Tomcat session replication via backup manager - attributes are not being saved on backup session
Hi,

I'm using Tomcat clustering of 2 Tomcats, and session replication via backup manager. On session creation in one Tomcat instance, the other Tomcat replicates the session successfully, but the attribute list is empty no matter how much I add to it (the primary session's attribute list is fine). Any ideas why that happens?
Websockets with tomcat clustering and session replication
Hi,

I've asked here before about how I get session replication over websocket sessions. Mark Thomas answered me that I should try and link the HttpSession with the websocket and then I will gain the replication abilities. So, I listened and implemented it just like in this URL: http://stackoverflow.com/questions/17936440/accessing-httpsession-from-httpservletrequest-in-a-web-socket-socketendpoint

So now I'm able to get the session for each client, and I do get replication! Pretty nice! The only problem is, while I'm adding new attributes to the primary session (in tomcat#1 for example), the replicated sessions (in tomcat#2 for example) do NOT contain any attributes. The session backup is there but no attributes at all. My POC web application has one html page with javascript web socket send/receive messages.

What I did notice that might shed light on what the problem is, is the following scenario: if I press F5 on the browser, the web page is loaded and a new http handshake takes place. When that happens all the attributes do replicate!!! Is there a way to make the attributes replicate without the need of refreshing the page?

Thanks!
Re: multiple servers and digest authentication
Christophe,

On 11/29/13, 8:55 PM, Dehaudt, Christophe wrote:
> 1/ Sticky session : yes, that is the way I have currently set my load balancer. But there is a drawback when the client is continuously using the service = because it will never be load balanced again.

When the sticky cookie expires, the client can be re-balanced.

> The worst is when one of the servers is stopped and restarted = all the clients will be redistributed to the still alive servers, and when the server is restarted, it will not pick up any load

It will pick-up new load.

> To work-around this problem, with sticky session on, I have patched my client to clear the sticky cookie every X minutes. That enforces the load balancer to give me the less used servers (possibly the one that has been restarted)

This should be configurable on the server and/or the lb. You shouldn't have to modify the client.

> 2/ front-end load balancer solution: my configuration is with an F5 load balancer (citrix).

I'm not sure what that means. F5 and Citrix are competitors AFAIK.

> From what I understand, the question is : can we configure the F5 to manage the nonce and then delegate the authentication to the servers (tomcat)- .

That's not going to work unless you tell the (Tomcat) server that the (F5) client is trusted. If the client is trusted (as far as Tomcat is concerned), then there is no need for authentication. Tomcat will not implement such capabilities. You'll need to do that yourself.

> Any idea if this is feasible from F5/tomcat point of views?

I don't believe you can have the F5 manage any part of the authentication. But you can use (expiring!) sticky load-balancing. I've never used an F5 but I suspect that you can use a combination of lb-generated cookie + server-generated cookie to achieve a unified stickiness. What you want is the following:

1. 2-step authentication has both steps going to the same server (can use F5's cookie for stickiness)
2. Subsequent authenticated requests go to that same server (can use Tomcat's cookie for stickiness)
3. All stickiness expires when the user's authenticated session expires.

Since HTTP-DIGEST authentication does not have a standard way to de-authenticate a client, you'll have to figure out when this happens. I would use the invalidation of the session cookie to trigger a reset of the F5's stickiness cookie. I'm not sure how to actually do that with an F5.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: multiple servers and digest authentication
> From: cdeha...@ebay.com
> To: users@tomcat.apache.org
> CC: cdeha...@ebay.com
> Subject: Re: multiple servers and digest authentication
> Date: Sat, 30 Nov 2013 01:55:32 +
>
> Hi,
>
> Thanks for your answers:
>
> 1/ Sticky session : yes, that is the way I have currently set my load balancer. But there is a drawback when the client is continuously using the service = because it will never be load balanced again. The worst is when one of the servers is stopped and restarted = all the clients will be redistributed to the still alive servers, and when the server is restarted, it will not pick up any load.
>
> To work-around this problem, with sticky session on, I have patched my client to clear the sticky cookie every X minutes. That enforces the load balancer to give me the less used servers (possibly the one that has been restarted)
>
> 2/ front-end load balancer solution: my configuration is with an F5 load balancer (citrix). From what I understand, the question is : can we configure the F5 to manage the nonce and then delegate the authentication to the servers (tomcat)- .
>
> It will require:
> F5 to manage the nonce (will send back the 401 when nonce not valid) but

MG here is the XSD element definition for noonce using wss4j
MG xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
MG <!-- KANonce -->
<ObjectProvider qualifiedName="xenc:KA-Nonce">
    <BuilderClass className="org.opensaml.xml.encryption.impl.KANonceBuilder" />
    <MarshallingClass className="org.opensaml.xml.schema.impl.XSBase64BinaryMarshaller" />
    <UnmarshallingClass className="org.opensaml.xml.schema.impl.XSBase64BinaryUnmarshaller" />
</ObjectProvider>

MG so how would F5 build out a noonce such as
<EncryptedData>
    <EncryptionMethod Algorithm="Example:Block/Alg">
        <KeySize>80</KeySize>
    </EncryptionMethod>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <AgreementMethod Algorithm="example:Agreement/Algorithm">
            <KA-Nonce>Zm9v</KA-Nonce>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"/>
            <OriginatorKeyInfo>
                <ds:KeyValue></ds:KeyValue>
            </OriginatorKeyInfo>
            <RecipientKeyInfo>
                <ds:KeyValue></ds:KeyValue>
            </RecipientKeyInfo>
        </AgreementMethod>
    </ds:KeyInfo>
    <CipherData>...</CipherData>
</EncryptedData>
MG ?

> not verify the user credential and pass that to servers
> Servers (tomcat) to not check the nonce but check the credential.
>
> I have read the description of the tomcatAuthentication flag from André's link, but I'm not sure it does what I expect
>
> Any idea if this is feasible from F5/tomcat point of views?
> Any other suggestions? ;)
>
> Thanks,
> Xtof
>
> On 11/27/13 9:04 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
>> André,
>>
>> On 11/27/13, 5:15 AM, André Warnier wrote:
>>> Mark Thomas wrote:
>>>> On 27/11/2013 07:34, Dehaudt, Christophe wrote:
>>>>> Is there a way to share the nonce between servers so they can act as one?
>>>>
>>>> No. You'd need to customise the DigestAuthenticator to do that.
>>>>
>>>>> I would like to get your advices , how to make a multiple server deployment running with Http digest.
>>>>
>>>> Use sticky load-balancing.
>>>
>>> Or do the authentication at the front-end load-balancer level, and set Tomcat's authentication to accept what the front-end says ? (E.g. https://tomcat.apache.org/tomcat-8.0-doc/config/ajp.html#Standard_Implementations #tomcatAuthentication)
>>
>> While it is popular to do so, I don't think anyone really uses httpd for industrial-strength load-balancing.
>>
>> Can an F5 do authentication (and forward it to Tomcat?). I suspect not in any way that would work well with the back-end application.
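Why Mark's answer in the quoted thread is "no" unless the authenticator is customised, as an added Python illustration that is my own and not Tomcat's DigestAuthenticator: a node only accepts a Digest nonce it can recognise, and the scheme used here (issue time plus an HMAC under a cluster-wide secret, an assumption for the example) is one way nonces could be checked by any node without a shared nonce store. The secret, realm and user are constructed sample data.

```python
import hashlib
import hmac

# Assumed, constructed nonce scheme (not Tomcat's DigestAuthenticator):
# nonce = "<issue-time>:<HMAC-SHA256(secret, issue-time)>", so any node that
# holds the same secret can check a nonce without a shared nonce store.

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def mint_nonce(secret: bytes, now: int) -> str:
    tag = hmac.new(secret, str(now).encode(), hashlib.sha256).hexdigest()
    return f"{now}:{tag}"

def nonce_is_valid(secret: bytes, nonce: str, now: int, max_age: int = 300) -> bool:
    issued, sep, tag = nonce.partition(":")
    if not sep or not issued.isdigit() or now - int(issued) > max_age:
        return False                                 # malformed or stale
    expected = hmac.new(secret, issued.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)        # minted under this secret?

def digest_response(user, realm, password, method, uri, nonce) -> str:
    """RFC 2617 'response' in its minimal form (no qop)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_check(secret, realm, users, now, method, uri, user, nonce, response):
    """What one back-end node decides for a single Authorization header."""
    if not nonce_is_valid(secret, nonce, now):
        return "nonce-rejected"                      # client gets a fresh 401 challenge
    password = users.get(user)
    if password is None:
        return "bad-credentials"
    expected = digest_response(user, realm, password, method, uri, nonce)
    return "ok" if hmac.compare_digest(expected, response) else "bad-credentials"

def demo():
    """Constructed data: node A mints the nonce, other nodes try to accept it."""
    realm, users = "example", {"alice": "s3cret"}
    shared, other = b"cluster-secret", b"a-different-secret"
    t0 = 1385800000
    nonce = mint_nonce(shared, t0)                   # challenge issued by node A
    resp = digest_response("alice", realm, "s3cret", "GET", "/app/", nonce)
    def check(secret, now, response=resp):
        return server_check(secret, realm, users, now, "GET", "/app/", "alice", nonce, response)
    return {"same_secret": check(shared, t0 + 5),             # -> "ok"
            "different_secret": check(other, t0 + 5),         # -> "nonce-rejected"
            "stale": check(shared, t0 + 3600),                # -> "nonce-rejected"
            "wrong_password": check(shared, t0 + 5, "0" * 32)}  # -> "bad-credentials"
```

A node holding a different secret (or a per-instance random key) can only answer with a new challenge, which is the round trip the thread is trying to avoid with sticky sessions.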
j_security_check error
I'm using Tomcat and a MySQL database that contains usernames/passwords/roles for form-based authentication. Logging in with a correct username/password successfully directs to index.jsp (from login.jsp). Logging in with an incorrect username/password successfully directs to error.jsp (from login.jsp). However, an unsuccessful login followed by attempting to login with the correct username/password leads to an HTTP Status 404 j_security_check error that says the requested resource is not available. Does anyone know what may be wrong? Here are the details of my configuration.

Software
-Windows 7
-MySQL 5.6
-Tomcat 7.042

context.xml

<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" antiResourceLocking="true" path="/webapp">
    <Realm className="org.apache.catalina.realm.JDBCRealm"
           driverName="com.mysql.jdbc.Driver"
           connectionURL="jdbc:mysql://localhost:3306/database"
           connectionName="username" connectionPassword="password"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name"/>
</Context>

login.jsp

<html>
<head>
    <title>mywebapp demo</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
    <div class="content">
        <b>Please login to continue</b>
        <form method="post" action="j_security_check">
            <table>
                <tr>
                    <td><label for="username">Username:</label></td>
                    <td><input id="username" type="text" name="j_username"></td>
                </tr>
                <tr>
                    <td><label for="password">Password:</label></td>
                    <td><input id="password" type="password" name="j_password"></td>
                    <td><input type="submit" value="Login" /></td>
                </tr>
            </table>
        </form>
    </div>
</body>
</html>

web.xml (for the webapp)

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
    <display-name>webapp</display-name>
    <description>Form-Based Authentication with mySQL</description>
    <resource-ref>
        <description>mySQL Database</description>
        <res-ref-name>jdbc/database</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
    </resource-ref>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>webapps</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>rolename</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
</web-app>
Re: j_security_check error
J. Brian Hall wrote:
> I'm using Tomcat and a MySQL database that contains usernames/passwords/roles for form-based authentication. Logging in with a correct username/password successfully directs to index.jsp (from login.jsp). Logging in with an incorrect username/password successfully directs to error.jsp (from login.jsp). However, an unsuccessful login followed by attempting to login with the correct username/password leads to an HTTP Status 404 j_security_check error that says the requested resource is not available. Does anyone know what may be wrong? Here are the details of my configuration.

To understand what is going on there, I suggest that you install a browser plugin such as HttpFox, Live HTTP headers, or Fiddler2 (for IE), and that you have a look at which request URLs and HTTP headers are really being sent by the browser to the server (and vice-versa), at each step.

Probably what happens is that the original URL requested by the browser is lost somewhere when you go through the error page, and that by the time you do the second (correct) authentication, the server does not know anymore where to forward the (now authenticated) request to. So it ends up being forwarded to some invalid URL, and you get back a 404 error.

What does your error.jsp page really look like ?
Re: install war with xml and define environment values
Hello,

On 01.12.2013 at 15:31, Martin Gainty <mgai...@hotmail.com> wrote:
> MG I was going to suggest using ln but since your docBase is based on the value of base folder ${user.home}
> MG any change to user.home will automatically rebase your war after context redeploy
>
>> I have got a precompiled war file and in the web.xml exist some values, e.g.:
>>
>> <init-param>
>>     <param-name>database.location</param-name>
>>     <param-value>${user.home}/sysdata</param-value>
>> </init-param>
>>
>> The Tomcat runs under root, so it creates the data files under /root/sysdata, but I would like to change the directory; the data should be stored in /home/mywar/sysdata
>>
>> Phil
Re: install war with xml and define environment values
On 12/1/2013 1:55 PM, Philipp Kraus wrote:
> Hello,
>
> I have got a precompiled war file and in the web.xml exist some values, e.g.:
>
> <init-param>
>     <param-name>database.location</param-name>
>     <param-value>${user.home}/sysdata</param-value>
> </init-param>
>
> The Tomcat runs under root, so it creates the data files under /root/sysdata, but I would like to change the directory; the data should be stored in /home/mywar/sysdata
>
> Phil

Run Tomcat as an unprivileged user. If you need to have Tomcat serve on port 80, use jsvc, iptables to map port 80 to port 8080, or place an Apache HTTPD server in front of Tomcat using mod_proxy_http, mod_proxy_ajp, or mod_jk.

You could also unpack the WAR file, change the param value, and repackage the WAR file. Of course, the user Tomcat is running under will need to have privileges to the directory you change the param value to.

. . . just my two cents.

/mde/
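Mark's second suggestion (unpack the WAR, change the param value, repackage it) done with Python's standard library, as an added example that is not part of the thread and not Tomcat tooling: it assumes the WAR's WEB-INF/web.xml declares the init-param exactly as in Phil's message, copies every other entry untouched, and builds a small constructed sample WAR to run against. It does not replace running Tomcat as an unprivileged user that owns the new directory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

_local = lambda tag: tag.rsplit("}", 1)[-1]      # element name without its XML namespace

def _init_params(root):
    """Yield (param-name text, param-value element) for each <init-param>."""
    for ip in root.iter():
        if _local(ip.tag) == "init-param":
            kids = {_local(c.tag): c for c in ip}
            if "param-name" in kids and "param-value" in kids:
                yield (kids["param-name"].text or "").strip(), kids["param-value"]

def rewrite_init_param(web_xml: bytes, name: str, new_value: str):
    root = ET.fromstring(web_xml)
    if root.tag.startswith("{"):                # keep the default namespace unprefixed
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    changed = 0
    for pname, pvalue in _init_params(root):
        if pname == name:
            pvalue.text, changed = new_value, changed + 1
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), changed

def repack_war(war: bytes, name: str, new_value: str):
    out, changed = io.BytesIO(), 0
    with zipfile.ZipFile(io.BytesIO(war)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():             # every entry is copied unchanged ...
            data = src.read(info)
            if info.filename == "WEB-INF/web.xml":   # ... except the descriptor
                data, changed = rewrite_init_param(data, name, new_value)
            dst.writestr(info, data)
    return out.getvalue(), changed

def read_init_param(war: bytes, name: str):
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        root = ET.fromstring(z.read("WEB-INF/web.xml"))
    return next((v.text for n, v in _init_params(root) if n == name), None)

def build_sample_war() -> bytes:                # constructed sample WAR, not a real app
    web_xml = ('<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4"><servlet>'
               '<servlet-name>app</servlet-name><init-param>'
               '<param-name>database.location</param-name>'
               '<param-value>${user.home}/sysdata</param-value></init-param>'
               '</servlet></web-app>')
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        z.writestr("WEB-INF/web.xml", web_xml)
        z.writestr("index.jsp", "<html><body>hello</body></html>")
    return buf.getvalue()
```

`repack_war(build_sample_war(), "database.location", "/home/mywar/sysdata")` returns the rewritten archive bytes and the count of parameters changed (1 here); a count of 0 means the descriptor did not carry that init-param and nothing was altered.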
Re: install war with xml and define environment values
Hello,

On 01.12.2013 at 23:40, Mark Eggers <its_toas...@yahoo.com> wrote:
> Run Tomcat as an unprivileged user. If you need to have Tomcat serve on port 80, use jsvc, iptables to map port 80 to port 8080, or place an Apache HTTPD server in front of Tomcat using mod_proxy_http, mod_proxy_ajp, or mod_jk.
>
> You could also unpack the WAR file, change the param value, and repackage the WAR file. Of course, the user Tomcat is running under will need to have privileges to the directory you change the param value to.

On my test system Tomcat 7 runs with root access, but on my production system it runs as an unprivileged user on port 9090 and an Nginx works as a proxy for https. This works fine, but Jenkins and a project planning system run on the Tomcat. My Jenkins installation is configured by an XML file in the /etc/tomcat7 directory with this content:

<Context docBase="/usr/share/jenkins/jenkins.war" privileged="true" allowLinking="true" crossContext="true" autoDeploy="true">
    <Environment name="JENKINS_HOME" value="/home/jenkins/" type="java.lang.String"/>
</Context>

With the value JENKINS_HOME I can change the data directory of Jenkins. The project planning system uses only ${user.home}, so I would like to redefine this environment value for this war only (because the backup system runs over the /home dir). I'm working with Tomcat for the first time, but not with Java.

Thanks
Phil