Re: what does j_security_check do in clustering?

2009-09-17 Thread Mark Thomas
Rex Wang wrote:
> Dear Tomcat,
> 
> I met a problem when configuring a web project which uses form-based
> security in clustering.

Clustering or load-balancing? Whether or not session replication is
configured between your Tomcat instances is key.

> When I set session affinity = true in my front http server, the security
> check was done in a single node, and there is no problem with that.
> But if I set affinity = false, the requests from the security check process
> are sent to 2 nodes, and it is really strange.. eg:
> 
> 1. From index.html (NodeA), try to access a protected resource
> 2. Go to logon.html (NodeB), I input the id/passwd, and then submit
> 3. The request looks like it was sent to NodeA, but did not do any check operation.
> 
> Does that work as designed? That is, if I want to use form check security, must my
> cluster use session affinity?

That depends on the answer to the question above.

Mark




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: what does j_security_check do in clustering?

2009-09-17 Thread Rex Wang
2009/9/17 Mark Thomas 

> Rex Wang wrote:
> > Dear Tomcat,
> >
> > I met a problem when configuring a web project which uses form-based
> > security in clustering.
>
> Clustering or load-balancing? Whether or not session replication is
> configured between your Tomcat instances is key.
>

I guess j_security_check is not implemented via the session, so session
replication does not work for the security check, right?
And I see the following in the Tomcat documentation:

To run session replication in your Tomcat 6.0 container, the following steps
should be completed:

   - All your session attributes must implement java.io.Serializable
   - Uncomment the Cluster element in server.xml
   - If you have defined custom cluster valves, make sure you have the
   ReplicationValve defined as well under the Cluster element in server.xml
   - If your Tomcat instances are running on the same machine, make sure the
   tcpListenPort attribute is unique for each instance; in most cases Tomcat
   is smart enough to resolve this on its own by autodetecting available ports
   in the range 4000-4100
   - Make sure your web.xml has the <distributable/> element or set at
   your <Context distributable="true" />
   - If you are using mod_jk, make sure that the jvmRoute attribute is set at
   your Engine <Engine name="Catalina" jvmRoute="node01" > and that the
   jvmRoute attribute value matches your worker name in workers.properties
   - Make sure that all nodes have the same time and sync with NTP service!
   - *Make sure that your loadbalancer is configured for sticky session
   mode.*

So sticky sessions are a precondition of Tomcat clustering?

thanks a lot!

-Rex




Re: what does j_security_check do in clustering?

2009-09-18 Thread Mark Thomas
Rex Wang wrote:
> 2009/9/17 Mark Thomas 
> 
>> Rex Wang wrote:
>>> Dear Tomcat,
>>>
>>> I met a problem when configuring a web project which uses form-based
>>> security in clustering.
>> Clustering or load-balancing? Whether or not session replication is
>> configured between your Tomcat instances is key.
>>
> 
> I guess j_security_check is not implemented via the session, so session
> replication does not work for the security check, right?

I thought it did - hence my question about whether you were using
clustering or just load balancing.

> So sticky sessions are a precondition of Tomcat clustering?

No. It is strongly recommended, but it isn't required providing you set
up your cluster appropriately.

Mark







Re: what does j_security_check do in clustering?

2009-09-20 Thread Rex Wang
2009/9/18 Mark Thomas 

> Rex Wang wrote:
> > 2009/9/17 Mark Thomas 
> >
> >> Rex Wang wrote:
> >>> Dear Tomcat,
> >>>
> >>> I met a problem when configuring a web project which uses form-based
> >>> security in clustering.
> >> Clustering or load-balancing? Whether or not session replication is
> >> configured between your Tomcat instances is key.
> >>
> >
> > I guess j_security_check is not implemented via the session, so session
> > replication does not work for the security check, right?
>
> I thought it did - hence my question about whether you were using
> clustering or just load balancing.
>

I am using clustering, and the security checking process cannot complete if
session affinity = false.
It looks like the login name and password are posted to another node, and
sometimes I get a 400 error
"HTTP Status 400 - Invalid direct reference to form login page".

I just want to know how to do the form-based security check if session
affinity = false in clustering.

Many thanks

-Rex




Re: what does j_security_check do in clustering?

2009-09-22 Thread Christopher Schultz

Rex,

On 9/20/2009 11:26 PM, Rex Wang wrote:
> I am using clustering, and the security checking process cannot complete if
> session affinity = false.
> It looks like the login name and password are posted to another node, and
> sometimes I get a 400 error
> "HTTP Status 400 - Invalid direct reference to form login page".

Hmm... I don't know how Tomcat does clustering, but if you are getting
responses like that ("Invalid direct reference"), then either Tomcat
requires session affinity for clustered authentication or there is a bug
somewhere.

Technically, I believe that Tomcat requires a session in order to store
your original request so it can be re-played after successful
authentication. In that case, I would have expected the session to be
replicated across the cluster before the request for j_security_check
was submitted.

Could you please post your cluster configuration? Can you confirm that
your sessions are correctly replicated when you *are* able to login
successfully?

-chris




Re: what does j_security_check do in clustering?

2009-09-23 Thread Filip Hanik - Dev Lists
j_security_check is stored as a note with the user session, but that 
data is not being replicated.


Filip





Re: what does j_security_check do in clustering?

2009-09-23 Thread Christopher Schultz

Filip,

On 9/23/2009 10:12 AM, Filip Hanik - Dev Lists wrote:
> j_security_check is stored as a note with the user session, but that
> data is not being replicated.

So, the session notes specifically are not replicated?

That seems to indicate that session stickiness is required for correct
container-managed authentication, yes?

-chris




Re: what does j_security_check do in clustering?

2009-09-23 Thread Filip Hanik - Dev Lists

On 09/23/2009 11:40 AM, Christopher Schultz wrote:
> Filip,
>
> On 9/23/2009 10:12 AM, Filip Hanik - Dev Lists wrote:
>> j_security_check is stored as a note with the user session, but that
>> data is not being replicated.
>
> So, the session notes specifically are not replicated?
>
> That seems to indicate that session stickiness is required for correct
> container-managed authentication, yes?

Yes and yes, Chris.

Filip






Re: what does j_security_check do in clustering?

2009-09-24 Thread Rex Wang
What is a "note"? I am not quite understanding its definition..

thanks

2009/9/23 Filip Hanik - Dev Lists 

> j_security_check is stored as a note with the user session, but that data
> is not being replicated.
>
> Filip
>


RE: what does j_security_check do in clustering?

2009-09-24 Thread Caldarale, Charles R
> From: Rex Wang [mailto:rwo...@gmail.com]
> Subject: Re: what does j_security_check do in clustering?
> 
> What is a "note"? I am not quite understanding its definition..

Look at the code.  The notes field in a StandardSession is just a Hashtable 
containing an arbitrary set of key/value pairs, some of them related to 
authentication.

 - Chuck







Re: what does j_security_check do in clustering?

2009-09-24 Thread Christopher Schultz

Rex,

On 9/24/2009 3:15 AM, Rex Wang wrote:
> What is a "note"? I am not quite understanding its definition..

Just to clarify Chuck's comments: a "note" has nothing to do with the
Servlet API. It's an implementation detail specific to Tomcat where,
among other things, authentication information is attached to the
session, yet not in a session attribute.

According to Filip, session "note" items are /not/ replicated around
clusters, so the information about a user being challenged for
credentials is also not replicated. This is the cause of your problem.

Filip confirms that session stickiness is the only easy solution.

-chris
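The mechanism Filip and Chris describe, as an added model written for this thread (not Tomcat's code): session attributes replicate between two nodes, session notes do not, and mod_jk's sticky routing on the jvmRoute suffix of the session id is what keeps the j_security_check POST on the node that holds the saved request. The note key is the one Tomcat's FormAuthenticator uses; the node names, session id and saved request are constructed.

```python
from dataclasses import dataclass, field

FORM_REQUEST_NOTE = "org.apache.catalina.authenticator.REQUEST"  # Tomcat's note key

@dataclass
class Session:
    sid: str                                        # "<id>.<jvmRoute>"
    attributes: dict = field(default_factory=dict)  # replicated by the cluster
    notes: dict = field(default_factory=dict)       # node-local, never copied

class Node:
    def __init__(self, jvm_route):
        self.jvm_route, self.sessions = jvm_route, {}
    def session(self, sid):
        return self.sessions.setdefault(sid, Session(sid))
    def replicate_from(self, other):
        # Session replication copies attributes only; notes stay behind.
        for sid, s in other.sessions.items():
            self.session(sid).attributes.update(s.attributes)

class Cluster:
    def __init__(self, sticky):
        self.nodes = [Node("node01"), Node("node02")]
        self.sticky, self.rr = sticky, 0
    def route(self, sid=None):
        # Sticky: mod_jk picks the node whose jvmRoute is the JSESSIONID
        # suffix. Non-sticky: plain round-robin over the nodes.
        if self.sticky and sid:
            route = sid.rsplit(".", 1)[-1]
            return next(n for n in self.nodes if n.jvm_route == route)
        node = self.nodes[self.rr % len(self.nodes)]
        self.rr += 1
        return node
    def replicate(self):
        a, b = self.nodes
        a.replicate_from(b)
        b.replicate_from(a)

def form_login_flow(sticky):
    cluster = Cluster(sticky)
    # Step 1: unauthenticated GET of a protected page; the handling node saves
    # the request as a session note and serves logon.html (constructed values).
    node = cluster.route()
    sid = "ABC123." + node.jvm_route
    node.session(sid).notes[FORM_REQUEST_NOTE] = "GET /app/protected"
    cluster.replicate()
    # Step 2: browser POSTs id/passwd to j_security_check with the cookie.
    node = cluster.route(sid)
    saved = node.session(sid).notes.get(FORM_REQUEST_NOTE)
    if saved is None:  # other node: no saved request -> FormAuthenticator 400
        return 400, "Invalid direct reference to form login page"
    return 302, saved  # credentials accepted; redirect to the saved request
```

With sticky routing the POST lands on node01 and the saved request is found; with round-robin it lands on node02, whose replicated copy of the session has the attributes but not the note, which is the 400 Rex saw.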




Re: what does j_security_check do in clustering?

2009-09-24 Thread Rex Wang
Thanks a lot to all you guys!!

-Rex
