Luc,

On 1/30/15 9:05 AM, Luc DALLEMANE wrote:
> Thanks for the reply, it is the JDBCRealm not the data source.

Your Resource configuration is therefore ignored.

The JDBCRealm should really not be used at all. Switch to
DataSourceRealm. If you don't like using your application's DataSource
for authentication (some folks don't), then create a second DataSource
just for authentication.

The DataSourceRealm has some significant advantages, such as being
able to use a configurable pool of Connections, instead of a single
Connection like JDBCRealm does. This improves performance and allows
for re-connections, etc. I think this will fix your immediate problem
plus eliminate some other problems down the line (like performance).

> I have set this password for test only, but it will be changed when
> everything is OK and in production. (But I didn't see I had
> pasted it...)

Good. :)

-chris

> -----Original Message-----
> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
> Sent: Friday, January 30, 2015 14:52
> To: Tomcat Users List
> Subject: Re: JDBC authentication problem
> 
> 2015-01-30 16:45 GMT+03:00 Luc DALLEMANE <ldallem...@alaloop.com>:
>> Hi,
>> 
>> 
>> I'm facing a problem with my web application.
>> 
>> 
>> I'm using Tomcat 7.0.56, Java 1.8, Postgres 9.4 and Debian 7.
>> 
>> The application is configured as follows:
>> 
>> 
>> The web server is located in a DMZ.
>> 
>> The database server is located in our LAN.
>> 
>> To communicate with each other, a firewall has been setup (Cisco
>> asa firewall)
>> 
>> 
>> To authenticate a user to the website, I use the tomcat JDBC
>> Realm.
> 
> 1. Realm configuration =? Is it JDBCRealm or DataSourceRealm? If it
> is the former, then your <Resource> is not used at all.
> 
> 2. Posting the actual password on a public mailing list? Consider
> it compromised.
> 
> 
>> At the beginning, everything works fine, but after about an hour
>> of inactivity, it's impossible to authenticate again:
>> 
>> Tomcat process seems to be running but doesn't log anything and
>> doesn't answer any other requests.
>> 
>> 
>> The firewall is rejecting the connection with the following
>> message : Deny TCP (no connection) from WEB/50790 to DB/5432 FIN
>> ACK on interface DMZ_clients
>> 
>> 
>> I thought the problem was that after a while, if tomcat connections
>> were not used, the firewall would drop them.
>> 
>> So, I tried to add "keepAlive" time-outs (tomcat side, postgres
>> side) but none of them worked:
>> 
>> 
>> Here is the tomcat context.xml :
>> 
>> 
>> <Resource name="jdbc/elkar" auth="Container" 
>> type="javax.sql.DataSource"
>> driverClassName="org.postgresql.Driver"
> [...]
>> />
>> 
>> 
>> The postgresql.conf :
>> 
>> 
>> # - TCP Keepalives -
>> # see "man 7 tcp" for details
>> 
>> #tcp_keepalives_idle = 300              # TCP_KEEPIDLE, in seconds;
>>                                         # 0 selects the system default
>> #tcp_keepalives_interval = 0            # TCP_KEEPINTVL, in seconds;
>>                                         # 0 selects the system default
>> #tcp_keepalives_count = 0
>> 
>> 
>> And finally, the Sysctl.conf :
>> 
>> 
>> net.ipv4.tcp_keepalive_time = 900
>> net.ipv4.tcp_keepalive_intvl = 60
>> net.ipv4.tcp_keepalive_probes = 9
>> 
>> 
>> 
>> Before that, the application was tested without using the
>> firewall and everything worked fine.
>> 
>> 
>> If you have any idea of why this is happening, I haven't found a
>> solution yet.
>> 
>> 
>> Regards, Luc D.
>> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
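
The switch recommended in the reply above could look like the following in the web application's context.xml. This is an added example, not configuration posted by anyone in the thread. It assumes Tomcat 7's default DBCP pool attribute names; the resource name `jdbc/elkarAuth`, the host, database, account, table and column names and all timing values are hypothetical placeholders.

```xml
<!-- Added example for Tomcat 7 (DBCP 1.x attribute names). -->
<Context>
  <!-- Second DataSource used only for authentication. The name
       "jdbc/elkarAuth", the URL and the account are hypothetical.
       Give the account SELECT rights on the two realm tables only. -->
  <!-- Pool settings aimed at a firewall that drops idle sessions:
       validate on borrow, sweep idle connections every 5 minutes,
       and retire connections idle for 30 minutes, well under the
       roughly one hour of inactivity reported in the thread. -->
  <Resource name="jdbc/elkarAuth" auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.example.internal:5432/exampledb"
            username="tomcat_auth_ro"
            password="REPLACE_WITH_SECRET"
            maxActive="10" maxIdle="2" maxWait="5000"
            validationQuery="SELECT 1"
            testOnBorrow="true"
            testWhileIdle="true"
            timeBetweenEvictionRunsMillis="300000"
            minEvictableIdleTimeMillis="1800000" />

  <!-- localDataSource="true" because the Resource is declared in this
       Context rather than in GlobalNamingResources. Table and column
       names are hypothetical and must match the real schema. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/elkarAuth"
         localDataSource="true"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name" />
</Context>
```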
