tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Okubo, Yasushi (TSD)" <Yasushi.Ok...@takedasd.com>
Subject RE: question for sso session replication in tomcat 6.0.26
Date Thu, 24 Jun 2010 20:13:26 GMT

Hi Pid

I started getting the following error upon login to one node onto
cluster.
Could you tell me what this mean is?

Yasushi


Jun 24, 2010 10:51:58 AM org.apache.catalina.ha.tcp.ReplicationValve
sendReplicationMessage
SEVERE: Unable to perform replication request.
java.lang.NullPointerException
        at
org.apache.catalina.ha.tcp.ReplicationValve.isRequestWithoutSessionChang
e(ReplicationValve.java:590)
        at
org.apache.catalina.ha.tcp.ReplicationValve.sendSessionReplicationMessag
e(ReplicationValve.java:516)
        at
org.apache.catalina.ha.tcp.ReplicationValve.sendReplicationMessage(Repli
cationValve.java:430)
        at
org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java
:363)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
:102)
        at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555
)
        at
org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:
421)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
java:109)
        at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:2
98)
        at
org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:427)
        at
org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpApr
Protocol.java:384)
        at
org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555)
        at java.lang.Thread.run(Thread.java:619)


-----Original Message-----
From: Pid [mailto:pid@pidster.com] 
Sent: Wednesday, June 23, 2010 1:06 AM
To: Tomcat Users List
Subject: Re: question for sso session replication in tomcat 6.0.26

I'll have to look at the code, but maybe you're being affected by a
recent bug whereby the session id changes after login but isn't then
replicated.

You might search bugzilla to see if this applies to 6.0.26.


p

On 22 Jun 2010, at 22:41, "Okubo, Yasushi (TSD)"
<Yasushi.Okubo@takedasd.com> wrote:

