From: "Okubo, Yasushi (TSD)"
To: "Tomcat Users List"
Subject: RE: question for sso session replication in tomcat 6.0.26
Date: Thu, 24 Jun 2010 13:13:26 -0700

Hi Pid

I started getting the following error upon login to one node onto
cluster. Could you tell me what this means?

Yasushi

Jun 24, 2010 10:51:58 AM org.apache.catalina.ha.tcp.ReplicationValve sendReplicationMessage
SEVERE: Unable to perform replication request.
java.lang.NullPointerException
        at org.apache.catalina.ha.tcp.ReplicationValve.isRequestWithoutSessionChange(ReplicationValve.java:590)
        at org.apache.catalina.ha.tcp.ReplicationValve.sendSessionReplicationMessage(ReplicationValve.java:516)
        at org.apache.catalina.ha.tcp.ReplicationValve.sendReplicationMessage(ReplicationValve.java:430)
        at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:363)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555)
        at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:421)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:427)
        at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:384)
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555)
        at java.lang.Thread.run(Thread.java:619)

-----Original Message-----
From: Pid [mailto:pid@pidster.com]
Sent: Wednesday, June 23, 2010 1:06 AM
To: Tomcat Users List
Subject: Re: question for sso session replication in tomcat 6.0.26

I'll have to look at the code, but maybe you're being affected by a
recent bug whereby the session id changes after login but isn't then
replicated. You might search bugzilla to see if this applies to 6.0.26.

p

On 22 Jun 2010, at 22:41, "Okubo, Yasushi (TSD)" wrote:

>
> Hi
>
> There were two cookies created by Tomcat 6.0.26. One is for SSO, and the
> other is for regular session between client and tomcat. JSESSIONID is
> working fine : it means session replication and failover, but not
> JSESSIONIDSSO. JSESSIONIDSSO is updated with new value upon relogin.
>
> yasushi
>
> JSESSIONIDSSO
> 65110434847FE0AA1F1EBF0EF0871D25
>
> JSESSIONID
> 5CFE92814875C4DEFC554526147698A3.jvm2
>
> -----Original Message-----
> From: Jon Brisbin [mailto:jon.brisbin@npcinternational.com]
> Sent: Tuesday, June 22, 2010 2:17 PM
> To: Tomcat Users List
> Cc: Okubo, Yasushi (TSD)
> Subject: Re: question for sso session replication in tomcat 6.0.26
>
> Are you using a "jvmRoute" setting on your BalancerMember definition in
> mod_proxy config and on the element in server.xml? Your cookie
> would have the jvmRoute property added to the end of it (e.g.
> ALONGMD5HASH.server1) if so.
>
> From the Almighty Google:
> http://community.jboss.org/wiki/usingmodproxywithjboss
>
> Jon Brisbin
> Portal Webmaster
> NPC International, Inc.
>
> On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote:
>
>> Hi
>>
>> I downloaded apache v2.2.15 and compiled and installed, but the
>> result was the same.
>>
>> Session sso replication looked like failed. Upon shutting down the
>> node, it kicked me out of password protected area and needed to re-login
>> on the second node.
>>
>> On apache, I installed/enabled all modules including basic
>> authentication etc. Is there any requirement on apache side or how the
>> virtual host should be set up in httpd.conf to make sso failover work?
>>
>> Thanks,
>> yasushi
>>
>> -----Original Message-----
>> From: Pid [mailto:pid@pidster.com]
>> Sent: Tuesday, June 22, 2010 8:04 AM
>> To: Tomcat Users List
>> Subject: Re: question for sso session replication in tomcat 6.0.26
>>
>> On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote:
>>> Hi Andrew
>>>
>>> In case of no failover, SSO works for all web applications on the same
>>> host. Upon failover [shutting down one node], a user is routed to the
>>> other node, and TC is asking for a user to re-login when he/she tried to
>>> access password protected area.
>>>
>>> I have checked many times on server.xml and session replication is
>>> working fine upon failover, so I cannot think any misconfiguration on
>>> server.xml
>>> The issue is SSO failover is not working. I think it might be related
>>> to my apache virtual host setup, but could not figure it out.
>>>
>>> Thanks for your help,
>>> yasushi
>>>
>>> I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]
>>
>> mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional
>> but not perfect & there are many bugfixes and improvements since then,
>> you should upgrade HTTPD.
>>
>> p
>>
>>> OS : Redhat Linux 64bit RHEL v5.5
>>> JDK : 1.6.0.20
>>>
>>> === I created virtual host on port 9050 ==
>>> Httpd.conf
>>>
>>>
>>> ServerAdmin xyz
>>> ServerName webclust1.xyz.com
>>> ServerAlias webclust1
>>> ErrorLog logs/webclust_cluster_error.log
>>> CustomLog logs/webclust-cluster-access_log common
>>>
>>>
>>> SetHandler balancer-manager
>>>
>>> Order Deny,Allow
>>> Deny from all
>>> Allow from all
>>>
>>>
>>> ProxyRequests off
>>>
>>> BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1
>>> BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2
>>> BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3
>>> Order Deny,Allow
>>> Allow from all
>>>
>>>
>>> #Do not proxy balancer-manager
>>> ProxyPass /balancer-manager !
>>>
>>>
>>> ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid
>>> ProxyPassReverse balancer://webclust/examples
>>> Order Deny,Allow
>>> Allow from all
>>>
>>>
>>>
>>> ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid
>>> ProxyPassReverse balancer://webclust/
>>> Order Deny,Allow
>>> Allow from all
>>>
>>>
>>>
>>> === server.xml ===
>>>
>>> unpackWARs="true" autoDeploy="true"
>>> xmlValidation="false" xmlNamespaceAware="false">
>>>
>>> className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
>>> channelSendOptions="4">
>>>
>>> className="org.apache.catalina.ha.session.DeltaManager"
>>> name="node2"
>>> expireSessionsOnShutdown="false"
>>> notifyListenersOnReplication="true"/>
>>>
>>> className="org.apache.catalina.tribes.group.GroupChannel">
>>> className="org.apache.catalina.tribes.membership.McastService"
>>> address="228.0.0.5"
>>> port="45564"
>>> frequency="500"
>>> dropTime="3000"/>
>>> className="org.apache.catalina.tribes.transport.nio.NioReceiver"
>>> address="auto"
>>> port="4020"
>>> autoBind="100"
>>> selectorTimeout="5000"
>>> maxThreads="12"/>
>>> className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
>>> className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
>>>
>>> className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
>>> className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
>>> className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
>>>
>>> className="org.apache.catalina.ha.tcp.ReplicationValve"
>>> filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;.*\.xls;.*\.sdf;.*\.xml;"/>
>>>
>>> className="org.apache.catalina.ha.session.JvmRouteBinderValve"
>>> enabled="true" sessionIdAttribute="takeoverSessionid"/>
>>>
>>> className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
>>> className="org.apache.catalina.ha.session.ClusterSessionListener"/>
>>>
>>> className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn" />
>>>
>>> directory="logs"
>>> prefix="webappqa_node2_access_log." suffix=".log"
>>> pattern="common" resolveHosts="false"/>
>>>
>>>
>>> -----Original Message-----
>>> From: Andrew Bruno [mailto:andrew.bruno@gmail.com]
>>> Sent: Monday, June 21, 2010 10:09 PM
>>> To: Tomcat Users List
>>> Subject: Re: question for sso session replication in tomcat 6.0.26
>>>
>>> Oh sorry, I re-read your answer. Not sure why SSO is not working, be
>>> interested to find out though..
>>>
>>> AB
>>>
>>> On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno wrote:
>>>> Hi Yasushi
>>>>
>>>> In your server.xml have you added the jvmroute to the Engine?
>>>>
>>>> i.e.
>>>>
>>>>
>>>>
>>>> Andrew
>>>>
>>>> On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD) wrote:
>>>>> Hi Andrew
>>>>>
>>>>> Thanks for your post. When I checked the session id from firefox,
>>>>> sso session id [jsessionidsso] does not have jvmroute info, but only
>>>>> jsessionid has jvmroute. So, session replication upon failover is
>>>>> working fine, but singlesignon upon failover is not working on tomcat
>>>>> 6.0.x (including 6.0.26).
>>>>>
>>>>> yasushi
>>>>>
>>>>> -----Original Message-----
>>>>> From: Andrew Bruno [mailto:andrew.bruno@gmail.com]
>>>>> Sent: Monday, June 21, 2010 9:18 PM
>>>>> To: Tomcat Users List
>>>>> Subject: Re: question for sso session replication in tomcat 6.0.26
>>>>>
>>>>> Looking at the code I think this is wrong
>>>>>
>>>>> if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>>>     _ssoSessionId += "." + jvmRoute;
>>>>>     response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>>>> }
>>>>>
>>>>> The original sessionId will already have the "."+_any_other_jvmRoute
>>>>> included, so you need to substring it, and append the new jvmRoute.
>>>>>
>>>>> _ssoSessionId = _ssoSessionId.substring(0, _ssoSessionId.indexOf("."))
>>>>>
>>>>> and then add
>>>>>
>>>>> _ssoSessionId += "." + jvmRoute;
>>>>>
>>>>> AB
>>>>>
>>>>> On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD)
>>>>> wrote:
>>>>>> Hi experts
>>>>>>
>>>>>> I found this old email from archive in TC 5.5.23.
>>>>>>
>>>>>> Does this problem still exist in tomcat 6.0.x or 6.0.26?
>>>>>>
>>>>>> When failover occurs, sso session id is updated with new number after
>>>>>> forcing a user to relogin to the application since sso session id is not
>>>>>> replicated and rewritten correctly. Could someone explain what is
>>>>>> expected in current tomcat 6.0.x cluster upon failover? Should sso
>>>>>> session id be replicated correctly in tomcat 6.0.x?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> yasushi
>>>>>>
>>>>>> ROOKIE wrote:
>>>>>> Hi,
>>>>>> I have a problem with tomcat cluster + mod_proxy load balancer :
>>>>>>
>>>>>> We have a main app which authenticates itself to a webapp and from this
>>>>>> app one can launch embedded apps which use the SSO cookie to access other
>>>>>> webapps on the server (Single-Sign-On for the user).
>>>>>>
>>>>>> Things are working perfectly for the normal cookie but not for the sso
>>>>>> cookie.
>>>>>>
>>>>>> The problem I have is that tomcat does not replicate SSO sessions so
>>>>>> when these embedded apps route through the load balancer we get 401s on
>>>>>> all the other cluster members except the one which actually generated
>>>>>> the SSO cookie.
>>>>>>
>>>>>> I wanted to know if we can edit the SSO cookie generated by tomcat to
>>>>>> also contain the jvmRoute parameter so that the load balancer directly goes
>>>>>> to the correct cluster member.
>>>>>>
>>>>>> I tried doing this in my code by fetching the SSO cookie and appending
>>>>>> to it the jvmRoute as follows :
>>>>>>
>>>>>> HttpServletRequest request =
>>>>>>     (HttpServletRequest)Security.getContext(HttpServletRequest.class);
>>>>>> HttpServletResponse response =
>>>>>>     (HttpServletResponse)Security.getContext(HttpServletResponse.class);
>>>>>> if(request != null) {
>>>>>>     String jvmRoute = "Vinod_Cluster_1"; // as mentioned in server.xml
>>>>>>     Cookie[] cookies = request.getCookies();
>>>>>>     for(int nc=0; cookies != null && nc < cookies.length; nc++)
>>>>>>     {
>>>>>>         if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>>>             _sessionId = cookies[nc].getValue();
>>>>>>         }
>>>>>>
>>>>>>         else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>>>
>>>>>>             _ssoSessionId = cookies[nc].getValue();
>>>>>>             if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>>>>                 _ssoSessionId += "." + jvmRoute;
>>>>>>
>>>>>>                 response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>>>>>             }
>>>>>>
>>>>>>         }
>>>>>>
>>>>>> But after this I started getting 401s from even the correct cluster
>>>>>> member. My guess is addCookie doesn't update the cookie in tomcat's cache
>>>>>> which is reasonable.
>>>>>>
>>>>>> Other thought was to edit tomcat's sso cookie generation code to append
>>>>>> the jvmRoute to the sso cookie.
>>>>>>
>>>>>> Is there a better way to achieve this in my code base ?
>>>>>>
>>>>>> Thanks In Advance,
>>>>>> Vinod
>>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
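
An added example, not code from the thread or from Tomcat: the route-suffix handling discussed in ROOKIE's and Andrew Bruno's messages, covering an id with no suffix, a route name that is a prefix of another, and a lookup with a rewritten cookie value. The helpers `bareId` and `withRoute`, the `ssoCache` map (a simplified stand-in for a server-side SSO registry keyed by the issued id) and the value `user1` are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

public class SsoRouteSuffix {

    // Hypothetical helper: drop any ".route" suffix. Ids without a dot come back unchanged,
    // where substring(0, indexOf(".")) would throw because indexOf returns -1.
    static String bareId(String id) {
        int dot = id.indexOf('.');
        return dot < 0 ? id : id.substring(0, dot);
    }

    // Hypothetical helper: replace whatever route the id carries with jvmRoute.
    static String withRoute(String id, String jvmRoute) {
        return bareId(id) + "." + jvmRoute;
    }

    public static void main(String[] args) {
        // Constructed sample value, shaped like the SSO cookie quoted in the thread.
        String issued = "65110434847FE0AA1F1EBF0EF0871D25";

        // Simplified stand-in for a server-side SSO registry keyed by the id the server issued.
        Map<String, String> ssoCache = new HashMap<>();
        ssoCache.put(issued, "user1");

        // Moving from one node to another replaces the suffix instead of stacking a second one.
        String onJvm2 = withRoute(issued, "jvm2");
        String onJvm3 = withRoute(onJvm2, "jvm3");
        System.out.println(onJvm2);
        System.out.println(onJvm3);

        // The contains() test from the thread treats ".jvm12" as already carrying ".jvm1",
        // so the cookie would never be re-routed; replacing the suffix does not have that problem.
        String onJvm12 = withRoute(issued, "jvm12");
        System.out.println(onJvm12.contains(".jvm1"));
        System.out.println(withRoute(onJvm12, "jvm1"));

        // A cookie value rewritten by the application no longer matches the registry key;
        // the lookup succeeds only once the suffix is stripped again before the lookup.
        System.out.println(ssoCache.get(onJvm2));
        System.out.println(ssoCache.get(bareId(onJvm2)));
    }
}
```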