On Thu, 4 Jul 2002, Denis Benoit wrote:
> Date: Thu, 4 Jul 2002 17:07:33 -0400 (EDT)
> From: Denis Benoit <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED]
> To: Tomcat Developers List <[EMAIL PROTECTED]>
> Subject: Re: [PROPOSAL] Single signon and loadbalancer
>
> On Thu, 4 Jul 2002, Henri Gomez wrote:
>
> > > With the current code (TC 4.1.6), the single signon does not work with the
> > > loadbalancer connector.
> > >
> > > If a user was logged in a given webapp, the loadbalancer looks at the
> > > JSESSIONID cookie (or URL parameter) to dispatch the request properly to the
> > > tomcat where the user was logged on. But if the user hits another webapp,
> > > the JSESSIONID is not present anymore and the dispatcher applies its
> > > round-robin logic to dispatch the request to any tomcat. It nullifies the
> > > effect of the single signon. There are two problems that prevent it from
> > > working.
> >
> >
> > Another webapp or another tomcat ?
> >
> > JSESSIONID is related to session, and session from specs should be
> > unique by webapp, ie a user on webappA shouldn't be seen on webappB.
> >
> > We fix that problem at work by playing with our own cookies, something
> > like what you propose.
>
> I'm talking about using the valve org.apache.catalina.authenticator.SingleSignOn
> with the "loadbalancer" of mod_jk. JSESSIONID is certainly specific to a webapp,
> but the JSESSIONIDSSO cookie generated by the valve is used across webapps. But
> since JSESSIONIDSSO does not have the jvmRoute of the engine appended to its
> cookie, therefore JSESSIONIDSSO (the valve), does not work with the loadbalancer.
> When a user hits another webapp, the user is randomly sent to any Tomcat in
> the pool of the loadbalancer.
>
>
> >
> > > 1. On the Tomcat side, the generateSessionId() method of
> > > org.apache.catalina.authenticator.AuthenticatorBase does not append
> > > the jvmRoute of the Engine if one is specified. So when a user changes
> > > webapp, the web connector dispatcher does not have any information to
> > > properly route the request;
> > >
> > > 2. The current loadbalancer code specifically looks for the JSESSIONID cookie
> > > and does not look for a JSESSIONIDSSO cookie.
> > >
> > > I could provide a patch to org.apache.catalina.authenticator.AuthenticatorBase
> > > to add the jvmRoute to the session id; in fact it is a copy of the code from
> > > org.apache.catalina.session.ManagerBase.
> > >
> > > The change in:
> > >
> > > ./jk/native/common/jk_lb_worker.c
> > > ./jk/native2/common/jk_requtil.c
> > >
> > > is also trivial, first the connector must look for the JSESSIONID cookie (or
> > > param), and if not found it should look for the JSESSIONIDSSO cookie (or
> > > param). Then the same logic should be applied if either one is found.
> > >
> > > Comments?
> >
> >
> > I'd like to hear others speak about that, since I'm not sure if it
> > respects the specs...
>
> I'd like too :)
>
The JSESSIONIDSSO cookie is not required by the specifications -- it just
happens to be part of how Tomcat 4 implements single sign on.

If you want to use SSO in a load balanced environment, you would need to
ensure that all requests with the same JSESSIONIDSSO cookie are routed
back to the same Tomcat instance -- even if the session ids are different
(as they would be, for different webapps), or even if the user is not
involved (or not yet involved) in a session so there is no JSESSIONID
cookie.

It sounds like the proposed patch would accomplish exactly these goals.

Craig
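
The routing rule discussed in this thread (use JSESSIONID, else fall back to JSESSIONIDSSO), as an added sketch that is not part of the original messages and is not mod_jk's code. The function names, the worker names in the usage, and the assumption that the route is the text after the last '.' in the cookie value are illustrative.

```c
#include <stddef.h>
#include <string.h>

/* Copy the value of cookie `name` from a Cookie header into out; 1 if found. */
static int cookie_value(const char *hdr, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = hdr;

    while (*p) {
        const char *end;
        while (*p == ' ' || *p == ';')
            p++;                                 /* skip separators */
        end = strchr(p, ';');
        if (!end)
            end = p + strlen(p);
        /* Exact name match: "JSESSIONID" must not match "JSESSIONIDSSO=..." */
        if ((size_t)(end - p) > nlen && !strncmp(p, name, nlen) && p[nlen] == '=') {
            size_t vlen = (size_t)(end - p) - nlen - 1;
            if (vlen >= outlen)
                return 0;                        /* oversized value: treat as absent */
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end;
    }
    return 0;
}

/* Index of the worker a request should stick to, or -1 to fall back to round-robin. */
int sticky_worker(const char *cookie_hdr, const char *const *workers, size_t nworkers)
{
    static const char *const names[] = { "JSESSIONID", "JSESSIONIDSSO" };
    char val[256];
    size_t i, w;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *dot;
        if (!cookie_value(cookie_hdr, names[i], val, sizeof val))
            continue;
        dot = strrchr(val, '.');                 /* assumed format: <id>.<jvmRoute> */
        if (!dot)
            continue;
        /* The route is client-supplied: accept it only if it names a known worker. */
        for (w = 0; w < nworkers; w++)
            if (strcmp(dot + 1, workers[w]) == 0)
                return (int)w;
    }
    return -1;
}
```

A cookie whose suffix names no configured worker yields -1, so a forged or stale route cannot steer the request anywhere the balancer does not already serve.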