> 
> Hi
> 
> There were two cookies created by Tomcat 6.0.26. One is for SSO, and
the
> other is for regular session between client and tomcat.  JSESSIONID is
> working fine : it means session replication and failover, but not
> JSESSIONIDSSO.  JSESSIONIDSSO is updated with new value upon relogin.
> 
> yasushi
> 
> 
> JSESSIONIDSSO
> 65110434847FE0AA1F1EBF0EF0871D25
> 
> 
> JSESSIONID
> 5CFE92814875C4DEFC554526147698A3.jvm2
> 
> -----Original Message-----
> From: Jon Brisbin [mailto:jon.brisbin@npcinternational.com] 
> Sent: Tuesday, June 22, 2010 2:17 PM
> To: Tomcat Users List
> Cc: Okubo, Yasushi (TSD)
> Subject: Re: question for sso session replication in tomcat 6.0.26
> 
> Are you using a "jvmRoute" setting on your BalancerMember definition
in
> mod_proxy config and on the <Engine/> element in server.xml? Your
cookie
> would have the jvmRoute property added to the end of it (e.g.
> ALONGMD5HASH.server1) if so.
> 
> From the Almighty Google:
> http://community.jboss.org/wiki/usingmodproxywithjboss
> 
> Jon Brisbin
> Portal Webmaster
> NPC International, Inc.
> 
> 
> 
> On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote:
> 
>> Hi
>> 
>> I downloaded apache apache v2.2.15 and compiled and installed, but
the
>> result was the same.
>> 
>> Session sso replication looked like failed.  Upon shutting down the
>> node, it kicked me out of password protected area and needed to
> re-loin
>> on the second node.
>> 
>> On apache, I installed/enabled all modules including basic
>> authentication etc.  Is there any requirement on apache side or how
> the
>> virtual host should be set up in httpd.conf to make sso failover
work?
>> 
>> Thanks,
>> yasushi
>> 
>> -----Original Message-----
>> From: Pid [mailto:pid@pidster.com] 
>> Sent: Tuesday, June 22, 2010 8:04 AM
>> To: Tomcat Users List
>> Subject: Re: question for sso session replication in tomcat 6.0.26
>> 
>> On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote:
>>> Hi Andrew
>>> 
>>> In case of no failover, SSO works for all web applications on the
> same
>> host.  Upon failover [shutting down one node], a user is routed to
the
>> other node, and TC is asking for a user to re-login when he/she tried
> to
>> access password protected area.  
>>> 
>>> I have checked many times on server.xml and session replication is
>> working fine upon failover, so I cannot think any misconfiguration on
>> server.xml
>>> The issue is SSO failover is not working.  I think it might be
> related
>> to my apache virtual host setup, but could not figure it out.
>>> 
>>> Thanks for your help,
>>> yasushi
>>> 
>>> I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]
>> 
>> mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional
>> but not perfect & there are many bugfixes and improvements since
then,
>> you should upgrade HTTPD.
>> 
>> 
>> p
>> 
>>> OS : Redhat Linux 64bit  RHEL v5.5
>>> JDK : 1.6.0.20 
>>> 
>>> === I created virtual host on port 9050 ==
>>> Httpd.conf
>>> 
>>> <VirtualHost 10.250.200.57:9050>
>>> ServerAdmin xyz
>>> ServerName webclust1.xyz.com
>>> ServerAlias webclust1
>>> ErrorLog logs/webclust_cluster_error.log
>>> CustomLog logs/webclust-cluster-access_log common
>>> 
>>> <Location /balancer-manager>
>>> SetHandler balancer-manager
>>> 
>>> Order Deny,Allow
>>> Deny from all
>>> Allow from all
>>> </Location>
>>> 
>>> ProxyRequests off
>>> <Proxy balancer://webclust>
>>> BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150
> smax=145
>> route=jvm1
>>> BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150
> smax=145
>> route=jvm2
>>> BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150
> smax=145
>> route=jvm3
>>> Order Deny,Allow
>>> Allow from all
>>> </Proxy>
>>> 
>>> #Do not proxy balancer-manager
>>> ProxyPass /balancer-manager !
>>> 
>>> <Location /examples>
>>> ProxyPass balancer://webclust/examples
>> stickysession=JSESSIONID|jsessionid
>>> ProxyPassReverse balancer://webclust/examples
>>> Order Deny,Allow
>>> Allow from all
>>> </Location>
>>> 
>>> <Location / >
>>> ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid
>>> ProxyPassReverse balancer://webclust/
>>> Order Deny,Allow
>>> Allow from all
>>> </Location>
>>> 
>>> 
>>> === server.xml ===
>>>   <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>   <Connector port="9002" protocol="AJP/1.3" redirectPort="8443" />
>>> 
>>> <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
>>> 
>>> <Host name="localhost"  appBase="webapps"
