Sorry I should clarify few things: In case of no failover, SSO works for all web applications on the same node, not host. Then, session replication upon failover works for non-password protected area only.
-----Original Message----- From: Okubo, Yasushi (TSD) [mailto:yasushi.ok...@takedasd.com] Sent: Tuesday, June 22, 2010 7:57 AM To: Tomcat Users List Subject: RE: question for sso session replication in tomcat 6.0.26 Hi Andrew In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tried to access password protected area. I have checked many times on server.xml and session replication is working fine upon failover, so I cannot think any misconfiguration on server.xml The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out. Thanks for your help, yasushi I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] OS : Redhat Linux 64bit RHEL v5.5 JDK : 1.6.0.20 === I created virtual host on port 9050 == Httpd.conf <VirtualHost 10.250.200.57:9050> ServerAdmin xyz ServerName webclust1.xyz.com ServerAlias webclust1 ErrorLog logs/webclust_cluster_error.log CustomLog logs/webclust-cluster-access_log common <Location /balancer-manager> SetHandler balancer-manager Order Deny,Allow Deny from all Allow from all </Location> ProxyRequests off <Proxy balancer://webclust> BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1 BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2 BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3 Order Deny,Allow Allow from all </Proxy> #Do not proxy balancer-manager ProxyPass /balancer-manager ! <Location /examples> ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid ProxyPassReverse balancer://webclust/examples Order Deny,Allow Allow from all </Location> <Location / > ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid ProxyPassReverse balancer://webclust/ Order Deny,Allow Allow from all </Location> === server.xml === <!-- Define an AJP 1.3 Connector on port 8009 --> <Connector port="9002" protocol="AJP/1.3" redirectPort="8443" /> <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false"> <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="4"> <Manager className="org.apache.catalina.ha.session.DeltaManager" name="node2" expireSessionsOnShutdown="false" notifyListenersOnReplication="true"/> <Channel className="org.apache.catalina.tribes.group.GroupChannel"> <Membership className="org.apache.catalina.tribes.membership.McastService" address="228.0.0.5" port="45564" frequency="500" dropTime="3000"/> <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver" address="auto" port="4020" autoBind="100" selectorTimeout="5000" maxThreads="12"/> <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter"> <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/> </Sender> <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/> <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/> <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/> </Channel> <Valve className="org.apache.catalina.ha.tcp.ReplicationValve" filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;.*\.xls;.*\.sdf;.*\.xml;"/> <!-- only with jk_mod failover--> <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve" enabled="true" sessionIdAttribute="takeoverSessionid" /> <!-- <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer" tempDir="/tmp/war-temp/" deployDir="/usr/local/apache/node2-tomcat-6.0.26/webapps" watchDir="/tmp/war-listen/" watchEnabled="true"/> --> <!-- only with jk_mod and jvmroutebindervalve--> <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/> <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/> </Cluster> <Valve className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn" /> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="webappqa_node2_access_log." suffix=".log" pattern="common" resolveHosts="false"/> </Host> </Engine> -----Original Message----- From: Andrew Bruno [mailto:andrew.br...@gmail.com] Sent: Monday, June 21, 2010 10:09 PM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 Oh sorry, I re-read your answer. Not sure why SSO is not working, be interested to find out though.. AB On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno <andrew.br...@gmail.com> wrote: > Hi Yasushi > > In your serverl.xml have you added the jvmroute to the Engine? > > i.e. > > <Engine name="Catalina" defaultHost="localhost" jvmRoute="1"> > > Andrew > > On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD) > <yasushi.ok...@takedasd.com> wrote: >> Hi Andrew >> >> Thank for your post. When I checked the session id from firefox, sso >> session id [jsessionidsso] does not have jvmroute info, but only jsessionid >> has jvmroute. So, session replication upon failover is working fine, but >> singlesionon upon failover is not working on tomcat 6.0.x (including 6.0.26). >> >> yasushi >> >> -----Original Message----- >> From: Andrew Bruno [mailto:andrew.br...@gmail.com] >> Sent: Monday, June 21, 2010 9:18 PM >> To: Tomcat Users List >> Subject: Re: question for sso session replication in tomcat 6.0.26 >> >> Looking at the code I think this is wrong >> >> if (!_ssoSessionId.contains("." + jvmRoute)) { >> _ssoSessionId += "." + jvmRoute; >> response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId)); >> } >> >> The original sessionId will already have the "."+_any_other_jvmRoute >> included, so you need to substring it, and append the new jvmRoute. >> >> _ssoSessionId= _ssoSessionId.substring(0, _ssoSessionId.indexOf(".")) >> >> and then add >> >> _ssoSessionId += "." + jvmRoute; >> >> AB >> >> On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD) >> <yasushi.ok...@takedasd.com> wrote: >>> Hi experts >>> >>> >>> >>> I found this old email from archive in TC 5.5.23. >>> >>> Does this problem still exist in tomcat 6.0.x or 6.0.26? >>> >>> >>> >>> When failover occurs, sso session id is updated with new number after >>> forcing a user to relogin to the application since sso session id is not >>> replicated and rewritten correctly. Could someone explain what is >>> expected in current tomcat 6.0.x cluster upon failover? Should sso >>> session id is replicated correctly in tomcat 6.0.x? >>> >>> >>> >>> Thanks, >>> >>> yasushi >>> >>> >>> >>> >>> >>> >>> >>> ROOKIE wrote: >>> Hi, >>> I have a problem with tomcat cluster + mod_proxy load balancer : >>> >>> We have a main app which authenticate itself to a webapp and from this >>> app one >>> can launch embedded apps which use the SSO cookie to access other >>> webapps on >>> the server (Single-Sign-On for the user). >>> >>> Things are working perfectly for the normal cookie but not for the sso >>> cookie. >>> >>> >>> The problem I have is that tomcat does not replicate SSO sessions so >>> when these embedded apps route through the load balancer we get 401s on >>> all the other cluster members except the one which actually generated >>> the SSO cookie. >>> >>> I wanted to know if we can edit the SSO cookie generated by tomcat to >>> also >>> contain the jvmRoute parameter so that the load balancer directly goes >>> to the >>> correct cluster member. >>> >>> >>> I tried doing this in my code by fetching the SSO cookie and appending >>> to it >>> the jvmRoute as follows : >>> >>> HttpServletRequest request = >>> (HttpServletRequest)Security.getContext(HttpServletRequest.class); >>> HttpServletResponse response = >>> (HttpServletResponse)Security.getContext(HttpServletResponse.class); >>> if(request != null) { >>> String jvmRoute = "Vinod_Cluster_1"; // as mentioned in >>> server.xml >>> Cookie[] cookies = request.getCookies(); >>> for(int nc=0; cookies != null && nc < cookies.length; nc++) >>> { >>> if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) { >>> _sessionId = cookies[nc].getValue(); >>> } >>> >>> else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) { >>> >>> _ssoSessionId = cookies[nc].getValue(); >>> if (!_ssoSessionId.contains("." + jvmRoute)) { >>> _ssoSessionId += "." + jvmRoute; >>> >>> response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId)); >>> } >>> >>> >>> } >>> >>> >>> But after this I started getting 401s from even the correct cluster >>> member. My guess is addCookie doesnt update the cookie in tomcat's cache >>> which is reasonable. >>> >>> Other thought was to edit tomcat's sso cookie generation code to append >>> the >>> jvmRoute to the sso cookie. >>> >>> >>> Is there an better way to achieve this in my code base ? >>> >>> Thanks In Advance, >>> Vinod >>> >>> >>> >>> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
