tomcat-users mailing list archives

From "Okubo, Yasushi (TSD)" <Yasushi.Ok...@takedasd.com>
Subject RE: question for sso session replication in tomcat 6.0.26
Date Tue, 22 Jun 2010 14:56:58 GMT
Hi Andrew

In case of no failover, SSO works for all web applications on the same host.
Upon failover [shutting down one node], a user is routed to the other node,
and TC is asking for a user to re-login when he/she tried to access password
protected area.

I have checked many times on server.xml and session replication is working
fine upon failover, so I cannot think of any misconfiguration on server.xml.
The issue is SSO failover is not working.  I think it might be related to my
apache virtual host setup, but could not figure it out.

Thanks for your help,
yasushi

I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]
OS : Redhat Linux 64bit  RHEL v5.5
JDK : 1.6.0.20 

=== I created virtual host on port 9050 ==
Httpd.conf

<VirtualHost 10.250.200.57:9050>
ServerAdmin xyz
ServerName webclust1.xyz.com
ServerAlias webclust1
ErrorLog logs/webclust_cluster_error.log
CustomLog logs/webclust-cluster-access_log common

<Location /balancer-manager>
SetHandler balancer-manager

Order Deny,Allow
Deny from all
Allow from all
</Location>

ProxyRequests off
<Proxy balancer://webclust>
BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1
BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2
BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3
Order Deny,Allow
Allow from all
</Proxy>

#Do not proxy balancer-manager
ProxyPass /balancer-manager !

<Location /examples>
ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid
ProxyPassReverse balancer://webclust/examples
Order Deny,Allow
Allow from all
</Location>

<Location / >
ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid
ProxyPassReverse balancer://webclust/
Order Deny,Allow
Allow from all
</Location>


=== server.xml ===
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="9002" protocol="AJP/1.3" redirectPort="8443" />

<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">

<Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
                        
        <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
                 channelSendOptions="4">

          <Manager className="org.apache.catalina.ha.session.DeltaManager"
                           name="node2"
                   expireSessionsOnShutdown="false"
                   notifyListenersOnReplication="true"/>

          <Channel className="org.apache.catalina.tribes.group.GroupChannel">
            <Membership className="org.apache.catalina.tribes.membership.McastService"
                        address="228.0.0.5"
                        port="45564"
                        frequency="500"
                        dropTime="3000"/>
            <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
                      address="auto"
                      port="4020"
                      autoBind="100"
                      selectorTimeout="5000"
                      maxThreads="12"/>
<Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
              <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
            </Sender>
            <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
            <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
                <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
          </Channel>

          <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
                 filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;.*\.xls;.*\.sdf;.*\.xml;"/>
              <!-- only with jk_mod failover-->
          <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"
                 enabled="true" sessionIdAttribute="takeoverSessionid" />
<!--
          <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
                    tempDir="/tmp/war-temp/"
                    deployDir="/usr/local/apache/node2-tomcat-6.0.26/webapps"
                    watchDir="/tmp/war-listen/"
                                        watchEnabled="true"/>
-->
                  <!-- only with jk_mod and jvmroutebindervalve--> 
          <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
          <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
        </Cluster>

<Valve className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn" />

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"  
               prefix="webappqa_node2_access_log." suffix=".log" pattern="common" resolveHosts="false"/>

      </Host>
</Engine>


-----Original Message-----
From: Andrew Bruno [mailto:andrew.bruno@gmail.com] 
Sent: Monday, June 21, 2010 10:09 PM
To: Tomcat Users List
Subject: Re: question for sso session replication in tomcat 6.0.26

Oh sorry, I re-read your answer.  Not sure why SSO is not working, be
interested to find out though..

AB

On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno <andrew.bruno@gmail.com> wrote:
> Hi Yasushi
>
> In your server.xml have you added the jvmroute to the Engine?
>
> i.e.
>
> <Engine name="Catalina" defaultHost="localhost" jvmRoute="1">
>
> Andrew
>
> On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD) <Yasushi.Okubo@takedasd.com> wrote:
>> Hi Andrew
>>
>> Thanks for your post.  When I checked the session id from firefox, sso
>> session id [jsessionidsso] does not have jvmroute info, but only
>> jsessionid has jvmroute.  So, session replication upon failover is
>> working fine, but single sign-on upon failover is not working on
>> tomcat 6.0.x (including 6.0.26).
>>
>> yasushi
>>
>> -----Original Message-----
>> From: Andrew Bruno [mailto:andrew.bruno@gmail.com]
>> Sent: Monday, June 21, 2010 9:18 PM
>> To: Tomcat Users List
>> Subject: Re: question for sso session replication in tomcat 6.0.26
>>
>> Looking at the code I think this is wrong
>>
>> if (!_ssoSessionId.contains("." + jvmRoute)) {
>>   _ssoSessionId += "." + jvmRoute;
>>   response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>> }
>>
>> The original sessionId will already have the "."+_any_other_jvmRoute
>> included, so you need to substring it, and append the new jvmRoute.
>>
>>  _ssoSessionId = _ssoSessionId.substring(0, _ssoSessionId.indexOf("."));
>>
>> and then add
>>
>>  _ssoSessionId += "." + jvmRoute;
>>
>> AB
>>
>> On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD)
>> <Yasushi.Okubo@takedasd.com> wrote:
>>> Hi experts
>>>
>>>
>>>
>>> I found this old email from archive in TC 5.5.23.
>>>
>>> Does this problem still exist in tomcat 6.0.x or 6.0.26?
>>>
>>>
>>>
>>> When failover occurs, sso session id is updated with new number after
>>> forcing a user to relogin to the application since sso session id is not
>>> replicated and rewritten correctly.  Could someone explain what is
>>> expected in current tomcat 6.0.x cluster upon failover?  Should sso
>>> session id be replicated correctly in tomcat 6.0.x?
>>>
>>>
>>>
>>> Thanks,
>>>
>>> yasushi
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> ROOKIE wrote:
>>> Hi,
>>> I have a problem with tomcat cluster + mod_proxy load balancer :
>>>
>>> We have a main app which authenticates itself to a webapp and from this
>>> app one can launch embedded apps which use the SSO cookie to access
>>> other webapps on the server (Single-Sign-On for the user).
>>>
>>> Things are working perfectly for the normal cookie but not for the sso
>>> cookie.
>>>
>>>
>>> The problem I have is that tomcat does not replicate SSO sessions so
>>> when these embedded apps route through the load balancer we get 401s on
>>> all the other cluster members except the one which actually generated
>>> the SSO cookie.
>>>
>>> I wanted to know if we can edit the SSO cookie generated by tomcat to
>>> also contain the jvmRoute parameter so that the load balancer directly
>>> goes to the correct cluster member.
>>>
>>>
>>> I tried doing this in my code by fetching the SSO cookie and appending
>>> to it the jvmRoute as follows :
>>>
>>>        HttpServletRequest request =
>>>            (HttpServletRequest) Security.getContext(HttpServletRequest.class);
>>>        HttpServletResponse response =
>>>            (HttpServletResponse) Security.getContext(HttpServletResponse.class);
>>>        if (request != null) {
>>>            String jvmRoute = "Vinod_Cluster_1";    // as mentioned in server.xml
>>>            Cookie[] cookies = request.getCookies();
>>>            for (int nc = 0; cookies != null && nc < cookies.length; nc++) {
>>>                if (_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>                    _sessionId = cookies[nc].getValue();
>>>                } else if (_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>                    _ssoSessionId = cookies[nc].getValue();
>>>                    // append this node's route if the SSO id does not carry it yet
>>>                    if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>                        _ssoSessionId += "." + jvmRoute;
>>>                        response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>>                    }
>>>                }
>>>            }
>>>        }
>>>
>>>
>>> But after this I started getting 401s from even the correct cluster
>>> member. My guess is addCookie doesn't update the cookie in tomcat's cache
>>> which is reasonable.
>>>
>>> Other thought was to edit tomcat's sso cookie generation code to append
>>> the jvmRoute to the sso cookie.
>>>
>>>
>>> Is there a better way to achieve this in my code base ?
>>>
>>> Thanks In Advance,
>>> Vinod
>>>
>>>
>>>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>>
>
>
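
Added example (not code from the thread and not Tomcat's own): the route-suffix rewrite discussed above, covering an SSO id that carries no route yet, where `indexOf(".")` returns -1 and `substring(0, -1)` throws. The class and method names are hypothetical, the ids are constructed, and the map standing in for the server-side SSO cache keyed by the bare id is a modelling assumption used to illustrate the 401s reported after the cookie value was changed in application code.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; SsoRouteSuffix is a hypothetical name, not a Tomcat class.
public class SsoRouteSuffix {

    // Return the id without a ".route" suffix. Assumes the id itself contains
    // no '.', so the first '.' starts the route. Guarded because indexOf
    // returns -1 when there is no suffix.
    static String stripRoute(String id) {
        int dot = id.indexOf('.');
        return dot < 0 ? id : id.substring(0, dot);
    }

    // Replace whatever route the id carries with the current node's route.
    static String withRoute(String id, String jvmRoute) {
        return stripRoute(id) + "." + jvmRoute;
    }

    // The check from the quoted snippet: appends without removing the route
    // of the node that issued the id, so routes stack after a failover.
    static String appendIfMissing(String id, String jvmRoute) {
        return id.contains("." + jvmRoute) ? id : id + "." + jvmRoute;
    }

    public static void main(String[] args) {
        String bare = "A1B2C3D4E5F6";     // constructed sample SSO id
        String fromJvm1 = bare + ".jvm1"; // id as issued by node jvm1

        // Failover to jvm2: compare the stacked suffix with the replaced one.
        System.out.println(appendIfMissing(fromJvm1, "jvm2"));
        System.out.println(withRoute(fromJvm1, "jvm2"));
        // An id with no route yet must not throw.
        System.out.println(withRoute(bare, "jvm2"));

        // Assumption: the server looks the SSO entry up by the bare id.
        Map<String, String> ssoCache = new HashMap<String, String>();
        ssoCache.put(bare, "user1");      // constructed principal
        String cookieValue = withRoute(bare, "jvm2");

        // Looking up the rewritten cookie value misses the entry, which under
        // this assumption is what forces the re-login.
        System.out.println(ssoCache.get(cookieValue));
        // Stripping the route before the lookup finds the entry again.
        System.out.println(ssoCache.get(stripRoute(cookieValue)));
    }
}
```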
