tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rex Wang <>
Subject Re: what does j_security_check do in clustering?
Date Fri, 18 Sep 2009 02:38:29 GMT
2009/9/17 Mark Thomas <>

> Rex Wang wrote:
> > Dear Tomcat,
> >
> > I meet a problem when config a web project which using the form based
> > security in clustering.
> Clustering or load-balancing? Whether or not session replication is
> configured between your Tomcat instance's is key.

I guess the j_security_check is not implemented by session. so the session
replication does not work for security check, right?
and I see the following in tomcat document:

To run session replication in your Tomcat 6.0 container, the following steps
should be completed:

   - All your session attributes must implement
   - Uncomment the Cluster element in server.xml
   - If you have defined custom cluster valves, make sure you have the
   ReplicationValve defined as well under the Cluster element in server.xml
   - If your Tomcat instances are running on the same machine, make sure the
   tcpListenPort attribute is unique for each instance, in most cases Tomcat
   is smart enough to resolve this on it's own by autodetecting available ports
   in the range 4000-4100
   - Make sure your web.xml has the <distributable/> element or set at
your <Context
   distributable="true" />
   - If you are using mod_jk, make sure that jvmRoute attribute is set at
   your Engine <Engine name="Catalina" jvmRoute="node01" > and that the
   jvmRoute attribute value matches your worker name in
   - Make sure that all nodes have the same time and sync with NTP service!
   - *Make sure that your loadbalancer is configured for sticky session

So the sticky session is the precondition of tomcat clustering?

thanks a lot!


> > When I set session affinity = true in my front http server, the security
> > check was done in single node, there is no problem with that.
> > But if I set affinity = false, the requests from the security check
> process
> > are sent to 2 nodes, and it is really strange.. eg:
> >
> > 1. From index.html(NodeA), try to access protected resouce
> > 2. Go to the logon.html(NodeB), I input the id/passwd, and then submit
> > 3. The request looks like sent to NodeA, but did not do any check
> operation.
> >
> > Does that work as design? that is, if I wanna use form check security, my
> > cluster must be session affinity?
> That depends on the answer to the question above.
> Mark
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message