Are you using a "jvmRoute" setting on your BalancerMember definition in mod_proxy config and on the <Engine/> element in server.xml? Your cookie would have the jvmRoute property added to the end of it (e.g. ALONGMD5HASH.server1) if so.
From the Almighty Google: http://community.jboss.org/wiki/usingmodproxywithjboss Jon Brisbin Portal Webmaster NPC International, Inc. On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote: > Hi > > I downloaded apache apache v2.2.15 and compiled and installed, but the > result was the same. > > Session sso replication looked like failed. Upon shutting down the > node, it kicked me out of password protected area and needed to re-loin > on the second node. > > On apache, I installed/enabled all modules including basic > authentication etc. Is there any requirement on apache side or how the > virtual host should be set up in httpd.conf to make sso failover work? > > Thanks, > yasushi > > -----Original Message----- > From: Pid [mailto:p...@pidster.com] > Sent: Tuesday, June 22, 2010 8:04 AM > To: Tomcat Users List > Subject: Re: question for sso session replication in tomcat 6.0.26 > > On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: >> Hi Andrew >> >> In case of no failover, SSO works for all web applications on the same > host. Upon failover [shutting down one node], a user is routed to the > other node, and TC is asking for a user to re-login when he/she tried to > access password protected area. >> >> I have checked many times on server.xml and session replication is > working fine upon failover, so I cannot think any misconfiguration on > server.xml >> The issue is SSO failover is not working. I think it might be related > to my apache virtual host setup, but could not figure it out. >> >> Thanks for your help, >> yasushi >> >> I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] > > mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional > but not perfect & there are many bugfixes and improvements since then, > you should upgrade HTTPD. > > > p > >> OS : Redhat Linux 64bit RHEL v5.5 >> JDK : 1.6.0.20 >> >> === I created virtual host on port 9050 == >> Httpd.conf >> >> <VirtualHost 10.250.200.57:9050> >> ServerAdmin xyz >> ServerName webclust1.xyz.com >> ServerAlias webclust1 >> ErrorLog logs/webclust_cluster_error.log >> CustomLog logs/webclust-cluster-access_log common >> >> <Location /balancer-manager> >> SetHandler balancer-manager >> >> Order Deny,Allow >> Deny from all >> Allow from all >> </Location> >> >> ProxyRequests off >> <Proxy balancer://webclust> >> BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 > route=jvm1 >> BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 > route=jvm2 >> BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 > route=jvm3 >> Order Deny,Allow >> Allow from all >> </Proxy> >> >> #Do not proxy balancer-manager >> ProxyPass /balancer-manager ! >> >> <Location /examples> >> ProxyPass balancer://webclust/examples > stickysession=JSESSIONID|jsessionid >> ProxyPassReverse balancer://webclust/examples >> Order Deny,Allow >> Allow from all >> </Location> >> >> <Location / > >> ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid >> ProxyPassReverse balancer://webclust/ >> Order Deny,Allow >> Allow from all >> </Location> >> >> >> === server.xml === >> <!