tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: question for sso session replication in tomcat 6.0.26
Date Tue, 22 Jun 2010 15:03:35 GMT
On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote:
> Hi Andrew
> 
> In case of no failover, SSO works for all web applications on the same host.  Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area.
> 
> I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think of any misconfiguration in server.xml.
> The issue is SSO failover is not working.  I think it might be related to my apache virtual host setup, but could not figure it out.
> 
> Thanks for your help,
> yasushi
> 
> I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]

mod_proxy_ajp appeared in 2.2.3 for the first time; it was functional
but not perfect, and there have been many bugfixes and improvements since
then. You should upgrade HTTPD.


p

> OS : Redhat Linux 64bit  RHEL v5.5
> JDK : 1.6.0.20 
> 
> === I created virtual host on port 9050 ==
> Httpd.conf
> 
> <VirtualHost 10.250.200.57:9050>
> ServerAdmin xyz
> ServerName webclust1.xyz.com
> ServerAlias webclust1
> ErrorLog logs/webclust_cluster_error.log
> CustomLog logs/webclust-cluster-access_log common
> 
> <Location /balancer-manager>
> SetHandler balancer-manager
> 
> Order Deny,Allow
> Deny from all
> Allow from all
> </Location>
> 
> ProxyRequests off
> <Proxy balancer://webclust>
> BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1
> BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2
> BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3
> Order Deny,Allow
> Allow from all
> </Proxy>
> 
> #Do not proxy balancer-manager
> ProxyPass /balancer-manager !
> 
> <Location /examples>
> ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid
> ProxyPassReverse balancer://webclust/examples
> Order Deny,Allow
> Allow from all
> </Location>
> 
> <Location / >
> ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid
> ProxyPassReverse balancer://webclust/
> Order Deny,Allow
> Allow from all
> </Location>
> 
> 
> === server.xml ===
>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>     <Connector port="9002" protocol="AJP/1.3" redirectPort="8443" />
> 
> <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
> 
> <Host name="localhost"  appBase="webapps"
>             unpackWARs="true" autoDeploy="true"
>             xmlValidation="false" xmlNamespaceAware="false">
>                         
>         <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
>                  channelSendOptions="4">
> 
>           <Manager className="org.apache.catalina.ha.session.DeltaManager"
>                            name="node2"
>                    expireSessionsOnShutdown="false"
>                    notifyListenersOnReplication="true"/>
> 
>           <Channel className="org.apache.catalina.tribes.group.GroupChannel">
>             <Membership className="org.apache.catalina.tribes.membership.McastService"
>                         address="228.0.0.5"
>                         port="45564"
>                         frequency="500"
>                         dropTime="3000"/>
>             <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
>                       address="auto"
>                       port="4020"
>                       autoBind="100"
>                       selectorTimeout="5000"
>                       maxThreads="12"/>
> <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
>               <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
>             </Sender>
>             <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
>             <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
>                 <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
>           </Channel>
> 
>           <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
>                  filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;.*\.xls;.*\.sdf;.*\.xml;"/>
>               <!-- only with jk_mod failover-->
>           <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"
>                  enabled="true" sessionIdAttribute="takeoverSessionid" />
> <!--
>           <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
>                     tempDir="/tmp/war-temp/"
>                     deployDir="/usr/local/apache/node2-tomcat-6.0.26/webapps"
>                     watchDir="/tmp/war-listen/"
>                                         watchEnabled="true"/>
> -->
>                   <!-- only with jk_mod and jvmroutebindervalve--> 
>           <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
>           <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
>         </Cluster>
> 
> <Valve className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn" />
> 
> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"  
>                prefix="webappqa_node2_access_log." suffix=".log" pattern="common" resolveHosts="false"/>
> 
>       </Host>
> </Engine>
> 
> 
> -----Original Message-----
> From: Andrew Bruno [mailto:andrew.bruno@gmail.com] 
> Sent: Monday, June 21, 2010 10:09 PM
> To: Tomcat Users List
> Subject: Re: question for sso session replication in tomcat 6.0.26
> 
> Oh sorry, I re-read your answer.  Not sure why SSO is not working, be
> interested to find out though..
> 
> AB
> 
> On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno <andrew.bruno@gmail.com> wrote:
>> Hi Yasushi
>>
>> In your server.xml have you added the jvmroute to the Engine?
>>
>> i.e.
>>
>> <Engine name="Catalina" defaultHost="localhost" jvmRoute="1">
>>
>> Andrew
>>
>> On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD) <Yasushi.Okubo@takedasd.com> wrote:
>>> Hi Andrew
>>>
>>> Thanks for your post.  When I checked the session id from firefox, sso session id [jsessionidsso] does not have jvmroute info, but only jsessionid has jvmroute.  So, session replication upon failover is working fine, but single sign-on upon failover is not working on tomcat 6.0.x (including 6.0.26).
>>>
>>> yasushi
>>>
>>> -----Original Message-----
>>> From: Andrew Bruno [mailto:andrew.bruno@gmail.com]
>>> Sent: Monday, June 21, 2010 9:18 PM
>>> To: Tomcat Users List
>>> Subject: Re: question for sso session replication in tomcat 6.0.26
>>>
>>> Looking at the code I think this is wrong
>>>
>>> if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>   _ssoSessionId += "." + jvmRoute;
>>>   response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>> }
>>>
>>> The original sessionId will already have the "."+_any_other_jvmRoute
>>> included, so you need to substring it, and append the new jvmRoute.
>>>
>>>  _ssoSessionId = _ssoSessionId.substring(0, _ssoSessionId.indexOf("."));
>>>
>>> and then add
>>>
>>>  _ssoSessionId += "." + jvmRoute;
>>>
>>> AB
>>>
>>> On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD)
>>> <Yasushi.Okubo@takedasd.com> wrote:
>>>> Hi experts
>>>>
>>>>
>>>>
>>>> I found this old email from archive in TC 5.5.23.
>>>>
>>>> Does this problem still exist in tomcat 6.0.x or 6.0.26?
>>>>
>>>>
>>>>
>>>> When failover occurs, sso session id is updated with new number after
>>>> forcing a user to relogin to the application since sso session id is not
>>>> replicated and rewritten correctly.  Could someone explain what is
>>>> expected in current tomcat 6.0.x cluster upon failover?  Should sso
>>>> session id is replicated correctly in tomcat 6.0.x?
>>>>
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> yasushi
>>>>
>>>> ROOKIE wrote:
>>>> Hi,
>>>> I have a problem with tomcat cluster + mod_proxy load balancer :
>>>>
>>>> We have a main app which authenticate itself to a webapp and from this
>>>> app one can launch embedded apps which use the SSO cookie to access other
>>>> webapps on the server (Single-Sign-On for the user).
>>>>
>>>> Things are working perfectly for the normal cookie but not for the sso
>>>> cookie.
>>>>
>>>> The problem I have is that tomcat does not replicate SSO sessions so
>>>> when these embedded apps route through the load balancer we get 401s on
>>>> all the other cluster members except the one which actually generated
>>>> the SSO cookie.
>>>>
>>>> I wanted to know if we can edit the SSO cookie generated by tomcat to
>>>> also contain the jvmRoute parameter so that the load balancer directly
>>>> goes to the correct cluster member.
>>>>
>>>> I tried doing this in my code by fetching the SSO cookie and appending
>>>> to it the jvmRoute as follows :
>>>>
>>>>        HttpServletRequest request =
>>>>            (HttpServletRequest) Security.getContext(HttpServletRequest.class);
>>>>        HttpServletResponse response =
>>>>            (HttpServletResponse) Security.getContext(HttpServletResponse.class);
>>>>        if (request != null) {
>>>>            String jvmRoute = "Vinod_Cluster_1";    // as mentioned in server.xml
>>>>            Cookie[] cookies = request.getCookies();
>>>>            for (int nc = 0; cookies != null && nc < cookies.length; nc++) {
>>>>                if (_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>                    _sessionId = cookies[nc].getValue();
>>>>                }
>>>>                else if (_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>                    _ssoSessionId = cookies[nc].getValue();
>>>>                    if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>>                        _ssoSessionId += "." + jvmRoute;
>>>>                        response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>>>                    }
>>>>                }
>>>>            }
>>>>        }
>>>>
>>>>
>>>>
>>>> But after this I started getting 401s from even the correct cluster
>>>> member. My guess is addCookie doesn't update the cookie in tomcat's cache
>>>> which is reasonable.
>>>>
>>>> Other thought was to edit tomcat's sso cookie generation code to append
>>>> the jvmRoute to the sso cookie.
>>>>
>>>> Is there a better way to achieve this in my code base?
>>>>
>>>> Thanks In Advance,
>>>> Vinod
>>>>
>>>>
>>>>
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
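
Added example (not code from the thread or from Tomcat): the route-suffix handling discussed in the quoted replies, comparing the `contains` check with the strip-then-append correction, including a value with no route yet and a route name that is a prefix of another. It assumes the route is the text after the first "." as in the quoted `indexOf(".")` line; the class name, method names and sample ids are hypothetical.

```java
// Added example: route-suffix handling for a cookie value "<id>.<jvmRoute>".
public class RouteSuffix {

    /** Returns the route after the first '.', or null when the value has none. */
    static String routeOf(String cookieValue) {
        int dot = cookieValue.indexOf('.');
        if (dot < 0 || dot == cookieValue.length() - 1) {
            return null;
        }
        return cookieValue.substring(dot + 1);
    }

    /** Returns the id with any existing route removed and jvmRoute appended. */
    static String rebind(String cookieValue, String jvmRoute) {
        int dot = cookieValue.indexOf('.');
        // indexOf returns -1 when there is no suffix; substring(0, -1) would throw,
        // so a value without a route is used whole.
        String bareId = (dot < 0) ? cookieValue : cookieValue.substring(0, dot);
        return bareId + "." + jvmRoute;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        String[] samples = {
            "5A1B2C3D4E5F",        // no route, like the SSO cookie described in the thread
            "5A1B2C3D4E5F.jvm1",   // already bound to this node
            "5A1B2C3D4E5F.jvm2",   // bound to a different node
            "5A1B2C3D4E5F.jvm10",  // contains(".jvm1") is true, so the quoted check skips it
        };
        String jvmRoute = "jvm1";
        for (String value : samples) {
            // The check as quoted in the thread: append only if ".<route>" is absent.
            boolean quotedCheckSkips = value.contains("." + jvmRoute);
            String naive = quotedCheckSkips ? value : value + "." + jvmRoute;
            System.out.printf("%-20s route=%-6s naive=%-26s rebind=%s%n",
                    value, routeOf(value), naive, rebind(value, jvmRoute));
        }
    }
}
```

The `naive` column shows the two failure cases: a value bound to `jvm2` ends up with two suffixes, and a value bound to `jvm10` is left unchanged.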