Hey Jim,

Finally got a chance to play with your wars, and things work as I expect -- but not as you want :(

The issue is that the Principal does not get propagated around the cluster; the username and password do. Two reasons for this:

1) Principal does not extend Serializable, thus you can't count on being able to replicate it.
2) The security layer requires an authentication on each server -- replicating around a Principal that is the result of an authentication on another server won't cut it.

If, when a failover occurs, you request one of your wars w/ a login config, the replicated username/password can be used to transparently authenticate you. Thereafter you have a Principal on that server and all is well.

If you fail over to a war w/o a login config, there is no way to authenticate you on the new server. Hence a 403.

If I uncomment the error page element in the hello/hello2 web.xml, and then do a failover to one of those pages, I get redirected to main. I do not, however, have to log in to main -- the sso valve is able to log in for me, since main has a login config.

Perhaps you can create a custom authenticator for hello/hello2. In 4.0.4.CR2 there is the ability to pretty easily add your own authenticators. See jbossweb-tomcat55.sar's server.xml and META-INF/jboss-service.xml for ideas on how to configure that (there is probably a wiki page too).

Get the org.apache.catalina.authenticator.NonLoginAuthenticator as a template to create your own, and replace the authenticate method with this:

    public boolean authenticate(Request request,
                                Response response,
                                LoginConfig config)
        throws IOException {

        // Have we already authenticated someone?
        Principal principal = request.getUserPrincipal();
        String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
        if (principal != null) {
            if (log.isDebugEnabled())
                log.debug("Already authenticated '" +
                          principal.getName() + "'");
            // Associate the session with any existing SSO session
            if (ssoId != null)
                associate(ssoId, request.getSessionInternal(true));
            return (true);
        }

        // Is there an SSO session against which we can try to reauthenticate?
        if (ssoId != null) {
            if (log.isDebugEnabled())
                log.debug("SSO Id " + ssoId + " set; attempting " +
                          "reauthentication");
            // Try to reauthenticate using data cached by SSO.
            if (reauthenticateFromSSO(ssoId, request))
                return true;
        }

        // No principal + no SSO = reject!
        return false;

    }

Note I haven't tried that; just a suggestion :)

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3935706#3935706
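
The failover behaviour described in the post above, as a toy Java model added here for illustration; it is not part of the original post and is not JBoss or Tomcat code. Every name in it (SsoFailoverModel, Node, SsoEntry, request, reauthenticateFromSso) and the sample user are constructed assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Toy model of the behaviour in the post; all names here are hypothetical, not JBoss/Tomcat APIs.
public class SsoFailoverModel {
    // What the clustered SSO cache replicates: credentials, never a Principal.
    record SsoEntry(String username, String password) {}

    static class Node {
        final Map<String, String> realm;                          // this node's own user store
        final Map<String, String> principals = new HashMap<>();   // ssoId -> user, local to this node
        Node(Map<String, String> realm) { this.realm = realm; }

        // Each node runs its own authentication; a result from another node is not trusted.
        boolean reauthenticateFromSso(String ssoId, Map<String, SsoEntry> ssoCache) {
            SsoEntry e = ssoCache.get(ssoId);
            String expected = (e == null) ? null : realm.get(e.username());
            if (expected == null) return false;                   // no SSO entry or unknown user
            boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                               e.password().getBytes(StandardCharsets.UTF_8));
            if (ok) principals.put(ssoId, e.username());          // Principal now exists on this node
            return ok;
        }

        // HTTP status for a protected page; canReauth is true for a war with a login config
        // or with the custom authenticator suggested in the post.
        int request(String ssoId, boolean canReauth, Map<String, SsoEntry> ssoCache) {
            if (principals.containsKey(ssoId)) return 200;        // already authenticated here
            if (canReauth && reauthenticateFromSso(ssoId, ssoCache)) return 200;
            return 403;                                           // no principal + no SSO = reject
        }
    }

    public static void main(String[] args) {
        Map<String, String> realm = Map.of("jim", "constructed-password");   // constructed sample user
        Map<String, SsoEntry> ssoCache = new HashMap<>();         // stands in for the replicated cache
        ssoCache.put("sso-1", new SsoEntry("jim", "constructed-password"));  // login happened on node A
        Node b = new Node(realm), c = new Node(realm), d = new Node(realm);
        System.out.println("B hello, stock authenticator:  " + b.request("sso-1", false, ssoCache));
        System.out.println("B main, has login config:      " + b.request("sso-1", true, ssoCache));
        System.out.println("B hello, after main:           " + b.request("sso-1", false, ssoCache));
        System.out.println("C hello, custom authenticator: " + c.request("sso-1", true, ssoCache));
        System.out.println("D hello, unknown SSO id:       " + d.request("sso-9", true, ssoCache));
    }
}
```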