>>>           unpackWARs="true" autoDeploy="true"
>>>           xmlValidation="false" xmlNamespaceAware="false">
>>> 
>>>       <Cluster
>> className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
>>>                channelSendOptions="4">
>>> 
>>>         <Manager
>> className="org.apache.catalina.ha.session.DeltaManager"
>>>                          name="node2"
>>>                  expireSessionsOnShutdown="false"
>>>                  notifyListenersOnReplication="true"/>
>>> 
>>>         <Channel
>> className="org.apache.catalina.tribes.group.GroupChannel">
>>>           <Membership
>> className="org.apache.catalina.tribes.membership.McastService"
>>>                       address="228.0.0.5"
>>>                       port="45564"
>>>                       frequency="500"
>>>                       dropTime="3000"/>
>>>           <Receiver
>> className="org.apache.catalina.tribes.transport.nio.NioReceiver"
>>>                     address="auto"
>>>                     port="4020"
>>>                     autoBind="100"
>>>                     selectorTimeout="5000"
>>>                     maxThreads="12"/>
>>> <Sender
>> 
>
className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
>>>             <Transport
>> 
>
className="org.apache.catalina.tribes.transport.nio.PooledParallelSender
>> "/>
>>>           </Sender>
>>>           <Interceptor
>> 
>
className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetec
>> tor"/>
>>>           <Interceptor
>> 
>
className="org.apache.catalina.tribes.group.interceptors.MessageDispatch
>> 15Interceptor"/>
>>>               <Interceptor
>> 
>
className="org.apache.catalina.tribes.group.interceptors.ThroughputInter
>> ceptor"/>
>>>         </Channel>
>>> 
>>>         <Valve
>> className="org.apache.catalina.ha.tcp.ReplicationValve"
>>> 
>> 
>
filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;
>> .*\.xls;.*\.sdf;.*\.xml;"/>
>>>             <!-- only with jk_mod failover-->
>>>         <Valve
>> className="org.apache.catalina.ha.session.JvmRouteBinderValve"
>>>                enabled="true" sessionIdAttribute="takeoverSessionid"
>> />
>>> <!--
>>>         <Deployer
>> className="org.apache.catalina.ha.deploy.FarmWarDeployer"
>>>                   tempDir="/tmp/war-temp/"
>>> 
>> deployDir="/usr/local/apache/node2-tomcat-6.0.26/webapps"
>>>                   watchDir="/tmp/war-listen/"
>>>                                       watchEnabled="true"/>
>>> -->
>>>                 <!-- only with jk_mod and jvmroutebindervalve--> 
>>>         <ClusterListener
>> 
>
className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListene
>> r"/>
>>>         <ClusterListener
>> className="org.apache.catalina.ha.session.ClusterSessionListener"/>
>>>       </Cluster>
>>> 
>>> <Valve
>> className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn"
> />
>>> 
>>> <Valve className="org.apache.catalina.valves.AccessLogValve"
>> directory="logs"  
>>>              prefix="webappqa_node2_access_log." suffix=".log"
>> pattern="common" resolveHosts="false"/>
>>> 
>>>     </Host>
>>> </Engine>
>>> 
>>> 
>>> -----Original Message-----
>>> From: Andrew Bruno [mailto:andrew.bruno@gmail.com] 
>>> Sent: Monday, June 21, 2010 10:09 PM
>>> To: Tomcat Users List
>>> Subject: Re: question for sso session replication in tomcat 6.0.26
>>> 
>>> Oh sorry, I re-read your answer.  Not sure why SSO is not working,
be
>>> interested to find out though..
>>> 
>>> AB
>>> 
>>> On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno
> <andrew.bruno@gmail.com>
>> wrote:
>>>> Hi Yasushi
>>>> 
>>>> In your serverl.xml have you added the jvmroute to the Engine?
>>>> 
>>>> i.e.
>>>> 
>>>> <Engine name="Catalina" defaultHost="localhost" jvmRoute="1">
>>>> 
>>>> Andrew
>>>> 
>>>> On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD)
>> <Yasushi.Okubo@takedasd.com> wrote:
>>>>> Hi Andrew
>>>>> 
>>>>> Thank for your post.  When I checked the session id from firefox,
>> sso session id [jsessionidsso] does not have jvmroute info, but only
>> jsessionid has jvmroute.  So, session replication upon failover is
>> working fine, but singlesionon upon failover is not working on tomcat
>> 6.0.x (including 6.0.26).
>>>>> 
>>>>> yasushi
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Andrew Bruno [mailto:andrew.bruno@gmail.com]
>>>>> Sent: Monday, June 21, 2010 9:18 PM
>>>>> To: Tomcat Users List
>>>>> Subject: Re: question for sso session replication in tomcat 6.0.26