-- Define an AJP 1.3 Connector on port 8009 --> >> <Connector port="9002" protocol="AJP/1.3" redirectPort="8443" /> >> >> <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> >> >> <Host name="localhost" appBase="webapps" >> unpackWARs="true" autoDeploy="true" >> xmlValidation="false" xmlNamespaceAware="false"> >> >> <Cluster > className="org.apache.catalina.ha.tcp.SimpleTcpCluster" >> channelSendOptions="4"> >> >> <Manager > className="org.apache.catalina.ha.session.DeltaManager" >> name="node2" >> expireSessionsOnShutdown="false" >> notifyListenersOnReplication="true"/> >> >> <Channel > className="org.apache.catalina.tribes.group.GroupChannel"> >> <Membership > className="org.apache.catalina.tribes.membership.McastService" >> address="228.0.0.5" >> port="45564" >> frequency="500" >> dropTime="3000"/> >> <Receiver > className="org.apache.catalina.tribes.transport.nio.NioReceiver" >> address="auto" >> port="4020" >> autoBind="100" >> selectorTimeout="5000" >> maxThreads="12"/> >> <Sender > className="org.apache.catalina.tribes.transport.ReplicationTransmitter"> >> <Transport > className="org.apache.catalina.tribes.transport.nio.PooledParallelSender > "/> >> </Sender> >> <Interceptor > className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetec > tor"/> >> <Interceptor > className="org.apache.catalina.tribes.group.interceptors.MessageDispatch > 15Interceptor"/> >> <Interceptor > className="org.apache.catalina.tribes.group.interceptors.ThroughputInter > ceptor"/> >> </Channel> >> >> <Valve > className="org.apache.catalina.ha.tcp.ReplicationValve" >> > filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt; > .*\.xls;.*\.sdf;.*\.xml;"/> >> <!-- only with jk_mod failover--> >> <Valve > className="org.apache.catalina.ha.session.JvmRouteBinderValve" >> enabled="true" sessionIdAttribute="takeoverSessionid" > /> >> <!-- >> <Deployer > className="org.apache.catalina.ha.deploy.FarmWarDeployer" >> tempDir="/tmp/war-temp/" >> > deployDir="/usr/local/apache/node2-tomcat-6.0.26/webapps" >> watchDir="/tmp/war-listen/" >> watchEnabled="true"/> >> --> >> <!-- only with jk_mod and jvmroutebindervalve--> >> <ClusterListener > className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListene > r"/> >> <ClusterListener > className="org.apache.catalina.ha.session.ClusterSessionListener"/> >> </Cluster> >> >> <Valve > className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn" /> >> >> <Valve className="org.apache.catalina.valves.AccessLogValve" > directory="logs" >> prefix="webappqa_node2_access_log." suffix=".log" > pattern="common" resolveHosts="false"/> >> >> </Host> >> </Engine> >> >> >> -----Original Message----- >> From: Andrew Bruno [mailto:andrew.br...@gmail.com] >> Sent: Monday, June 21, 2010 10:09 PM >> To: Tomcat Users List >> Subject: Re: question for sso session replication in tomcat 6.0.26 >> >> Oh sorry, I re-read your answer. Not sure why SSO is not working, be >> interested to find out though.. >> >> AB >> >> On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno <andrew.br...@gmail.com> > wrote: >>> Hi Yasushi >>> >>> In your serverl.xml have you added the jvmroute to the Engine? >>> >>> i.e. >>> >>> <Engine name="Catalina" defaultHost="localhost" jvmRoute="1"> >>> >>> Andrew >>> >>> On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD) > <yasushi.ok...@takedasd.com> wrote: >>>> Hi Andrew >>>> >>>> Thank for your post. When I checked the session id from firefox, > sso session id [jsessionidsso] does not have jvmroute info, but only > jsessionid has jvmroute. So, session replication upon failover is > working fine, but singlesionon upon failover is not working on tomcat > 6.0.x (including 6.0.26). >>>> >>>> yasushi >>>> >>>> -----Original Message----- >>>> From: Andrew Bruno [mailto:andrew.br...@gmail.com] >>>> Sent: Monday, June 21, 2010 9:18 PM >>>> To: Tomcat Users List >>>> Subject: Re: question for sso session replication in tomcat 6.0.26 >>>> >>>> Looking at the code I think this is wrong >>>> >>>> if (!_ssoSessionId.contains("." + jvmRoute)) { >>>> _ssoSessionId += "." + jvmRoute; >>>> response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, > _ssoSessionId)); >>>> } >>>> >>>> The original sessionId will already have the "."