RE: JDBC authentication problem
Hi,

The keep alive on postgres was already set up, but was not working. However, I finally found a workaround.

I'm using the tomcat connection pool, but for the authentication, Tomcat is creating its own connection and does not use the pool (and seems to use the same connection all along the session). So I think that was why it was dropped by the firewall after a while, and when we restarted tomcat, the connection was recreated and it worked again.

To resolve this problem, we override Tomcat's authenticate method. We made our own open function which uses the postgres driver and is called in the authenticate. We do not use the getPassword and getRoles functions, because they used Tomcat's global connection.

With this, we are now able to connect to the site even after a long period of inactivity.

Thank you for your help, and maybe this could help someone else.

Regards,
Luc.

From: Felix Schumacher felix.schumac...@internetallee.de
Sent: Wednesday, 4 February 2015 20:11
To: Tomcat Users List
Subject: Re: JDBC authentication problem

On 04.02.2015 at 14:21, Luc DALLEMANE wrote:
> Hi,
>
> I'm back again with the problem :)
>
> Firstly, I added the validationQuery and it works and I can see it in postgres logs. But still not able to login after a while of inactivity.
>
> Now, after 15 min of waiting, I'm getting a socket connection timeout, but seems logical after such a long period of trying to connect.
>
> Thank you again for your ideas and haven't found a solution.

You might try to enable keepalive on your postgresql connection. Connection properties can be specified with the attribute connectionProperties (at least according to http://commons.apache.org/proper/commons-dbcp/configuration.html) or in the jdbc url jdbc://...?tcpKeepAlive=true.

You can even specify the timeout for connecting to your database.

Regards
Felix

> Regards,
> Luc.
>
> From: Konstantin Kolinko knst.koli...@gmail.com
> Sent: Tuesday, 3 February 2015 12:33
> To: Tomcat Users List
> Subject: Re: JDBC authentication problem
>
> 2015-02-03 14:29 GMT+03:00 Luc DALLEMANE ldallem...@alaloop.com:
> > Hi,
> >
> > Thanks for the reply, I tried to add the options you told me about (testWhileIdle, timeBetweenEvictionRunsMillis, and maxConnLifetimeMillis), but I'm still unable to log in after an hour ...
>
> Do you have validationQuery configured? testOnBorrow, testWhileIdle do not work without it.
>
> Best regards,
> Konstantin Kolinko

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: JDBC authentication problem
Hi,

I'm back again with the problem :)

Firstly, I added the validationQuery and it works and I can see it in postgres logs. But still not able to login after a while of inactivity.

Now, after 15 min of waiting, I'm getting a socket connection timeout, but seems logical after such a long period of trying to connect.

Thank you again for your ideas and haven't found a solution.

Regards,
Luc.

From: Konstantin Kolinko knst.koli...@gmail.com
Sent: Tuesday, 3 February 2015 12:33
To: Tomcat Users List
Subject: Re: JDBC authentication problem

2015-02-03 14:29 GMT+03:00 Luc DALLEMANE ldallem...@alaloop.com:
> Hi,
>
> Thanks for the reply, I tried to add the options you told me about (testWhileIdle, timeBetweenEvictionRunsMillis, and maxConnLifetimeMillis), but I'm still unable to log in after an hour ...

Do you have validationQuery configured? testOnBorrow, testWhileIdle do not work without it.

Best regards,
Konstantin Kolinko
RE: JDBC authentication problem
Hi,

Thanks for the reply, I tried to add the options you told me about (testWhileIdle, timeBetweenEvictionRunsMillis, and maxConnLifetimeMillis), but I'm still unable to log in after an hour ...

I've been having this problem for 2 weeks and am still unable to find a way to go around this problem... I thought that the firewall dropped my connections, but no solution for this problem seems to work.

> (again I assume it is the firewall, that corrupts your connections and I assume you are using a connection pool managed by tomcat).

You were right, I'm using it. The only thing I haven't tested is to not use the pool, but this doesn't seem a really good option for me.

I'm new to Tomcat so I don't know it very well, but this should have worked... We are thinking of asking a guy from another company (who knows tomcat and network better than I), because nobody has a solution for this in mine.

Thank you for your help !! And if you have another idea... you're welcome again.

Regards,
Luc.

From: Felix Schumacher felix.schumac...@internetallee.de
Sent: Monday, 2 February 2015 18:59
To: Tomcat Users List
Subject: Re: JDBC authentication problem

On 02.02.2015 at 17:03, Luc DALLEMANE wrote:
> Thanks for the reply,
>
> No I haven't got any exceptions, and there is no more logs until I restart tomcat manually. From the web page, you can see that it keeps loading the page indefinitely... and never tells if the authentication fails or not. (This part works when I restart tomcat).
>
> I'm using the DataSourceRealm provided with Tomcat7.

First of all, I wouldn't trust the network guys :) The firewall might be OK, but OK might mean, that it drops connections, when they are idle for too long.

That said, you have a few options to drive around such a limitation.

You could set testWhileIdle to true, so that you generate network traffic and thus keep open the firewall (again I assume it is the firewall, that corrupts your connections and I assume you are using a connection pool managed by tomcat). I believe you have to set timeBetweenEvictionRunsMillis to a positive value, or no idle testing will be done.

You might try the maxConnLifetimeMillis setting, so that old connections from the pool will not be used.

You might try to size the pool, so that it keeps no idle connections (but why should I use a pool then?).

Hope this helps
Felix

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Monday, 2 February 2015 16:19
> To: Tomcat Users List
> Subject: Re: JDBC authentication problem
>
> Luc,
>
> On 2/2/15 6:11 AM, Luc DALLEMANE wrote:
> > I tried to switch to DataSourceRealm but my problem is here again. After a while, the authentication is still impossible. Maybe I have missed something about the DataSource in the doc but I'm able to login several times. It's only after about one hour of inactivity.
> >
> > The network admin looked at the firewall config and told me the config was OK ...
>
> Are there any exceptions in the log files? Or do you simply get a refused authentication?
>
> Are you using Tomcat's built-in authenticator? Which one?
>
> -chris
RE: JDBC authentication problem
Hi,

I tried to switch to DataSourceRealm but my problem is here again. After a while, the authentication is still impossible. Maybe I have missed something about the DataSource in the doc but I'm able to login several times. It's only after about one hour of inactivity.

The network admin looked at the firewall config and told me the config was OK ...

So, if you have any idea, you're welcome !

Regards,
Luc.

From: Luc DALLEMANE ldallem...@alaloop.com
Sent: Friday, 30 January 2015 15:39
To: Tomcat Users List
Subject: RE: JDBC authentication problem

Ok, I'm going to try this. Hope this will help to solve my problem.

Regards
Luc D.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, 30 January 2015 15:24
To: Tomcat Users List
Subject: Re: JDBC authentication problem

Luc,

On 1/30/15 9:05 AM, Luc DALLEMANE wrote:
> Thanks for the reply, it is the JDBCRealm not the data source.

Your Resource configuration is therefore ignored.

The JDBCRealm should really not be used at all. Switch to DataSourceRealm. If you don't like using your application's DataSource for authentication (some folks don't), then create a second DataSource just for authentication.

The DataSourceRealm has some significant advantages, such as being able to use a configurable pool of Connections, instead of a single Connection like JDBCRealm does. This improves performance and allows for re-connections, etc.

I think this will fix your immediate problem plus eliminate some other problems down the line (like performance).

-chris
RE: JDBC authentication problem
Thanks for the reply,

No I haven't got any exceptions, and there is no more logs until I restart tomcat manually. From the web page, you can see that it keeps loading the page indefinitely... and never tells if the authentication fails or not. (This part works when I restart tomcat).

I'm using the DataSourceRealm provided with Tomcat7.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Monday, 2 February 2015 16:19
To: Tomcat Users List
Subject: Re: JDBC authentication problem

Luc,

On 2/2/15 6:11 AM, Luc DALLEMANE wrote:
> I tried to switch to DataSourceRealm but my problem is here again. After a while, the authentication is still impossible. Maybe I have missed something about the DataSource in the doc but I'm able to login several times. It's only after about one hour of inactivity.
>
> The network admin looked at the firewall config and told me the config was OK ...

Are there any exceptions in the log files? Or do you simply get a refused authentication?

Are you using Tomcat's built-in authenticator? Which one?

-chris
RE: JDBC authentication problem
Thanks for the reply, it is the JDBCRealm not the data source.

I have set this password for test only but it will be changed when everything will be ok and in production. (But didn't see I had pasted it ...)

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Friday, 30 January 2015 14:52
To: Tomcat Users List
Subject: Re: JDBC authentication problem

2015-01-30 16:45 GMT+03:00 Luc DALLEMANE ldallem...@alaloop.com:
> Hi,
>
> I'm facing a problem with my web application. I'm using Tomcat 7.0.56, Java 1.8, Postgres 9.4 and Debian 7.
>
> The application is configured as follows: The web server is located in a DMZ. The database server is located in our LAN. To communicate with each other, a firewall has been set up (Cisco asa firewall). To authenticate a user to the website, I use the tomcat JDBC Realm.

1. Realm configuration =? Is it JDBCRealm or DataSourceRealm? If it is the former, then your Resource is not used at all.

2. Posting the actual password on a public mailing list? Consider it compromised.

> At the beginning, everything works fine, but after about an hour of inactivity, it's impossible to authenticate again: Tomcat process seems to be running but doesn't log anything and doesn't answer any other requests.
>
> The firewall is rejecting the connection with the following message:
>
>     Deny TCP (no connection) from WEB/50790 to DB/5432 FIN ACK on interface DMZ_clients
>
> I thought, the problem was after a while, if tomcat connections were not used, the firewall would drop them. So, I tried to add keepAlive time-outs (tomcat site, postgres side, ) but none of them worked:
>
> Here is the tomcat context.xml:
>
>     <Resource name="jdbc/elkar" auth="Container" type="javax.sql.DataSource"
>               driverClassName="org.postgresql.Driver" [...] />
>
> The postgresql.conf:
>
>     # - TCP Keepalives -
>     # see man 7 tcp for details
>     #tcp_keepalives_idle = 300       # TCP_KEEPIDLE, in seconds;
>                                      # 0 selects the system default
>     #tcp_keepalives_interval = 0     # TCP_KEEPINTVL, in seconds;
>                                      # 0 selects the system default
>     #tcp_keepalives_count = 0
>
> And finally, the Sysctl.conf:
>
>     net.ipv4.tcp_keepalive_time = 900
>     net.ipv4.tcp_keepalive_intvl = 60
>     net.ipv4.tcp_keepalive_probes = 9
>
> Before that, the application was tested without using the firewall and everything worked fine.
>
> If you have any idea of why this is happening, I haven't found a solution yet.
>
> Regards,
> Luc D.
RE: JDBC authentication problem
Ok, I'm going to try this. Hope this will help to solve my problem.

Regards
Luc D.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, 30 January 2015 15:24
To: Tomcat Users List
Subject: Re: JDBC authentication problem

Luc,

On 1/30/15 9:05 AM, Luc DALLEMANE wrote:
> Thanks for the reply, it is the JDBCRealm not the data source.

Your Resource configuration is therefore ignored.

The JDBCRealm should really not be used at all. Switch to DataSourceRealm. If you don't like using your application's DataSource for authentication (some folks don't), then create a second DataSource just for authentication.

The DataSourceRealm has some significant advantages, such as being able to use a configurable pool of Connections, instead of a single Connection like JDBCRealm does. This improves performance and allows for re-connections, etc.

I think this will fix your immediate problem plus eliminate some other problems down the line (like performance).

> I have set this password for test only but it will be changed when everything will be ok and in production. (But didn't see I had pasted it ...)

Good. :)

-chris

> -----Original Message-----
> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
> Sent: Friday, 30 January 2015 14:52
> To: Tomcat Users List
> Subject: Re: JDBC authentication problem
>
> 2015-01-30 16:45 GMT+03:00 Luc DALLEMANE ldallem...@alaloop.com:
> > Hi,
> >
> > I'm facing a problem with my web application. I'm using Tomcat 7.0.56, Java 1.8, Postgres 9.4 and Debian 7.
> >
> > The application is configured as follows: The web server is located in a DMZ. The database server is located in our LAN. To communicate with each other, a firewall has been set up (Cisco asa firewall). To authenticate a user to the website, I use the tomcat JDBC Realm.
>
> 1. Realm configuration =? Is it JDBCRealm or DataSourceRealm? If it is the former, then your Resource is not used at all.
>
> 2. Posting the actual password on a public mailing list? Consider it compromised.
>
> > At the beginning, everything works fine, but after about an hour of inactivity, it's impossible to authenticate again: Tomcat process seems to be running but doesn't log anything and doesn't answer any other requests.
> >
> > The firewall is rejecting the connection with the following message:
> >
> >     Deny TCP (no connection) from WEB/50790 to DB/5432 FIN ACK on interface DMZ_clients
> >
> > I thought, the problem was after a while, if tomcat connections were not used, the firewall would drop them. So, I tried to add keepAlive time-outs (tomcat site, postgres side, ) but none of them worked:
> >
> > Here is the tomcat context.xml:
> >
> >     <Resource name="jdbc/elkar" auth="Container" type="javax.sql.DataSource"
> >               driverClassName="org.postgresql.Driver" [...] />
> >
> > The postgresql.conf:
> >
> >     # - TCP Keepalives -
> >     # see man 7 tcp for details
> >     #tcp_keepalives_idle = 300       # TCP_KEEPIDLE, in seconds;
> >                                      # 0 selects the system default
> >     #tcp_keepalives_interval = 0     # TCP_KEEPINTVL, in seconds;
> >                                      # 0 selects the system default
> >     #tcp_keepalives_count = 0
> >
> > And finally, the Sysctl.conf:
> >
> >     net.ipv4.tcp_keepalive_time = 900
> >     net.ipv4.tcp_keepalive_intvl = 60
> >     net.ipv4.tcp_keepalive_probes = 9
> >
> > Before that, the application was tested without using the firewall and everything worked fine.
> >
> > If you have any idea of why this is happening, I haven't found a solution yet.
> >
> > Regards,
> > Luc D.
JDBC authentication problem
Hi,

I'm facing a problem with my web application. I'm using Tomcat 7.0.56, Java 1.8, Postgres 9.4 and Debian 7.

The application is configured as follows: The web server is located in a DMZ. The database server is located in our LAN. To communicate with each other, a firewall has been set up (Cisco asa firewall). To authenticate a user to the website, I use the tomcat JDBC Realm.

At the beginning, everything works fine, but after about an hour of inactivity, it's impossible to authenticate again: Tomcat process seems to be running but doesn't log anything and doesn't answer any other requests.

The firewall is rejecting the connection with the following message:

    Deny TCP (no connection) from WEB/50790 to DB/5432 FIN ACK on interface DMZ_clients

I thought, the problem was after a while, if tomcat connections were not used, the firewall would drop them. So, I tried to add keepAlive time-outs (tomcat site, postgres side, ) but none of them worked:

Here is the tomcat context.xml:

    <Resource name="jdbc/elkar" auth="Container" type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://10.2.1.128/elkar"
              username="asa" password="mei!z60Hm"
              maxActive="100" maxIdle="20" maxWait="1" maxAge="6"
              removeAbandonned="true" removeAbandonnedTimeout="60"
              keepAlive="true" autoReconnect="true" />

The postgresql.conf:

    # - TCP Keepalives -
    # see man 7 tcp for details
    #tcp_keepalives_idle = 300       # TCP_KEEPIDLE, in seconds;
                                     # 0 selects the system default
    #tcp_keepalives_interval = 0     # TCP_KEEPINTVL, in seconds;
                                     # 0 selects the system default
    #tcp_keepalives_count = 0

And finally, the Sysctl.conf:

    net.ipv4.tcp_keepalive_time = 900
    net.ipv4.tcp_keepalive_intvl = 60
    net.ipv4.tcp_keepalive_probes = 9

Before that, the application was tested without using the firewall and everything worked fine.

If you have any idea of why this is happening, I haven't found a solution yet.

Regards,
Luc D.
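
The configuration the replies in this thread point toward, written out as an added example (not taken from any poster's actual setup): a DataSourceRealm backed by its own validated pool, with TCP keepalive requested in the JDBC URL. It assumes Tomcat 7's default commons-dbcp 1.x pool; `jdbc/authDB`, `DB_HOST`, `DB_NAME`, the credentials, the numeric values and the table and column names are placeholders.

```xml
<!-- META-INF/context.xml: added example, all names and values are placeholders -->
<Context>

  <!-- Pool dedicated to authentication.

       tcpKeepAlive=true asks the PostgreSQL JDBC driver to set SO_KEEPALIVE on
       its sockets. The kernel's net.ipv4.tcp_keepalive_* settings only apply to
       sockets that have SO_KEEPALIVE set, and the driver leaves it off by
       default, so sysctl.conf alone keeps nothing alive.

       socketTimeout (seconds) bounds a read on a connection the firewall has
       silently dropped, so a login fails with an exception instead of hanging. -->
  <Resource name="jdbc/authDB"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://DB_HOST:5432/DB_NAME?tcpKeepAlive=true&amp;socketTimeout=30"
            username="AUTH_USER"
            password="CHANGE_ME"
            maxActive="20"
            maxIdle="5"
            maxWait="10000"

            validationQuery="SELECT 1"
            testOnBorrow="true"
            testWhileIdle="true"
            timeBetweenEvictionRunsMillis="60000"
            minEvictableIdleTimeMillis="600000"/>
  <!-- validationQuery:               testOnBorrow and testWhileIdle do nothing without it.
       timeBetweenEvictionRunsMillis: must be positive, otherwise the idle
                                      evictor never runs and testWhileIdle is inert.
       minEvictableIdleTimeMillis:    10 minutes here, so idle connections are
                                      retired well before the roughly one-hour
                                      idle period reported in the thread. -->

  <!-- DataSourceRealm borrows a pooled, validated connection for each login.
       JDBCRealm instead holds one long-lived connection of its own and
       ignores the Resource above entirely.
       localDataSource="true": the DataSource is defined in this Context
       rather than in GlobalNamingResources. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authDB"
         localDataSource="true"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name"/>

</Context>
```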