Hi Pid My colleague found that a bunch of undocumented attributes for DeltaManager, and he started using them, then he told me that it looked like sso failover started working. So, I went to tomcat source code (v6.0.26) and checked the options he used.
It turned out that sendAllSessionsWaitTime attribute needs to be set to -1. But this trick did not always work. sso failover still does not work in my test cases. Could you tell me the implications for this flag when we set to -1? It looks like DeltaManager will send replication messages all the time continuously. I am not sure if we want to set this flag on production since it still fails sso failover and may cause network issues. Have you found anything yet? yasushi -----Original Message----- From: Pid [mailto:p...@pidster.com] Sent: Wednesday, June 23, 2010 1:06 AM To: Tomcat Users List Subject: Re: question for sso session replication in tomcat 6.0.26 I'll have to look at the code, but maybe you're being affected by a recent bug whereby the session id changes after login but isn't then replicated. You might search bugzilla to see if this applies to 6.0.26. p On 22 Jun 2010, at 22:41, "Okubo, Yasushi (TSD)" <yasushi.ok...@takedasd.com> wrote: > > Hi > > There were two cookies created by Tomcat 6.0.26. One is for SSO, and the > other is for regular session between client and tomcat. JSESSIONID is > working fine : it means session replication and failover, but not > JSESSIONIDSSO. JSESSIONIDSSO is updated with new value upon relogin. > > yasushi > > > JSESSIONIDSSO > 65110434847FE0AA1F1EBF0EF0871D25 > > > JSESSIONID > 5CFE92814875C4DEFC554526147698A3.jvm2 > > -----Original Message----- > From: Jon Brisbin [mailto:jon.bris...@npcinternational.com] > Sent: Tuesday, June 22, 2010 2:17 PM > To: Tomcat Users List > Cc: Okubo, Yasushi (TSD) > Subject: Re: question for sso session replication in tomcat 6.0.26 > > Are you using a "jvmRoute" setting on your BalancerMember definition in > mod_proxy config and on the <Engine/> element in server.xml? Your cookie > would have the jvmRoute property added to the end of it (e.g. > ALONGMD5HASH.server1) if so. > > From the Almighty Google: > http://community.jboss.org/wiki/usingmodproxywithjboss > > Jon Brisbin > Portal Webmaster > NPC International, Inc. > > > > On Jun 22, 2010, at 3:48 PM, Okubo, Yasushi (TSD) wrote: > >> Hi >> >> I downloaded apache apache v2.2.15 and compiled and installed, but the >> result was the same. >> >> Session sso replication looked like failed. Upon shutting down the >> node, it kicked me out of password protected area and needed to > re-loin >> on the second node. >> >> On apache, I installed/enabled all modules including basic >> authentication etc. Is there any requirement on apache side or how > the >> virtual host should be set up in httpd.conf to make sso failover work? >> >> Thanks, >> yasushi >> >> -----Original Message----- >> From: Pid [mailto:p...@pidster.com] >> Sent: Tuesday, June 22, 2010 8:04 AM >> To: Tomcat Users List >> Subject: Re: question for sso session replication in tomcat 6.0.26 >> >> On 22/06/2010 15:56, Okubo, Yasushi (TSD) wrote: >>> Hi Andrew >>> >>> In case of no failover, SSO works for all web applications on the > same >> host. Upon failover [shutting down one node], a user is routed to the >> other node, and TC is asking for a user to re-login when he/she tried > to >> access password protected area. >>> >>> I have checked many times on server.xml and session replication is >> working fine upon failover, so I cannot think any misconfiguration on >> server.xml >>> The issue is SSO failover is not working. I think it might be > related >> to my apache virtual host setup, but could not figure it out. >>> >>> Thanks for your help, >>> yasushi >>> >>> I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3] >> >> mod_proxy_ajp appeared in 2.2.3 for the first time, it was functional >> but not perfect & there are many bugfixes and improvements since then, >> you should upgrade HTTPD. >> >> >> p >> >>> OS : Redhat Linux 64bit RHEL v5.5 >>> JDK : 1.6.0.20 >>> >>> === I created virtual host on port 9050 == >>> Httpd.conf >>> >>> <VirtualHost 10.250.200.57:9050> >>> ServerAdmin xyz >>> ServerName webclust1.xyz.com >>> ServerAlias webclust1 >>> ErrorLog logs/webclust_cluster_error.log >>> CustomLog logs/webclust-cluster-access_log common >>> >>> <Location /balancer-manager> >>> SetHandler balancer-manager >>> >>> Order Deny,Allow >>> Deny from all >>> Allow from all >>> </Location> >>> >>> ProxyRequests off >>> <Proxy balancer://webclust> >>> BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 > smax=145 >> route=jvm1 >>> BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 > smax=145 >> route=jvm2 >>> BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 > smax=145 >> route=jvm3 >>> Order Deny,Allow >>> Allow from all >>> </Proxy> >>> >>> #Do not proxy balancer-manager >>> ProxyPass /balancer-manager ! >>> >>> <Location /examples> >>> ProxyPass balancer://webclust/examples >> stickysession=JSESSIONID|jsessionid >>> ProxyPassReverse balancer://webclust/examples >>> Order Deny,Allow >>> Allow from all >>> </Location> >>> >>> <Location / > >>> ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid >>> ProxyPassReverse balancer://webclust/ >>> Order Deny,Allow >>> Allow from all >>> </Location> >>> >>> >>> === server.xml === >>> <!-- Define an AJP 1.3 Connector on port 8009 --> >>> <Connector port="9002" protocol="AJP/1.3" redirectPort="8443" /> >>> >>> <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> >>> >>> <Host name="localhost" appBase="webapps" >>> unpackWARs="true" autoDeploy="true" >>> xmlValidation="false" xmlNamespaceAware="false"> >>> >>> <Cluster >> className="org.apache.catalina.ha.tcp.SimpleTcpCluster" >>> channelSendOptions="4"> >>> >>> <Manager >> className="org.apache.catalina.ha.session.DeltaManager" >>> name="node2" >>> expireSessionsOnShutdown="false" >>> notifyListenersOnReplication="true"/> >>> >>> <Channel >> className="org.apache.catalina.tribes.group.GroupChannel"> >>> <Membership >> className="org.apache.catalina.tribes.membership.McastService" >>> address="228.0.0.5" >>> port="45564" >>> frequency="500" >>> dropTime="3000"/> >>> <Receiver >> className="org.apache.catalina.tribes.transport.nio.NioReceiver" >>> address="auto" >>> port="4020" >>> autoBind="100" >>> selectorTimeout="5000" >>> maxThreads="12"/> >>> <Sender >> > className="org.apache.catalina.tribes.transport.ReplicationTransmitter"> >>> <Transport >> > className="org.apache.catalina.tribes.transport.nio.PooledParallelSender >> "/> >>> </Sender> >>> <Interceptor >> > className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetec >> tor"/> >>> <Interceptor >> > className="org.apache.catalina.tribes.group.interceptors.MessageDispatch >> 15Interceptor"/> >>> <Interceptor >> > className="org.apache.catalina.tribes.group.interceptors.ThroughputInter >> ceptor"/> >>> </Channel> >>> >>> <Valve >> className="org.apache.catalina.ha.tcp.ReplicationValve" >>> >> > filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt; >> .*\.xls;.*\.sdf;.*\.xml;"/> >>> <!-- only with jk_mod failover--> >>> <Valve >> className="org.apache.catalina.ha.session.JvmRouteBinderValve" >>> enabled="true" sessionIdAttribute="takeoverSessionid" >> /> >>> <!-- >>> <Deployer >> className="org.apache.catalina.ha.deploy.FarmWarDeployer" >>> tempDir="/tmp/war-temp/" >>> >> deployDir="/usr/local/apache/node2-tomcat-6.0.26/webapps" >>> watchDir="/tmp/war-listen/" >>> watchEnabled="true"/> >>> --> >>> <!-- only with jk_mod and jvmroutebindervalve--> >>> <ClusterListener >> > className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListene >> r"/> >>> <ClusterListener >> className="org.apache.catalina.ha.session.ClusterSessionListener"/> >>> </Cluster> >>> >>> <Valve >> className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn" > /> >>> >>> <Valve className="org.apache.catalina.valves.AccessLogValve" >> directory="logs" >>> prefix="webappqa_node2_access_log." suffix=".log" >> pattern="common" resolveHosts="false"/> >>> >>> </Host> >>> </Engine> >>> >>> >>> -----Original Message----- >>> From: Andrew Bruno [mailto:andrew.br...@gmail.com] >>> Sent: Monday, June 21, 2010 10:09 PM >>> To: Tomcat Users List >>> Subject: Re: question for sso session replication in tomcat 6.0.26 >>> >>> Oh sorry, I re-read your answer. Not sure why SSO is not working, be >>> interested to find out though.. >>> >>> AB >>> >>> On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno > <andrew.br...@gmail.com> >> wrote: >>>> Hi Yasushi >>>> >>>> In your serverl.xml have you added the jvmroute to the Engine? >>>> >>>> i.e. >>>> >>>> <Engine name="Catalina" defaultHost="localhost" jvmRoute="1"> >>>> >>>> Andrew >>>> >>>> On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD) >> <yasushi.ok...@takedasd.com> wrote: >>>>> Hi Andrew >>>>> >>>>> Thank for your post. When I checked the session id from firefox, >> sso session id [jsessionidsso] does not have jvmroute info, but only >> jsessionid has jvmroute. So, session replication upon failover is >> working fine, but singlesionon upon failover is not working on tomcat >> 6.0.x (including 6.0.26). >>>>> >>>>> yasushi >>>>> >>>>> -----Original Message----- >>>>> From: Andrew Bruno [mailto:andrew.br...