Hello Henri,
On 24.06.2013 17:09, Henri Gomez wrote:
> I'm faced a weird problem with a web application who didn't keep JSESSIONID
> generated by Apache Tomcat (via jvmRoute).
>
> This application is using ASF Shiro who in turn regenerate its own
> JSESSIONID (and replace one from Tomcat).
>
> It completly broke mod_jk/ajp load-balancing and sticky session.
>
> Did some of you allready encountered such problem ?
>
>
> For mod_jk, could we imagine to add support for another cookie, ie
> ROUTE_ID, who will be set by mod_jk and evaluated by its lb worker ?
>
> As temporary fix, I used mod_proxy like this :
>
> # JkMount /* nexus
>
> Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_
> ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
>
> <Proxy balancer://nxcluster>
> BalancerMember http://nexus1.mycorp.org:8080 route=nx
> BalancerMember http://nexus2.mycorp.org:8080 route=nx2
> ProxySet stickysession=ROUTEID
> </Proxy>
>
> ProxyPreserveHost On
> ProxyPass /balancer-manager !
> ProxyPass / balancer://nxcluster/
>
> <Location /balancer-manager>
> SetHandler balancer-manager
> Order Deny,Allow
> Deny from all
> Allow from localhost
> </Location>
>
> BTW, I'd like to keep jk for this configuration to stay consistent with
> other settings.
It seems Shiro recommend to extend
https://svn.apache.org/viewvc/shiro/trunk/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
in order to add the needed suffix to a new id when creating a session
cookie and to subtract it before forwarding the id to the shiro internals.
Some of the things you need are already implemented in recent mod_jk:
Strategy 1:
You can let mod_jk know about using another cookie by setting the worker
load balancer attribute "session_cookie" e.g. to "mycookie". You might
also want to change session_path to something non-standard such that an
occasional path encoding with the busted session id doesn't interfere
with mod_jk.
See "session_cookie" and "session_path" in
http://tomcat.apache.org/connectors-doc/reference/workers.html.
Strategy 2:
Directly set the route with Apache means into the Apache environment
variable JK_ROUTE. See "JK_ROUTE" in
http://tomcat.apache.org/connectors-doc/reference/apache.html.
The problem is how to set the cookie. You could do it using a servlet
filter on the Tomcat side. Such a simple filter could be added to the
webapp, without the need of changing the webapp sources. The filter is
independent and would just be added to web.xml and the WEB-INF/lib.
Letting mod_jk itself set the cookie could be a nice addition, because
it would be easy for it to do. It knows the correct route name, whether
the cookie was already received with the request and whether a failover
happened. Would be easy to add. The configuration would need to wire the
"HttpOnly" and "Secure" flags for the cookie.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