>>>>> 
>>>>> Looking at the code I think this is wrong
>>>>> 
>>>>> if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>>> _ssoSessionId += "." + jvmRoute;
>>>>> response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME,
>> _ssoSessionId));
>>>>> }
>>>>> 
>>>>> The original sessionId will already have the
> "."+_any_other_jvmRoute
>>>>> included, so you need to substring it, and append the new
jvmRoute.
>>>>> 
>>>>> _ssoSessionId= _ssoSessionId.substring(0,
>> _ssoSessionId.indexOf("."))
>>>>> 
>>>>> and then add
>>>>> 
>>>>> _ssoSessionId += "." + jvmRoute;
>>>>> 
>>>>> AB
>>>>> 
>>>>> On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD)
>>>>> <Yasushi.Okubo@takedasd.com> wrote:
>>>>>> Hi experts
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> I found this old email from archive in TC 5.5.23.
>>>>>> 
>>>>>> Does this problem still exist in tomcat 6.0.x or 6.0.26?
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> When failover occurs, sso session id is updated with new number
>> after
>>>>>> forcing a user to relogin to the application since sso session id
>> is not
>>>>>> replicated and rewritten correctly.  Could someone explain what
is
>>>>>> expected in current tomcat 6.0.x cluster upon failover?  Should
> sso
>>>>>> session id is replicated correctly in tomcat 6.0.x?
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> yasushi
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> ROOKIE wrote:
>>>>>> Hi,
>>>>>> I have a problem with tomcat cluster + mod_proxy load balancer :
>>>>>> 
>>>>>> We have a main app which authenticate itself to a webapp and from
>> this
>>>>>> app one
>>>>>> can launch embedded apps which use the SSO cookie to access other
>>>>>> webapps on
>>>>>> the server (Single-Sign-On for the user).
>>>>>> 
>>>>>> Things are working perfectly for the normal cookie but not for
the
>> sso
>>>>>> cookie.
>>>>>> 
>>>>>> 
>>>>>> The problem I have is that tomcat does not replicate SSO sessions
>> so
>>>>>> when these embedded apps route through the load balancer we get
>> 401s on
>>>>>> all the other cluster members except the one which actually
>> generated
>>>>>> the SSO cookie.
>>>>>> 
>>>>>> I wanted to know if we can edit the SSO cookie generated by
tomcat
>> to
>>>>>> also
>>>>>> contain the jvmRoute parameter so that the load balancer directly
>> goes
>>>>>> to the
>>>>>> correct cluster member.
>>>>>> 
>>>>>> 
>>>>>> I tried doing this in my code by fetching the SSO cookie and
>> appending
>>>>>> to it
>>>>>> the jvmRoute as follows :
>>>>>> 
>>>>>>      HttpServletRequest request =
>>>>>>
(HttpServletRequest)Security.getContext(HttpServletRequest.class);
>>>>>>      HttpServletResponse response =
>>>>>> 
>> (HttpServletResponse)Security.getContext(HttpServletResponse.class);
>>>>>>      if(request != null) {
>>>>>>          String jvmRoute = "Vinod_Cluster_1";    // as mentioned
>> in
>>>>>> server.xml
>>>>>>          Cookie[] cookies = request.getCookies();
>>>>>>          for(int nc=0; cookies != null && nc < cookies.length;
>> nc++)
>>>>>> {
>>>>>> 
>> if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>>>                  _sessionId = cookies[nc].getValue();
>>>>>>              }
>>>>>> 
>>>>>> else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>>> 
>>>>>>                  _ssoSessionId = cookies[nc].getValue();
>>>>>>                  if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>>>>                      _ssoSessionId += "." + jvmRoute;
>>>>>> 
>>>>>> response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME,
>> _ssoSessionId));
>>>>>> }
>>>>>> 
>>>>>> 
>>>>>>              }
>>>>>> 
>>>>>> 
>>>>>> But after this I started getting 401s from even the correct
> cluster
>>>>>> member. My guess is addCookie doesnt update the cookie in
tomcat's
>> cache
>>>>>> which is reasonable.
>>>>>> 
>>>>>> Other thought was to edit tomcat's sso cookie generation code to
>> append
>>>>>> the
>>>>>> jvmRoute to the sso cookie.
>>>>>> 
>>>>>> 
>>>>>> Is there an better way to achieve this in my code base ?
>>>>>> 
>>>>>> Thanks In Advance,
>>>>>> Vinod
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>>> 
>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>> 
>>>>> 
>>>> 
>>>> 
>>> 
>>>
---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>> 
>>> 
>>> 
>>> 
>>>
---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>> 
>> 
>> 
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message