tomcat-users mailing list archives

From "Okubo, Yasushi (TSD)" <Yasushi.Ok...@takedasd.com>
Subject RE: question for sso session replication in tomcat 6.0.26
Date Tue, 22 Jun 2010 20:48:25 GMT
Hi

I downloaded Apache v2.2.15, compiled and installed it, but the
result was the same.

SSO session replication looks like it failed.  Upon shutting down the
node, it kicked me out of the password-protected area and I needed to
re-login on the second node.

On apache, I installed/enabled all modules including basic
authentication etc.  Is there any requirement on apache side or how the
virtual host should be set up in httpd.conf to make sso failover work?

Thanks,
yasushi

-----Original Message-----
From: Pid [mailto:pid@pidster.com] 
Sent: Tuesday, June 22, 2010 8:04 AM
To: Tomcat Users List
Subject: Re: question for sso session replication in tomcat 6.0.26

On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote:
> Hi Andrew
> 
> In case of no failover, SSO works for all web applications on the same host.  Upon failover [shutting down one node], a user is routed to the other node, and TC asks the user to re-login when he/she tries to access the password-protected area.
> 
> I have checked server.xml many times and session replication is working fine upon failover, so I cannot think of any misconfiguration in server.xml.
> The issue is that SSO failover is not working.  I think it might be related to my apache virtual host setup, but I could not figure it out.
> 
> Thanks for your help,
> yasushi
> 
> I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]

mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional
but not perfect & there are many bugfixes and improvements since then,
you should upgrade HTTPD.


p

> OS : Redhat Linux 64bit  RHEL v5.5
> JDK : 1.6.0.20 
> 
> === I created virtual host on port 9050 ==
> Httpd.conf
> 
> <VirtualHost 10.250.200.57:9050>
> ServerAdmin xyz
> ServerName webclust1.xyz.com
> ServerAlias webclust1
> ErrorLog logs/webclust_cluster_error.log
> CustomLog logs/webclust-cluster-access_log common
> 
> <Location /balancer-manager>
> SetHandler balancer-manager
> 
> Order Deny,Allow
> Deny from all
> Allow from all
> </Location>
> 
> ProxyRequests off
> <Proxy balancer://webclust>
> BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1
> BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2
> BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3
> Order Deny,Allow
> Allow from all
> </Proxy>
> 
> #Do not proxy balancer-manager
> ProxyPass /balancer-manager !
> 
> <Location /examples>
> ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid
> ProxyPassReverse balancer://webclust/examples
> Order Deny,Allow
> Allow from all
> </Location>
> 
> <Location / >
> ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid
> ProxyPassReverse balancer://webclust/
> Order Deny,Allow
> Allow from all
> </Location>
> 
> 
> === server.xml ===
>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>     <Connector port="9002" protocol="AJP/1.3" redirectPort="8443" />
> 
> <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
> 
> <Host name="localhost"  appBase="webapps"
>             unpackWARs="true" autoDeploy="true"
>             xmlValidation="false" xmlNamespaceAware="false">
>                         
>         <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
>                  channelSendOptions="4">
> 
>           <Manager className="org.apache.catalina.ha.session.DeltaManager"
>                    name="node2"
>                    expireSessionsOnShutdown="false"
>                    notifyListenersOnReplication="true"/>
> 
>           <Channel className="org.apache.catalina.tribes.group.GroupChannel">
>             <Membership className="org.apache.catalina.tribes.membership.McastService"
>                         address="228.0.0.5"
>                         port="45564"
>                         frequency="500"
>                         dropTime="3000"/>
>             <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
>                       address="auto"
>                       port="4020"
>                       autoBind="100"
>                       selectorTimeout="5000"
>                       maxThreads="12"/>
>             <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
>               <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
>             </Sender>
>             <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
>             <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
>             <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
>           </Channel>
> 
>           <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
>                  filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;.*\.xls;.*\.sdf;.*\.xml;"/>
>           <!-- only with jk_mod failover-->
>           <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"
>                  enabled="true" sessionIdAttribute="takeoverSessionid"/>
> <!--
>           <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
>                     tempDir="/tmp/war-temp/"
>                     deployDir="/usr/local/apache/node2-tomcat-6.0.26/webapps"
>                     watchDir="/tmp/war-listen/"
>                     watchEnabled="true"/>
> -->
>           <!-- only with jk_mod and jvmroutebindervalve-->
>           <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
>           <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
>         </Cluster>
> 
> <Valve className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn" />
> 
> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>        prefix="webappqa_node2_access_log." suffix=".log"
>        pattern="common" resolveHosts="false"/>
> 
>       </Host>
> </Engine>
> 
> 
> -----Original Message-----
> From: Andrew Bruno [mailto:andrew.bruno@gmail.com] 
> Sent: Monday, June 21, 2010 10:09 PM
> To: Tomcat Users List
> Subject: Re: question for sso session replication in tomcat 6.0.26
> 
> Oh sorry, I re-read your answer.  Not sure why SSO is not working, be
> interested to find out though..
> 
> AB
> 
> On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno <andrew.bruno@gmail.com> wrote:
>> Hi Yasushi
>>
>> In your server.xml have you added the jvmRoute to the Engine?
>>
>> i.e.
>>
>> <Engine name="Catalina" defaultHost="localhost" jvmRoute="1">
>>
>> Andrew
>>
>> On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD) <Yasushi.Okubo@takedasd.com> wrote:
>>> Hi Andrew
>>>
>>> Thanks for your post.  When I checked the session id from firefox, the sso session id [jsessionidsso] does not have jvmroute info, but only jsessionid has jvmroute.  So, session replication upon failover is working fine, but single sign-on upon failover is not working on tomcat 6.0.x (including 6.0.26).
>>>
>>> yasushi
>>>
>>> -----Original Message-----
>>> From: Andrew Bruno [mailto:andrew.bruno@gmail.com]
>>> Sent: Monday, June 21, 2010 9:18 PM
>>> To: Tomcat Users List
>>> Subject: Re: question for sso session replication in tomcat 6.0.26
>>>
>>> Looking at the code I think this is wrong
>>>
>>> if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>   _ssoSessionId += "." + jvmRoute;
>>>   response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>> }
>>>
>>> The original sessionId will already have the "."+_any_other_jvmRoute
>>> included, so you need to substring it, and append the new jvmRoute.
>>>
>>>  _ssoSessionId = _ssoSessionId.substring(0, _ssoSessionId.indexOf("."));
>>>
>>> and then add
>>>
>>>  _ssoSessionId += "." + jvmRoute;
>>>
>>> AB
>>>
>>> On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD)
>>> <Yasushi.Okubo@takedasd.com> wrote:
>>>> Hi experts
>>>>
>>>>
>>>>
>>>> I found this old email from archive in TC 5.5.23.
>>>>
>>>> Does this problem still exist in tomcat 6.0.x or 6.0.26?
>>>>
>>>>
>>>>
>>>> When failover occurs, the sso session id is updated with a new number after
>>>> forcing a user to relogin to the application, since the sso session id is not
>>>> replicated and rewritten correctly.  Could someone explain what is
>>>> expected in the current tomcat 6.0.x cluster upon failover?  Should the sso
>>>> session id be replicated correctly in tomcat 6.0.x?
>>>>
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> yasushi
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ROOKIE wrote:
>>>> Hi,
>>>> I have a problem with tomcat cluster + mod_proxy load balancer :
>>>>
>>>> We have a main app which authenticates itself to a webapp, and from this app one
>>>> can launch embedded apps which use the SSO cookie to access other webapps on
>>>> the server (Single-Sign-On for the user).
>>>>
>>>> Things are working perfectly for the normal cookie but not for the sso
>>>> cookie.
>>>>
>>>> The problem I have is that tomcat does not replicate SSO sessions, so
>>>> when these embedded apps route through the load balancer we get 401s on
>>>> all the other cluster members except the one which actually generated
>>>> the SSO cookie.
>>>>
>>>> I wanted to know if we can edit the SSO cookie generated by tomcat to also
>>>> contain the jvmRoute parameter so that the load balancer directly goes to the
>>>> correct cluster member.
>>>>
>>>> I tried doing this in my code by fetching the SSO cookie and appending to it
>>>> the jvmRoute as follows :
>>>>
>>>>        HttpServletRequest request =
>>>>            (HttpServletRequest) Security.getContext(HttpServletRequest.class);
>>>>        HttpServletResponse response =
>>>>            (HttpServletResponse) Security.getContext(HttpServletResponse.class);
>>>>        if (request != null) {
>>>>            String jvmRoute = "Vinod_Cluster_1";    // as mentioned in server.xml
>>>>            Cookie[] cookies = request.getCookies();
>>>>            for (int nc = 0; cookies != null && nc < cookies.length; nc++) {
>>>>                if (_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>                    _sessionId = cookies[nc].getValue();
>>>>                }
>>>>                else if (_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>                    _ssoSessionId = cookies[nc].getValue();
>>>>                    if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>>                        _ssoSessionId += "." + jvmRoute;
>>>>                        response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>>>                    }
>>>>                }
>>>>            }
>>>>        }
>>>>
>>>> But after this I started getting 401s from even the correct cluster
>>>> member. My guess is addCookie doesn't update the cookie in tomcat's cache,
>>>> which is reasonable.
>>>>
>>>> Other thought was to edit tomcat's sso cookie generation code to append the
>>>> jvmRoute to the sso cookie.
>>>>
>>>> Is there a better way to achieve this in my code base ?
>>>>
>>>> Thanks In Advance,
>>>> Vinod
>>>>
>>>>
>>>>
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
> 
> 
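
A consistency check for the kind of setup quoted in this thread, added here as an example (it is not code from any poster or from the Tomcat project): mod_proxy_balancer only keeps a session sticky when the `route=` on a `BalancerMember` equals the `jvmRoute` of the Tomcat Engine listening on that AJP port, so the script compares the two and confirms the `ClusterSingleSignOn` valve is present. The sample inputs, addresses and the function names `balancer_routes` and `audit_node` are constructed for illustration, and the sample deliberately contains a mismatch.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample inputs (not the poster's files): balancer config and one node's server.xml.
HTTPD_CONF = """
<Proxy balancer://webclust>
BalancerMember ajp://10.0.0.1:9001 loadfactor=10 route=jvm1
BalancerMember ajp://10.0.0.1:9002 loadfactor=10 route=jvm2
</Proxy>
"""
SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="9002" protocol="AJP/1.3" redirectPort="8443"/>
  <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    <Host name="localhost" appBase="webapps">
      <Valve className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn"/>
  </Host></Engine>
</Service></Server>
"""
SSO_VALVE = "org.apache.catalina.ha.authenticator.ClusterSingleSignOn"
MEMBER_RE = re.compile(r"^\s*BalancerMember\s+ajp://[^:\s/]+:(\d+)\b(.*)$", re.M)

def balancer_routes(httpd_conf):
    """Map AJP port -> route= value (None if absent) for every BalancerMember line."""
    routes = {}
    for port, rest in MEMBER_RE.findall(httpd_conf):
        m = re.search(r"\broute=(\S+)", rest)
        routes[int(port)] = m.group(1) if m else None
    return routes

def audit_node(httpd_conf, server_xml):
    """Return a list of findings for one Tomcat node checked against the balancer config."""
    findings = []
    root = ET.fromstring(server_xml)
    routes = balancer_routes(httpd_conf)
    engine = root.find(".//Engine")
    jvm_route = engine.get("jvmRoute") if engine is not None else None
    for conn in root.iter("Connector"):
        if conn.get("protocol", "").startswith("AJP"):
            port = int(conn.get("port"))
            if port not in routes:
                findings.append(f"AJP port {port} is not a BalancerMember")
            elif routes[port] != jvm_route:
                findings.append(f"port {port}: route={routes[port]} but jvmRoute={jvm_route}")
    if not any(v.get("className") == SSO_VALVE for v in root.iter("Valve")):
        findings.append("no ClusterSingleSignOn valve")
    return findings

if __name__ == "__main__":
    print(audit_node(HTTPD_CONF, SERVER_XML))
```

Run it once per node with that node's server.xml; an empty list means the routing names line up, which rules out sticky-session misrouting before looking at SSO replication itself.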



