On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote:
> Hi Andrew
>
> In case of no failover, SSO works for all web applications on the same host.
> Upon failover [shutting down one node], a user is routed to the other node,
> and TC is asking for a user to re-login when he/she tried to access password
> protected area.
>
> I have checked many times on server.xml and session replication is working
> fine upon failover, so I cannot think of any misconfiguration on server.xml.
> The issue is SSO failover is not working. I think it might be related to my
> apache virtual host setup, but could not figure it out.
>
> Thanks for your help,
> yasushi
>
> I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]

mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional
but not perfect & there are many bugfixes and improvements since then,
you should upgrade HTTPD.

p

> OS : Redhat Linux 64bit RHEL v5.5
> JDK : 1.6.0.20
>
> === I created virtual host on port 9050 ==
> Httpd.conf
>
> <VirtualHost 10.250.200.57:9050>
>   ServerAdmin xyz
>   ServerName webclust1.xyz.com
>   ServerAlias webclust1
>   ErrorLog logs/webclust_cluster_error.log
>   CustomLog logs/webclust-cluster-access_log common
>
>   <Location /balancer-manager>
>     SetHandler balancer-manager
>
>     Order Deny,Allow
>     Deny from all
>     Allow from all
>   </Location>
>
>   ProxyRequests off
>   <Proxy balancer://webclust>
>     BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1
>     BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2
>     BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3
>     Order Deny,Allow
>     Allow from all
>   </Proxy>
>
>   #Do not proxy balancer-manager
>   ProxyPass /balancer-manager !
>
>   <Location /examples>
>     ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid
>     ProxyPassReverse balancer://webclust/examples
>     Order Deny,Allow
>     Allow from all
>   </Location>
>
>   <Location / >
>     ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid
>     ProxyPassReverse balancer://webclust/
>     Order Deny,Allow
>     Allow from all
>   </Location>
>
>
> === server.xml ===
> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="9002" protocol="AJP/1.3" redirectPort="8443" />
>
> <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
>
>   <Host name="localhost" appBase="webapps"
>         unpackWARs="true" autoDeploy="true"
>         xmlValidation="false" xmlNamespaceAware="false">
>
>     <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
>              channelSendOptions="4">
>
>       <Manager className="org.apache.catalina.ha.session.DeltaManager"
>                name="node2"
>                expireSessionsOnShutdown="false"
>                notifyListenersOnReplication="true"/>
>
>       <Channel className="org.apache.catalina.tribes.group.GroupChannel">
>         <Membership className="org.apache.catalina.tribes.membership.McastService"
>                     address="228.0.0.5"
>                     port="45564"
>                     frequency="500"
>                     dropTime="3000"/>
>         <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
>                   address="auto"
>                   port="4020"
>                   autoBind="100"
>                   selectorTimeout="5000"
>                   maxThreads="12"/>
>         <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
>           <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
>         </Sender>
>         <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
>         <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
>         <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
>       </Channel>
>
>       <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
>              filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;.*\.xls;.*\.sdf;.*\.xml;"/>
>       <!-- only with jk_mod failover-->
>       <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"
>              enabled="true" sessionIdAttribute="takeoverSessionid" />
>       <!--
>       <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
>                 tempDir="/tmp/war-temp/"
>                 deployDir="/usr/local/apache/node2-tomcat-6.0.26/webapps"
>                 watchDir="/tmp/war-listen/"
>                 watchEnabled="true"/>
>       -->
>       <!-- only with jk_mod and jvmroutebindervalve-->
>       <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
>       <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
>     </Cluster>
>
>     <Valve className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn" />
>
>     <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>            prefix="webappqa_node2_access_log." suffix=".log"
>            pattern="common" resolveHosts="false"/>
>
>   </Host>
> </Engine>
>
>
> -----Original Message-----
> From: Andrew Bruno [mailto:andrew.br...@gmail.com]
> Sent: Monday, June 21, 2010 10:09 PM
> To: Tomcat Users List
> Subject: Re: question for sso session replication in tomcat 6.0.26
>
> Oh sorry, I re-read your answer. Not sure why SSO is not working, be
> interested to find out though..
>
> AB
>
> On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno <andrew.br...@gmail.com> wrote:
>> Hi Yasushi
>>
>> In your server.xml have you added the jvmroute to the Engine?
>>
>> i.e.
>>
>> <Engine name="Catalina" defaultHost="localhost" jvmRoute="1">
>>
>> Andrew
>>
>> On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD)
>> <yasushi.ok...@takedasd.com> wrote:
>>> Hi Andrew
>>>
>>> Thanks for your post. When I checked the session id from firefox, sso
>>> session id [jsessionidsso] does not have jvmroute info, but only jsessionid
>>> has jvmroute.
>>> So, session replication upon failover is working fine, but
>>> single sign-on upon failover is not working on tomcat 6.0.x (including
>>> 6.0.26).
>>>
>>> yasushi
>>>
>>> -----Original Message-----
>>> From: Andrew Bruno [mailto:andrew.br...@gmail.com]
>>> Sent: Monday, June 21, 2010 9:18 PM
>>> To: Tomcat Users List
>>> Subject: Re: question for sso session replication in tomcat 6.0.26
>>>
>>> Looking at the code I think this is wrong
>>>
>>> if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>     _ssoSessionId += "." + jvmRoute;
>>>     response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>> }
>>>
>>> The original sessionId will already have the "."+_any_other_jvmRoute
>>> included, so you need to substring it, and append the new jvmRoute.
>>>
>>> _ssoSessionId = _ssoSessionId.substring(0, _ssoSessionId.indexOf("."));
>>>
>>> and then add
>>>
>>> _ssoSessionId += "." + jvmRoute;
>>>
>>> AB
>>>
>>> On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD)
>>> <yasushi.ok...@takedasd.com> wrote:
>>>> Hi experts
>>>>
>>>> I found this old email from archive in TC 5.5.23.
>>>>
>>>> Does this problem still exist in tomcat 6.0.x or 6.0.26?
>>>>
>>>> When failover occurs, sso session id is updated with new number after
>>>> forcing a user to relogin to the application since sso session id is not
>>>> replicated and rewritten correctly. Could someone explain what is
>>>> expected in current tomcat 6.0.x cluster upon failover? Should sso
>>>> session id be replicated correctly in tomcat 6.0.x?
>>>>
>>>> Thanks,
>>>>
>>>> yasushi
>>>>
>>>> ROOKIE wrote:
>>>> Hi,
>>>> I have a problem with tomcat cluster + mod_proxy load balancer :
>>>>
>>>> We have a main app which authenticates itself to a webapp and from this
>>>> app one can launch embedded apps which use the SSO cookie to access other
>>>> webapps on the server (Single-Sign-On for the user).
>>>>
>>>> Things are working perfectly for the normal cookie but not for the sso
>>>> cookie.
>>>>
>>>> The problem I have is that tomcat does not replicate SSO sessions so
>>>> when these embedded apps route through the load balancer we get 401s on
>>>> all the other cluster members except the one which actually generated
>>>> the SSO cookie.
>>>>
>>>> I wanted to know if we can edit the SSO cookie generated by tomcat to
>>>> also contain the jvmRoute parameter so that the load balancer directly
>>>> goes to the correct cluster member.
>>>>
>>>> I tried doing this in my code by fetching the SSO cookie and appending
>>>> to it the jvmRoute as follows :
>>>>
>>>> HttpServletRequest request =
>>>>     (HttpServletRequest)Security.getContext(HttpServletRequest.class);
>>>> HttpServletResponse response =
>>>>     (HttpServletResponse)Security.getContext(HttpServletResponse.class);
>>>> if(request != null) {
>>>>     String jvmRoute = "Vinod_Cluster_1"; // as mentioned in server.xml
>>>>     Cookie[] cookies = request.getCookies();
>>>>     for(int nc=0; cookies != null && nc < cookies.length; nc++) {
>>>>         if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>             _sessionId = cookies[nc].getValue();
>>>>         }
>>>>         else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>             _ssoSessionId = cookies[nc].getValue();
>>>>             if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>>                 _ssoSessionId += "." + jvmRoute;
>>>>                 response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>>>             }
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> But after this I started getting 401s from even the correct cluster
>>>> member. My guess is addCookie doesn't update the cookie in tomcat's cache
>>>> which is reasonable.
>>>>
>>>> Other thought was to edit tomcat's sso cookie generation code to append
>>>> the jvmRoute to the sso cookie.
>>>>
>>>> Is there a better way to achieve this in my code base ?
>>>>
>>>> Thanks In Advance,
>>>> Vinod
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
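
Added example, not part of the original thread and not Tomcat code: the route-suffix string handling discussed in the quoted replies, covering two cases the posted snippets miss, an id that carries no route at all (as reported above for the SSO cookie) and a route name that is a prefix of another. The class name, method names and sample ids are constructed for illustration; the thread reports that re-issuing the cookie by itself led to 401s, so this covers the string handling only.

```java
// Added example: handling of a session id of the form "<id>.<jvmRoute>".
// RouteSuffix and its methods are hypothetical names; sample ids are constructed.
public class RouteSuffix {

    /** Returns the id without its route suffix; an id with no '.' is returned unchanged. */
    static String stripRoute(String id) {
        int dot = id.indexOf('.');
        return dot < 0 ? id : id.substring(0, dot);
    }

    /** Returns the route suffix, or null when the id carries none. */
    static String routeOf(String id) {
        int dot = id.indexOf('.');
        return dot < 0 ? null : id.substring(dot + 1);
    }

    /** Replaces whatever route the id carries (possibly none) with jvmRoute. */
    static String withRoute(String id, String jvmRoute) {
        return stripRoute(id) + "." + jvmRoute;
    }

    public static void main(String[] args) {
        String noRoute = "0A1B2C3D4E5F";        // constructed: id without a route suffix
        String onJvm1  = "0A1B2C3D4E5F.jvm1";   // constructed: id issued by jvm1
        String onJvm10 = "0A1B2C3D4E5F.jvm10";  // constructed: route with "jvm1" as a prefix

        // The unguarded substring(0, indexOf(".")) throws when the id has no '.',
        // because indexOf returns -1.
        try {
            noRoute.substring(0, noRoute.indexOf("."));
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("unguarded substring fails on: " + noRoute);
        }

        // contains("." + jvmRoute) is a substring match, so ".jvm10" is taken
        // as already routed to "jvm1"; comparing the parsed route is exact.
        System.out.println("contains check: " + onJvm10.contains(".jvm1"));
        System.out.println("exact check:    " + "jvm1".equals(routeOf(onJvm10)));

        // All three inputs end up with exactly one route suffix.
        System.out.println(withRoute(noRoute, "jvm2"));
        System.out.println(withRoute(onJvm1, "jvm2"));
        System.out.println(withRoute(onJvm10, "jvm1"));
    }
}
```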