Hi,

I downloaded apache v2.2.15 and compiled and installed it, but the result was the same.
Session SSO replication looked like it failed. Upon shutting down the node, it kicked me out of the password-protected area and I needed to re-login on the second node. On apache, I installed/enabled all modules including basic authentication etc. Is there any requirement on the apache side, or how should the virtual host be set up in httpd.conf to make SSO failover work?

Thanks,
yasushi

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Tuesday, June 22, 2010 8:04 AM
To: Tomcat Users List
Subject: Re: question for sso session replication in tomcat 6.0.26

On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote:
> Hi Andrew
>
> In case of no failover, SSO works for all web applications on the same host. Upon failover [shutting down one node], a user is routed to the other node, and TC is asking for a user to re-login when he/she tries to access the password-protected area.
>
> I have checked server.xml many times and session replication is working fine upon failover, so I cannot think of any misconfiguration in server.xml.
> The issue is SSO failover is not working. I think it might be related to my apache virtual host setup, but could not figure it out.
>
> Thanks for your help,
> yasushi
>
> I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]

mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional but not perfect & there are many bugfixes and improvements since then, you should upgrade HTTPD.

p

> OS : Redhat Linux 64bit RHEL v5.5
> JDK : 1.6.0.20
>
> === I created virtual host on port 9050 ==
> Httpd.conf
>
> <VirtualHost 10.250.200.57:9050>
>   ServerAdmin xyz
>   ServerName webclust1.xyz.com
>   ServerAlias webclust1
>   ErrorLog logs/webclust_cluster_error.log
>   CustomLog logs/webclust-cluster-access_log common
>
>   <Location /balancer-manager>
>     SetHandler balancer-manager
>
>     Order Deny,Allow
>     Deny from all
>     Allow from all
>   </Location>
>
>   ProxyRequests off
>   <Proxy balancer://webclust>
>     BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1
>     BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2
>     BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3
>     Order Deny,Allow
>     Allow from all
>   </Proxy>
>
>   #Do not proxy balancer-manager
>   ProxyPass /balancer-manager !
>
>   <Location /examples>
>     ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid
>     ProxyPassReverse balancer://webclust/examples
>     Order Deny,Allow
>     Allow from all
>   </Location>
>
>   <Location / >
>     ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid
>     ProxyPassReverse balancer://webclust/
>     Order Deny,Allow
>     Allow from all
>   </Location>
>
>
> === server.xml ===
> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="9002" protocol="AJP/1.3" redirectPort="8443" />
>
> <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
>
>   <Host name="localhost" appBase="webapps"
>         unpackWARs="true" autoDeploy="true"
>         xmlValidation="false" xmlNamespaceAware="false">
>
>     <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
>              channelSendOptions="4">
>
>       <Manager className="org.apache.catalina.ha.session.DeltaManager"
>                name="node2"
>                expireSessionsOnShutdown="false"
>                notifyListenersOnReplication="true"/>
>
>       <Channel className="org.apache.catalina.tribes.group.GroupChannel">
>         <Membership className="org.apache.catalina.tribes.membership.McastService"
>                     address="228.0.0.5"
>                     port="45564"
>                     frequency="500"
>                     dropTime="3000"/>
>         <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
>                   address="auto"
>                   port="4020"
>                   autoBind="100"
>                   selectorTimeout="5000"
>                   maxThreads="12"/>
>         <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
>           <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
>         </Sender>
>         <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
>         <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
>         <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
>       </Channel>
>
>       <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
>              filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;.*\.xls;.*\.sdf;.*\.xml;"/>
>       <!-- only with jk_mod failover-->
>       <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"
>              enabled="true" sessionIdAttribute="takeoverSessionid" />
>       <!--
>       <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
>                 tempDir="/tmp/war-temp/"
>                 deployDir="/usr/local/apache/node2-tomcat-6.0.26/webapps"
>                 watchDir="/tmp/war-listen/"
>                 watchEnabled="true"/>
>       -->
>       <!-- only with jk_mod and jvmroutebindervalve-->
>       <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
>       <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
>     </Cluster>
>
>     <Valve className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn" />
>
>     <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>            prefix="webappqa_node2_access_log." suffix=".log" pattern="common" resolveHosts="false"/>
>
>   </Host>
> </Engine>
>
>
> -----Original Message-----
> From: Andrew Bruno [mailto:andrew.br...@gmail.com]
> Sent: Monday, June 21, 2010 10:09 PM
> To: Tomcat Users List
> Subject: Re: question for sso session replication in tomcat 6.0.26
>
> Oh sorry, I re-read your answer. Not sure why SSO is not working, be
> interested to find out though..
>
> AB
>
> On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno <andrew.br...@gmail.com> wrote:
>> Hi Yasushi
>>
>> In your server.xml have you added the jvmroute to the Engine?
>>
>> i.e.
>>
>> <Engine name="Catalina" defaultHost="localhost" jvmRoute="1">
>>
>> Andrew
>>
>> On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD) <yasushi.ok...@takedasd.com> wrote:
>>> Hi Andrew
>>>
>>> Thanks for your post. When I checked the session id from firefox, sso session id [jsessionidsso] does not have jvmroute info, but only jsessionid has jvmroute. So, session replication upon failover is working fine, but single sign-on upon failover is not working on tomcat 6.0.x (including 6.0.26).
>>>
>>> yasushi
>>>
>>> -----Original Message-----
>>> From: Andrew Bruno [mailto:andrew.br...@gmail.com]
>>> Sent: Monday, June 21, 2010 9:18 PM
>>> To: Tomcat Users List
>>> Subject: Re: question for sso session replication in tomcat 6.0.26
>>>
>>> Looking at the code I think this is wrong
>>>
>>>     if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>         _ssoSessionId += "." + jvmRoute;
>>>         response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>>     }
>>>
>>> The original sessionId will already have the "."+_any_other_jvmRoute
>>> included, so you need to substring it, and append the new jvmRoute.
>>>
>>>     _ssoSessionId = _ssoSessionId.substring(0, _ssoSessionId.indexOf("."));
>>>
>>> and then add
>>>
>>>     _ssoSessionId += "." + jvmRoute;
>>>
>>> AB
>>>
>>> On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD)
>>> <yasushi.ok...@takedasd.com> wrote:
>>>> Hi experts
>>>>
>>>> I found this old email from archive in TC 5.5.23.
>>>>
>>>> Does this problem still exist in tomcat 6.0.x or 6.0.26?
>>>>
>>>> When failover occurs, sso session id is updated with new number after
>>>> forcing a user to relogin to the application since sso session id is not
>>>> replicated and rewritten correctly. Could someone explain what is
>>>> expected in current tomcat 6.0.x cluster upon failover? Should sso
>>>> session id be replicated correctly in tomcat 6.0.x?
>>>>
>>>> Thanks,
>>>>
>>>> yasushi
>>>>
>>>> ROOKIE wrote:
>>>> Hi,
>>>> I have a problem with tomcat cluster + mod_proxy load balancer :
>>>>
>>>> We have a main app which authenticates itself to a webapp, and from this
>>>> app one can launch embedded apps which use the SSO cookie to access other
>>>> webapps on the server (Single-Sign-On for the user).
>>>>
>>>> Things are working perfectly for the normal cookie but not for the sso
>>>> cookie.
>>>>
>>>> The problem I have is that tomcat does not replicate SSO sessions so
>>>> when these embedded apps route through the load balancer we get 401s on
>>>> all the other cluster members except the one which actually generated
>>>> the SSO cookie.
>>>>
>>>> I wanted to know if we can edit the SSO cookie generated by tomcat to
>>>> also contain the jvmRoute parameter so that the load balancer directly
>>>> goes to the correct cluster member.
>>>>
>>>> I tried doing this in my code by fetching the SSO cookie and appending
>>>> to it the jvmRoute as follows :
>>>>
>>>>     HttpServletRequest request =
>>>>         (HttpServletRequest)Security.getContext(HttpServletRequest.class);
>>>>     HttpServletResponse response =
>>>>         (HttpServletResponse)Security.getContext(HttpServletResponse.class);
>>>>     if(request != null) {
>>>>         String jvmRoute = "Vinod_Cluster_1"; // as mentioned in server.xml
>>>>         Cookie[] cookies = request.getCookies();
>>>>         for(int nc=0; cookies != null && nc < cookies.length; nc++) {
>>>>             if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>                 _sessionId = cookies[nc].getValue();
>>>>             }
>>>>             else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>>                 _ssoSessionId = cookies[nc].getValue();
>>>>                 if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>>                     _ssoSessionId += "." + jvmRoute;
>>>>                     response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>>>                 }
>>>>             }
>>>>         }
>>>>     }
>>>>
>>>> But after this I started getting 401s from even the correct cluster
>>>> member. My guess is addCookie doesn't update the cookie in tomcat's cache
>>>> which is reasonable.
>>>>
>>>> Other thought was to edit tomcat's sso cookie generation code to append
>>>> the jvmRoute to the sso cookie.
>>>>
>>>> Is there a better way to achieve this in my code base ?
>>>>
>>>> Thanks In Advance,
>>>> Vinod

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
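
Added example, not part of the original thread or of Tomcat's code: the route-suffix handling that Andrew Bruno's quoted reply describes, extended to cover an id with no route yet (where indexOf(".") returns -1 and a bare substring would throw) and a route name that is a prefix of another. The class, its method names and the sample cookie values are constructed for illustration; it shows only the string handling and makes no claim about how the SSO valve treats a rewritten id.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper for illustration; none of these names are Tomcat APIs.
public final class RouteSuffixDemo {

    /** Returns the route after the first '.', or null when the id carries none. */
    static String routeOf(String id) {
        int dot = id.indexOf('.');
        return (dot < 0 || dot == id.length() - 1) ? null : id.substring(dot + 1);
    }

    /** Strips any existing route and appends jvmRoute; safe when no '.' is present. */
    static String withRoute(String id, String jvmRoute) {
        int dot = id.indexOf('.');
        String base = (dot < 0) ? id : id.substring(0, dot);
        return base + "." + jvmRoute;
    }

    /** Splits a Cookie request header into name/value pairs, in order. */
    static Map<String, String> parseCookieHeader(String header) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String part : header.split(";")) {
            int eq = part.indexOf('=');
            if (eq > 0) {
                out.put(part.substring(0, eq).trim(), part.substring(eq + 1).trim());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed header: the ids are made up. Only JSESSIONID carries a
        // route, which is what the thread reports seeing in the browser.
        String header = "JSESSIONID=0A1B2C3D.jvm1; JSESSIONIDSSO=4E5F6A7B";
        for (Map.Entry<String, String> e : parseCookieHeader(header).entrySet()) {
            System.out.println(e.getKey() + " route=" + routeOf(e.getValue()));
        }

        // No route yet: appended without calling substring(0, -1).
        System.out.println(withRoute("4E5F6A7B", "jvm2"));
        // Already routed to another node: the old route is replaced, not stacked.
        System.out.println(withRoute("4E5F6A7B.jvm1", "jvm2"));

        // contains(".jvm1") also matches an id routed to jvm10, so the check
        // from the thread would skip the rewrite; comparing routes does not.
        String other = "4E5F6A7B.jvm10";
        System.out.println("contains: " + other.contains(".jvm1"));
        System.out.println("equals:   " + "jvm1".equals(routeOf(other)));
    }
}
```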