@gmail.com] >>>>> Sent: Monday, June 21, 2010 9:18 PM >>>>> To: Tomcat Users List >>>>> Subject: Re: question for sso session replication in tomcat 6.0.26 >>>>> >>>>> Looking at the code I think this is wrong >>>>> >>>>> if (!_ssoSessionId.contains("." + jvmRoute)) { >>>>> _ssoSessionId += "." + jvmRoute; >>>>> response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, >> _ssoSessionId)); >>>>> } >>>>> >>>>> The original sessionId will already have the > "."+_any_other_jvmRoute >>>>> included, so you need to substring it, and append the new jvmRoute. >>>>> >>>>> _ssoSessionId= _ssoSessionId.substring(0, >> _ssoSessionId.indexOf(".")) >>>>> >>>>> and then add >>>>> >>>>> _ssoSessionId += "." + jvmRoute; >>>>> >>>>> AB >>>>> >>>>> On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD) >>>>> <yasushi.ok...@takedasd.com> wrote: >>>>>> Hi experts >>>>>> >>>>>> >>>>>> >>>>>> I found this old email from archive in TC 5.5.23. >>>>>> >>>>>> Does this problem still exist in tomcat 6.0.x or 6.0.26? >>>>>> >>>>>> >>>>>> >>>>>> When failover occurs, sso session id is updated with new number >> after >>>>>> forcing a user to relogin to the application since sso session id >> is not >>>>>> replicated and rewritten correctly. Could someone explain what is >>>>>> expected in current tomcat 6.0.x cluster upon failover? Should > sso >>>>>> session id is replicated correctly in tomcat 6.0.x? >>>>>> >>>>>> >>>>>> >>>>>> Thanks, >>>>>> >>>>>> yasushi >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> ROOKIE wrote: >>>>>> Hi, >>>>>> I have a problem with tomcat cluster + mod_proxy load balancer : >>>>>> >>>>>> We have a main app which authenticate itself to a webapp and from >> this >>>>>> app one >>>>>> can launch embedded apps which use the SSO cookie to access other >>>>>> webapps on >>>>>> the server (Single-Sign-On for the user). >>>>>> >>>>>> Things are working perfectly for the normal cookie but not for the >> sso >>>>>> cookie. >>>>>> >>>>>> >>>>>> The problem I have is that tomcat does not replicate SSO sessions >> so >>>>>> when these embedded apps route through the load balancer we get >> 401s on >>>>>> all the other cluster members except the one which actually >> generated >>>>>> the SSO cookie. >>>>>> >>>>>> I wanted to know if we can edit the SSO cookie generated by tomcat >> to >>>>>> also >>>>>> contain the jvmRoute parameter so that the load balancer directly >> goes >>>>>> to the >>>>>> correct cluster member. >>>>>> >>>>>> >>>>>> I tried doing this in my code by fetching the SSO cookie and >> appending >>>>>> to it >>>>>> the jvmRoute as follows : >>>>>> >>>>>> HttpServletRequest request = >>>>>> (HttpServletRequest)Security.getContext(HttpServletRequest.class); >>>>>> HttpServletResponse response = >>>>>> >> (HttpServletResponse)Security.getContext(HttpServletResponse.class); >>>>>> if(request != null) { >>>>>> String jvmRoute = "Vinod_Cluster_1"; // as mentioned >> in >>>>>> server.xml >>>>>> Cookie[] cookies = request.getCookies(); >>>>>> for(int nc=0; cookies != null && nc < cookies.length; >> nc++) >>>>>> { >>>>>> >> if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) { >>>>>> _sessionId = cookies[nc].getValue(); >>>>>> } >>>>>> >>>>>> else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) { >>>>>> >>>>>> _ssoSessionId = cookies[nc].getValue(); >>>>>> if (!_ssoSessionId.contains("." + jvmRoute)) { >>>>>> _ssoSessionId += "." + jvmRoute; >>>>>> >>>>>> response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, >> _ssoSessionId)); >>>>>> } >>>>>> >>>>>> >>>>>> } >>>>>> >>>>>> >>>>>> But after this I started getting 401s from even the correct > cluster >>>>>> member. My guess is addCookie doesnt update the cookie in tomcat's >> cache >>>>>> which is reasonable. >>>>>> >>>>>> Other thought was to edit tomcat's sso cookie generation code to >> append >>>>>> the >>>>>> jvmRoute to the sso cookie. >>>>>> >>>>>> >>>>>> Is there an better way to achieve this in my code base ? >>>>>> >>>>>> Thanks In Advance, >>>>>> Vinod >>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>>> >> --------------------------------------------------------------------- >>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>>> For additional commands, e-mail: users-h...@tomcat.apache.org >>>>> >>>>> >>>>> >>>>> >>>>> >> --------------------------------------------------------------------- >>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>>> For additional commands, e-mail: users-h...@tomcat.apache.org >>>>> >>>>> >>>> >>>> >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >>> >>> >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >> >> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
