             tcpListenPort="4002"
>             tcpSelectorTimeout="100"
>             tcpThreadCount="4"/>
>
>             <Sender
>             className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
>             replicationMode="pooled"
>             ackTimeout="15000"
>             waitForAck="true"/>
>
>             <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve"
>                filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
>                   
>             <Valve className="org.apache.catalina.cluster.authenticator.ClusterSingleSignOn" debug="0"/>
>             <Valve className="org.apache.catalina.cluster.session.JvmRouteBinderValve" enabled="true" sessionIdAttribute="takeoverSessionid"/>
>             <ClusterListener className="org.apache.catalina.cluster.session.JvmRouteSessionIDBinderListener"/>
>             <ClusterListener className="org.apache.catalina.cluster.session.ClusterSessionListener"/>
>         </Cluster>
>
> Any ideas why SSO session replication is not working, is it a configuration error or does TC 5.5.23 not support this.
>
>
>
> TIA,
>
> Vinod
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org