Alright, success, multiple tomcats running, and sessions are persistent and
clustered.
I did have to add
if(!TurbineSession.getActiveSessions().contains(req.getSession()))
TurbineSession.addSession(req.getSession());
to Turbine.java. Right now, Sessions are only added in SessionListener.java
when they are created.
When the server restarts, it reloads the sessions - so they are not new.
So TurbineSession.getActiveSessions does not contain the existing sessions.
Also due to this bug
http://www.mail-archive.com/[email protected]/msg18838.html
That exists in the version of Tomcat my distro uses, I had to set change these
lines
// if (data.getSession().isNew())
// {
int timeout = configuration.getInt(SESSION_TIMEOUT_KEY,
SESSION_TIMEOUT_DEFAULT);
if (timeout != SESSION_TIMEOUT_DEFAULT &&
data.getSession().getMaxInactiveInterval() != timeout)
{
data.getSession().setMaxInactiveInterval(timeout);
}
// }
Just in case anyone else has issues replicating sessions.
Oh, and I had downloaded the Turbine 2.3.2 source in which the TorqueObject is
not serializable.
2.3.3 has this fixed.
> From: [email protected]
> To: [email protected]
> Subject: RE: ACL serialization.
> Date: Fri, 18 Dec 2009 20:33:59 +0000
>
>
> Alright, I solved the problem.
>
> The TorqueObject.java I had apparently was old. (I swear I just downloaded
> the source about a month ago)
>
> It didn't implement Serializable, therefore the
>
> obj in TorqueUser was not saving. Which was odd because I figured it should
> crash, but everything else about
> TorqueUser was serializing fine. How does half an object serialize, and the
> other parts not?
>
> Oh well, now I just have to figure out how to get the activesessions to save.
>
> My sessions restore, and I can perform actions/access pages correctly. But my
> admin list of who's logged on
> is empty.
>
> > Date: Fri, 18 Dec 2009 18:17:43 +0100
> > From: [email protected]
> > To: [email protected]
> > Subject: Re: ACL serialization.
> >
> > Sheldon Ross wrote:
> > > At the start it makes a distinction between permanent storage,
> > > and temporary. These appear to refer to (database) and (session)
> > > respectively. The problem lies with the fact that there is no link between
> > > the two.
> >
> > I cannot confirm this. data.getUser() provides the user object from the
> > session, where it is stored as User.SESSION_KEY.
> >
> > Likewise, the ACL for the user that you get with data.getACL() is stored
> > in the session as AccessControlList.SESSION_KEY.
> >
> > > The underlying user account object is stored in permanent storage
> > > and as such, if you update it's name, email, etc, it updates the permanent
> > > storage object in memory. However, the session has no record of this.
> >
> > It would have, if you manipulate the user object in the session. The
> > user object has a save()-method.
> >
> > > This appears to be a serious limitation for sharing sessions across
> > > server nodes.
> >
> > I guess the problem is just that the user/acl implementation is not
> > serializable for some reason.
> >
> > >> So I set the user and acl when someone logs in via
> > >>
> > >> user = TurbineSecurity.getAuthenticatedUser( username, password );
> > >> data.setUser(user);
> > >>
> > >> and the aforementioned ACL code.
> >
> > This is actually part of the session validator code.
> >
> > >>> data.save();
> >
> > This only saves the user object to the session, not the ACL. The ACL is
> > built and saved to the session by the AccessController.
> >
> > >>> Any thoughts as to what I'm doing wrong, and how I can get the ACL to
> > >>> persist with the
> > >>> session?
> >
> > If objects stored in the session are not serializable, Tomcat will log
> > that during shutdown or during startup. See your Tomcat logs for what
> > really happens.
> >
> > This problem looks strange to me. What session validators,
> > ACL-implementations or other security-related settings do you have in place?
> >
> > Bye, Thomas.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
>
> _________________________________________________________________
> Hotmail: Powerful Free email with security by Microsoft.
> http://clk.atdmt.com/GBL/go/171222986/direct/01/
_________________________________________________________________
Hotmail: Trusted email with powerful SPAM protection.
http://clk.atdmt.com/GBL/go/177141665/direct/01/
