tomcat-users mailing list archives

From Jon Brisbin <jon.bris...@npcinternational.com>
Subject Re: question for sso session replication in tomcat 6.0.26
Date Tue, 22 Jun 2010 21:16:48 GMT
Are you using a "jvmRoute" setting on your BalancerMember definition in mod_proxy config and
on the <Engine/> element in server.xml? Your cookie would have the jvmRoute property
added to the end of it (e.g. ALONGMD5HASH.server1) if so.

From the Almighty Google: http://community.jboss.org/wiki/usingmodproxywithjboss

Jon Brisbin
Portal Webmaster
NPC International, Inc.



On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote:

> Hi
> 
> I downloaded apache v2.2.15 and compiled and installed, but the
> result was the same.
> 
> Session sso replication looked like it failed.  Upon shutting down the
> node, it kicked me out of password protected area and needed to re-login
> on the second node.
> 
> On apache, I installed/enabled all modules including basic
> authentication etc.  Is there any requirement on apache side or how the
> virtual host should be set up in httpd.conf to make sso failover work?
> 
> Thanks,
> yasushi
> 
> -----Original Message-----
> From: Pid [mailto:pid@pidster.com] 
> Sent: Tuesday, June 22, 2010 8:04 AM
> To: Tomcat Users List
> Subject: Re: question for sso session replication in tomcat 6.0.26
> 
> On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote:
>> Hi Andrew
>> 
>> In case of no failover, SSO works for all web applications on the same host.  Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area.
>> 
>> I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think of any misconfiguration on server.xml
>> The issue is SSO failover is not working.  I think it might be related to my apache virtual host setup, but could not figure it out.
>> 
>> Thanks for your help,
>> yasushi
>> 
>> I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]
> 
> mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional
> but not perfect & there are many bugfixes and improvements since then,
> you should upgrade HTTPD.
> 
> 
> p
> 
>> OS : Redhat Linux 64bit  RHEL v5.5
>> JDK : 1.6.0.20 
>> 
>> === I created virtual host on port 9050 ==
>> Httpd.conf
>> 
>> <VirtualHost 10.250.200.57:9050>
>> ServerAdmin xyz
>> ServerName webclust1.xyz.com
>> ServerAlias webclust1
>> ErrorLog logs/webclust_cluster_error.log
>> CustomLog logs/webclust-cluster-access_log common
>> 
>> <Location /balancer-manager>
>> SetHandler balancer-manager
>> 
>> Order Deny,Allow
>> Deny from all
>> Allow from all
>> </Location>
>> 
>> ProxyRequests off
>> <Proxy balancer://webclust>
>> BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1
>> BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2
>> BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3
>> Order Deny,Allow
>> Allow from all
>> </Proxy>
>> 
>> #Do not proxy balancer-manager
>> ProxyPass /balancer-manager !
>> 
>> <Location /examples>
>> ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid
>> ProxyPassReverse balancer://webclust/examples
>> Order Deny,Allow
>> Allow from all
>> </Location>
>> 
>> <Location / >
>> ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid
>> ProxyPassReverse balancer://webclust/
>> Order Deny,Allow
>> Allow from all
>> </Location>
>> 
>> 
>> === server.xml ===
>>    <!-- Define an AJP 1.3 Connector on port 8009 -->
>>    <Connector port="9002" protocol="AJP/1.3" redirectPort="8443" />
>> 
>> <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
>> 
>> <Host name="localhost"  appBase="webapps"
>>            unpackWARs="true" autoDeploy="true"
>>            xmlValidation="false" xmlNamespaceAware="false">
>> 
>>        <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
>>                 channelSendOptions="4">
>> 
>>          <Manager className="org.apache.catalina.ha.session.DeltaManager"
>>                   name="node2"
>>                   expireSessionsOnShutdown="false"
>>                   notifyListenersOnReplication="true"/>
>> 
>>          <Channel className="org.apache.catalina.tribes.group.GroupChannel">
>>            <Membership className="org.apache.catalina.tribes.membership.McastService"
>>                        address="228.0.0.5"
>>                        port="45564"
>>                        frequency="500"
>>                        dropTime="3000"/>
>>            <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
>>                      address="auto"
>>                      port="4020"
>>                      autoBind="100"
>>                      selectorTimeout="5000"
>>                      maxThreads="12"/>
>>            <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
>>              <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
>>            </Sender>
>>            <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
>>            <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
>>            <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
>>          </Channel>
>> 
>>          <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
>>                 filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;.*\.xls;.*\.sdf;.*\.xml;"/>
>>          <!-- only with jk_mod failover-->
>>          <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"
>>                 enabled="true" sessionIdAttribute="takeoverSessionid"/>
>> <!--
>>          <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
>>                    tempDir="/tmp/war-temp/"
>>                    deployDir="/usr/local/apache/node2-tomcat-6.0.26/webapps"
>>                    watchDir="/tmp/war-listen/"
>>                    watchEnabled="true"/>
>> -->
>>          <!-- only with jk_mod and jvmroutebindervalve-->
>>          <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
>>          <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
>>        </Cluster>
>> 
>> <Valve className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn" />
>> 
>> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>>               prefix="webappqa_node2_access_log." suffix=".log" pattern="common" resolveHosts="false"/>
>> 
>>      </Host>
>> </Engine>
>> 
>> 
>> -----Original Message-----
>> From: Andrew Bruno [mailto:andrew.bruno@gmail.com] 
>> Sent: Monday, June 21, 2010 10:09 PM
>> To: Tomcat Users List
>> Subject: Re: question for sso session replication in tomcat 6.0.26
>> 
>> Oh sorry, I re-read your answer.  Not sure why SSO is not working, be
>> interested to find out though..
>> 
>> AB
>> 
>> On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno <andrew.bruno@gmail.com> wrote:
>>> Hi Yasushi
>>> 
>>> In your server.xml have you added the jvmroute to the Engine?
>>> 
>>> i.e.
>>> 
>>> <Engine name="Catalina" defaultHost="localhost" jvmRoute="1">
>>> 
>>> Andrew
>>> 
>>> On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD) <Yasushi.Okubo@takedasd.com> wrote:
>>>> Hi Andrew
>>>> 
>>>> Thanks for your post.  When I checked the session id from firefox, sso session id [jsessionidsso] does not have jvmroute info, but only jsessionid has jvmroute.  So, session replication upon failover is working fine, but single sign-on upon failover is not working on tomcat 6.0.x (including 6.0.26).
>>>> 
>>>> yasushi
>>>> 
>>>> -----Original Message-----
>>>> From: Andrew Bruno [mailto:andrew.bruno@gmail.com]
>>>> Sent: Monday, June 21, 2010 9:18 PM
>>>> To: Tomcat Users List
>>>> Subject: Re: question for sso session replication in tomcat 6.0.26
>>>> 
>>>> Looking at the code I think this is wrong
>>>> 
>>>> if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>>  _ssoSessionId += "." + jvmRoute;
>>>>  response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>>> }
>>>> 
>>>> The original sessionId will already have the "."+_any_other_jvmRoute
>>>> included, so you need to substring it, and append the new jvmRoute.
>>>> 
>>>> _ssoSessionId = _ssoSessionId.substring(0, _ssoSessionId.indexOf("."));
>>>> 
>>>> and then add
>>>> 
>>>> _ssoSessionId += "." + jvmRoute;
>>>> 
>>>> AB
>>>> 
>>>> On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD)
>>>> <Yasushi.Okubo@takedasd.com> wrote:
>>>>> Hi experts
>>>>> 
>>>>> 
>>>>> 
>>>>> I found this old email from archive in TC 5.5.23.
>>>>> 
>>>>> Does this problem still exist in tomcat 6.0.x or 6.0.26?
>>>>> 
>>>>> 
>>>>> 
>>>>> When failover occurs, sso session id is updated with new number after
>>>>> forcing a user to relogin to the application since sso session id is not
>>>>> replicated and rewritten correctly.  Could someone explain what is
>>>>> expected in current tomcat 6.0.x cluster upon failover?  Should sso
>>>>> session id be replicated correctly in tomcat 6.0.x?
>>>>> 
>>>>> 
>>>>> 
>>>>> Thanks,
>>>>> 
>>>>> yasushi
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> ROOKIE wrote:
>>>>> Hi,
>>>>> I have a problem with tomcat cluster + mod_proxy load balancer :
>>>>> 
>>>>> We have a main app which authenticates itself to a webapp and from this
>>>>> app one can launch embedded apps which use the SSO cookie to access other
>>>>> webapps on the server (Single-Sign-On for the user).
>>>>> 
>>>>> Things are working perfectly for the normal cookie but not for the sso
>>>>> cookie.
>>>>> 
>>>>> 
>>>>> The problem I have is that tomcat does not replicate SSO sessions so
>>>>> when these embedded apps route through the load balancer we get 401s on
>>>>> all the other cluster members except the one which actually generated
>>>>> the SSO cookie.
>>>>> 
>>>>> I wanted to know if we can edit the SSO cookie generated by tomcat to also
>>>>> contain the jvmRoute parameter so that the load balancer directly goes
>>>>> to the correct cluster member.
>>>>> 
>>>>> 
>>>>> I tried doing this in my code by fetching the SSO cookie and appending
>>>>> to it the jvmRoute as follows :
>>>>> 
>>>>>       HttpServletRequest request =
>>>>>           (HttpServletRequest)Security.getContext(HttpServletRequest.class);
>>>>>       HttpServletResponse response =
>>>>>           (HttpServletResponse)Security.getContext(HttpServletResponse.class);
>>>>>       if(request != null) {
>>>>>           String jvmRoute = "Vinod_Cluster_1";    // as mentioned in server.xml
>>>>>           Cookie[] cookies = request.getCookies();
>>>>>           for(int nc=0; cookies != null && nc < cookies.length; nc++) {
>>>>>               if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>>                   _sessionId = cookies[nc].getValue();
>>>>>               }
>>>>>               else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>>                   _ssoSessionId = cookies[nc].getValue();
>>>>>                   if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>>>                       _ssoSessionId += "." + jvmRoute;
>>>>>                       response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>>>>                   }
>>>>>               }
>>>>>           }
>>>>>       }
>>>>> 
>>>>> 
>>>>> But after this I started getting 401s from even the correct cluster
>>>>> member. My guess is addCookie doesn't update the cookie in tomcat's cache
>>>>> which is reasonable.
>>>>> 
>>>>> Other thought was to edit tomcat's sso cookie generation code to append
>>>>> the jvmRoute to the sso cookie.
>>>>> 
>>>>> 
>>>>> Is there a better way to achieve this in my code base ?
>>>>> 
>>>>> Thanks In Advance,
>>>>> Vinod
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> 
> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org


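The route-suffix handling discussed in the quoted thread (strip whatever route a cookie value already carries, then append the local jvmRoute), as an added example that is not code from any poster or from Tomcat. `RouteSuffix` and its method names are hypothetical, the sample values are constructed, and it assumes the route is everything after the first dot, as in `ALONGMD5HASH.server1`.

```java
// Added example: route-suffix handling for values shaped like ALONGMD5HASH.server1.
// RouteSuffix and its methods are hypothetical names, not Tomcat API.
public final class RouteSuffix {

    private RouteSuffix() {}

    /** Identifier without any route suffix; returns the input when no dot is present. */
    static String bareId(String value) {
        int dot = value.indexOf('.');
        // indexOf returns -1 for an unrouted value; substring(0, -1) would throw.
        return dot < 0 ? value : value.substring(0, dot);
    }

    /** Route suffix after the first dot, or null when the value carries none. */
    static String routeOf(String value) {
        int dot = value.indexOf('.');
        return (dot < 0 || dot == value.length() - 1) ? null : value.substring(dot + 1);
    }

    /** Replace whatever route is present with jvmRoute. */
    static String withRoute(String value, String jvmRoute) {
        return bareId(value) + "." + jvmRoute;
    }

    /** Exact comparison; contains("." + jvmRoute) would also match ".jvm10" for "jvm1". */
    static boolean hasRoute(String value, String jvmRoute) {
        return jvmRoute.equals(routeOf(value));
    }

    public static void main(String[] args) {
        String local = "jvm1";
        // Constructed sample values, not real session identifiers.
        String[] samples = {
            "0123456789ABCDEF",        // no route yet
            "0123456789ABCDEF.jvm1",   // already routed to this node
            "0123456789ABCDEF.jvm2",   // issued by another node before failover
            "0123456789ABCDEF.jvm10"   // a substring check would wrongly accept this
        };
        for (String s : samples) {
            String out = hasRoute(s, local) ? s : withRoute(s, local);
            System.out.printf("%-24s id=%s route=%s -> %s%n",
                    s, bareId(s), routeOf(s), out);
        }
    }
}
```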