+_any_other_jvmRoute >>>> included, so you need to substring it, and append the new jvmRoute. >>>> >>>> _ssoSessionId= _ssoSessionId.substring(0, > _ssoSessionId.indexOf(".")) >>>> >>>> and then add >>>> >>>> _ssoSessionId += "." + jvmRoute; >>>> >>>> AB >>>> >>>> On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD) >>>> <yasushi.ok...@takedasd.com> wrote: >>>>> Hi experts >>>>> >>>>> >>>>> >>>>> I found this old email from archive in TC 5.5.23. >>>>> >>>>> Does this problem still exist in tomcat 6.0.x or 6.0.26? >>>>> >>>>> >>>>> >>>>> When failover occurs, sso session id is updated with new number > after >>>>> forcing a user to relogin to the application since sso session id > is not >>>>> replicated and rewritten correctly. Could someone explain what is >>>>> expected in current tomcat 6.0.x cluster upon failover? Should sso >>>>> session id is replicated correctly in tomcat 6.0.x? >>>>> >>>>> >>>>> >>>>> Thanks, >>>>> >>>>> yasushi >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> ROOKIE wrote: >>>>> Hi, >>>>> I have a problem with tomcat cluster + mod_proxy load balancer : >>>>> >>>>> We have a main app which authenticate itself to a webapp and from > this >>>>> app one >>>>> can launch embedded apps which use the SSO cookie to access other >>>>> webapps on >>>>> the server (Single-Sign-On for the user). >>>>> >>>>> Things are working perfectly for the normal cookie but not for the > sso >>>>> cookie. >>>>> >>>>> >>>>> The problem I have is that tomcat does not replicate SSO sessions > so >>>>> when these embedded apps route through the load balancer we get > 401s on >>>>> all the other cluster members except the one which actually > generated >>>>> the SSO cookie. >>>>> >>>>> I wanted to know if we can edit the SSO cookie generated by tomcat > to >>>>> also >>>>> contain the jvmRoute parameter so that the load balancer directly > goes >>>>> to the >>>>> correct cluster member. >>>>> >>>>> >>>>> I tried doing this in my code by fetching the SSO cookie and > appending >>>>> to it >>>>> the jvmRoute as follows : >>>>> >>>>> HttpServletRequest request = >>>>> (HttpServletRequest)Security.getContext(HttpServletRequest.class); >>>>> HttpServletResponse response = >>>>> > (HttpServletResponse)Security.getContext(HttpServletResponse.class); >>>>> if(request != null) { >>>>> String jvmRoute = "Vinod_Cluster_1"; // as mentioned > in >>>>> server.xml >>>>> Cookie[] cookies = request.getCookies(); >>>>> for(int nc=0; cookies != null && nc < cookies.length; > nc++) >>>>> { >>>>> > if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) { >>>>> _sessionId = cookies[nc].getValue(); >>>>> } >>>>> >>>>> else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) { >>>>> >>>>> _ssoSessionId = cookies[nc].getValue(); >>>>> if (!_ssoSessionId.contains("." + jvmRoute)) { >>>>> _ssoSessionId += "." + jvmRoute; >>>>> >>>>> response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, > _ssoSessionId)); >>>>> } >>>>> >>>>> >>>>> } >>>>> >>>>> >>>>> But after this I started getting 401s from even the correct cluster >>>>> member. My guess is addCookie doesnt update the cookie in tomcat's > cache >>>>> which is reasonable. >>>>> >>>>> Other thought was to edit tomcat's sso cookie generation code to > append >>>>> the >>>>> jvmRoute to the sso cookie. >>>>> >>>>> >>>>> Is there an better way to achieve this in my code base ? >>>>> >>>>> Thanks In Advance, >>>>> Vinod >>>>> >>>>> >>>>> >>>>> >>>> >>>> > --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>> For additional commands, e-mail: users-h...@tomcat.apache.org >>>> >>>> >>>> >>>> >>>> > --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>> For additional commands, e-mail: users-h...@tomcat.apache.org >>>> >>>> >>> >>> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
