Hi Andrew
In case of no failover, SSO works for all web applications on the same host.
Upon failover [shutting down one node], a user is routed to the other node, and
TC asks the user to log in again when he/she tries to access a
password-protected area.
I have checked server.xml many times and session replication is working fine
upon failover, so I cannot think of any misconfiguration in server.xml.
The issue is SSO failover is not working. I think it might be related to my
apache virtual host setup, but could not figure it out.
Thanks for your help,
yasushi
I am using mod_proxy_ajp, mod_proxy_balancer [v2.2.3]
OS : Redhat Linux 64bit RHEL v5.5
JDK : 1.6.0.20
=== I created virtual host on port 9050 ===
httpd.conf
<VirtualHost 10.250.200.57:9050>
    ServerAdmin xyz
    ServerName webclust1.xyz.com
    ServerAlias webclust1
    ErrorLog logs/webclust_cluster_error.log
    CustomLog logs/webclust-cluster-access_log common
    <Location /balancer-manager>
        SetHandler balancer-manager
        Order Deny,Allow
        Deny from all
        Allow from all
    </Location>
    ProxyRequests off
    <Proxy balancer://webclust>
        BalancerMember ajp://10.250.200.57:9001 loadfactor=10 max=150 smax=145 route=jvm1
        BalancerMember ajp://10.250.200.57:9002 loadfactor=10 max=150 smax=145 route=jvm2
        BalancerMember ajp://10.250.200.57:9003 loadfactor=10 max=150 smax=145 route=jvm3
        Order Deny,Allow
        Allow from all
    </Proxy>
    #Do not proxy balancer-manager
    ProxyPass /balancer-manager !
    <Location /examples>
        ProxyPass balancer://webclust/examples stickysession=JSESSIONID|jsessionid
        ProxyPassReverse balancer://webclust/examples
        Order Deny,Allow
        Allow from all
    </Location>
    <Location / >
        ProxyPass balancer://webclust/ stickysession=JSESSIONID|jsessionid
        ProxyPassReverse balancer://webclust/
        Order Deny,Allow
        Allow from all
    </Location>
=== server.xml ===
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="9002" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">
    <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
             channelSendOptions="4">
      <Manager className="org.apache.catalina.ha.session.DeltaManager"
               name="node2"
               expireSessionsOnShutdown="false"
               notifyListenersOnReplication="true"/>
      <Channel className="org.apache.catalina.tribes.group.GroupChannel">
        <Membership
            className="org.apache.catalina.tribes.membership.McastService"
            address="228.0.0.5"
            port="45564"
            frequency="500"
            dropTime="3000"/>
        <Receiver
            className="org.apache.catalina.tribes.transport.nio.NioReceiver"
            address="auto"
            port="4020"
            autoBind="100"
            selectorTimeout="5000"
            maxThreads="12"/>
        <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
          <Transport
              className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
        </Sender>
        <Interceptor
            className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
        <Interceptor
            className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
        <Interceptor
            className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
      </Channel>
      <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
             filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;.*\.xls;.*\.sdf;.*\.xml;"/>
      <!-- only with jk_mod failover-->
      <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"
             enabled="true" sessionIdAttribute="takeoverSessionid" />
      <!--
      <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
      tempDir="/tmp/war-temp/"
      deployDir="/usr/local/apache/node2-tomcat-6.0.26/webapps"
      watchDir="/tmp/war-listen/"
      watchEnabled="true"/>
      -->
      <!-- only with jk_mod and jvmroutebindervalve-->
      <ClusterListener
          className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
      <ClusterListener
          className="org.apache.catalina.ha.session.ClusterSessionListener"/>
    </Cluster>
    <Valve className="org.apache.catalina.ha.authenticator.ClusterSingleSignOn" />
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="webappqa_node2_access_log." suffix=".log"
           pattern="common" resolveHosts="false"/>
  </Host>
</Engine>
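
With stickysession enabled, mod_proxy_balancer matches the route suffix of the session cookie against each BalancerMember's route=, so every member's route= has to equal the jvmRoute of the Tomcat listening on that AJP port. The following is an added example, not part of the original message: it cross-checks the two files on constructed sample input modelled on the posted excerpts (where AJP port 9002 appears with route=jvm2 in httpd.conf and jvmRoute="jvm1" in server.xml). The function names are hypothetical, and it assumes all members run on one host so the port alone identifies a node.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the excerpts posted above.
HTTPD_CONF = """\
<Proxy balancer://webclust>
  BalancerMember ajp://10.250.200.57:9001 loadfactor=10 route=jvm1
  BalancerMember ajp://10.250.200.57:9002 loadfactor=10 route=jvm2
  BalancerMember ajp://10.250.200.57:9003 loadfactor=10
</Proxy>
"""
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="9002" protocol="AJP/1.3" redirectPort="8443" />
  <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"/>
</Service></Server>
"""

MEMBER_RE = re.compile(r"^\s*BalancerMember\s+ajp://[^:\s]+:(\d+)(.*)$", re.I | re.M)

def balancer_routes(conf):
    """Map AJP port -> route (None when the member has no route=)."""
    routes = {}
    for port, rest in MEMBER_RE.findall(conf):
        m = re.search(r"\broute=(\S+)", rest)
        routes[int(port)] = m.group(1) if m else None
    return routes

def tomcat_route(server_xml):
    """Return (AJP connector port, Engine jvmRoute) from one node's server.xml."""
    root = ET.fromstring(server_xml)
    ajp = [c for c in root.iter("Connector")
           if c.get("protocol", "").upper().startswith("AJP")]
    engine = next(root.iter("Engine"))
    return int(ajp[0].get("port")), engine.get("jvmRoute")

def check(conf, server_xml):
    """Return a list of findings; an empty list means both sides agree."""
    routes = balancer_routes(conf)
    port, jvm_route = tomcat_route(server_xml)
    findings = [f"BalancerMember on port {p} has no route="
                for p, r in routes.items() if r is None]
    if port not in routes:
        findings.append(f"AJP port {port} is not a BalancerMember")
    elif routes[port] is not None and routes[port] != jvm_route:
        findings.append(f"port {port}: balancer route={routes[port]} "
                        f"but Engine jvmRoute={jvm_route}")
    return findings

if __name__ == "__main__":
    for line in check(HTTPD_CONF, SERVER_XML):
        print(line)
```

Run it once per node, passing that node's server.xml together with the shared httpd.conf.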
-----Original Message-----
From: Andrew Bruno [mailto:[email protected]]
Sent: Monday, June 21, 2010 10:09 PM
To: Tomcat Users List
Subject: Re: question for sso session replication in tomcat 6.0.26
Oh sorry, I re-read your answer. Not sure why SSO is not working, be
interested to find out though..
AB
On Tue, Jun 22, 2010 at 3:04 PM, Andrew Bruno <[email protected]> wrote:
> Hi Yasushi
>
> In your server.xml have you added the jvmroute to the Engine?
>
> i.e.
>
> <Engine name="Catalina" defaultHost="localhost" jvmRoute="1">
>
> Andrew
>
> On Tue, Jun 22, 2010 at 2:50 PM, Okubo, Yasushi (TSD)
> <[email protected]> wrote:
>> Hi Andrew
>>
>> Thanks for your post. When I checked the session id from firefox, sso
>> session id [jsessionidsso] does not have jvmroute info, but only jsessionid
>> has jvmroute. So, session replication upon failover is working fine, but
>> single sign-on upon failover is not working on tomcat 6.0.x (including 6.0.26).
>>
>> yasushi
>>
>> -----Original Message-----
>> From: Andrew Bruno [mailto:[email protected]]
>> Sent: Monday, June 21, 2010 9:18 PM
>> To: Tomcat Users List
>> Subject: Re: question for sso session replication in tomcat 6.0.26
>>
>> Looking at the code I think this is wrong
>>
>> if (!_ssoSessionId.contains("." + jvmRoute)) {
>> _ssoSessionId += "." + jvmRoute;
>> response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>> }
>>
>> The original sessionId will already have the "."+_any_other_jvmRoute
>> included, so you need to substring it, and append the new jvmRoute.
>>
>> _ssoSessionId = _ssoSessionId.substring(0, _ssoSessionId.indexOf("."));
>>
>> and then add
>>
>> _ssoSessionId += "." + jvmRoute;
>>
>> AB
>>
>> On Tue, Jun 22, 2010 at 1:03 PM, Okubo, Yasushi (TSD)
>> <[email protected]> wrote:
>>> Hi experts
>>>
>>>
>>>
>>> I found this old email from archive in TC 5.5.23.
>>>
>>> Does this problem still exist in tomcat 6.0.x or 6.0.26?
>>>
>>>
>>>
>>> When failover occurs, sso session id is updated with new number after
>>> forcing a user to relogin to the application since sso session id is not
>>> replicated and rewritten correctly. Could someone explain what is
>>> expected in current tomcat 6.0.x cluster upon failover? Should sso
>>> session id be replicated correctly in tomcat 6.0.x?
>>>
>>>
>>>
>>> Thanks,
>>>
>>> yasushi
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> ROOKIE wrote:
>>> Hi,
>>> I have a problem with tomcat cluster + mod_proxy load balancer :
>>>
>>> We have a main app which authenticate itself to a webapp and from this
>>> app one can launch embedded apps which use the SSO cookie to access other
>>> webapps on the server (Single-Sign-On for the user).
>>>
>>> Things are working perfectly for the normal cookie but not for the sso
>>> cookie.
>>>
>>> The problem I have is that tomcat does not replicate SSO sessions so
>>> when these embedded apps route through the load balancer we get 401s on
>>> all the other cluster members except the one which actually generated
>>> the SSO cookie.
>>>
>>> I wanted to know if we can edit the SSO cookie generated by tomcat to
>>> also contain the jvmRoute parameter so that the load balancer directly goes
>>> to the correct cluster member.
>>>
>>> I tried doing this in my code by fetching the SSO cookie and appending
>>> to it the jvmRoute as follows :
>>>
>>> HttpServletRequest request =
>>>     (HttpServletRequest)Security.getContext(HttpServletRequest.class);
>>> HttpServletResponse response =
>>>     (HttpServletResponse)Security.getContext(HttpServletResponse.class);
>>> if(request != null) {
>>>     String jvmRoute = "Vinod_Cluster_1"; // as mentioned in server.xml
>>>     Cookie[] cookies = request.getCookies();
>>>     for(int nc=0; cookies != null && nc < cookies.length; nc++) {
>>>         if(_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>             _sessionId = cookies[nc].getValue();
>>>         }
>>>         else if(_SSO_SESSION_COOKIE_NAME.equals(cookies[nc].getName())) {
>>>             _ssoSessionId = cookies[nc].getValue();
>>>             if (!_ssoSessionId.contains("." + jvmRoute)) {
>>>                 _ssoSessionId += "." + jvmRoute;
>>>                 response.addCookie(new Cookie(_SSO_SESSION_COOKIE_NAME, _ssoSessionId));
>>>             }
>>>         }
>>>     }
>>> }
>>>
>>>
>>> But after this I started getting 401s from even the correct cluster
>>> member. My guess is addCookie doesn't update the cookie in tomcat's cache
>>> which is reasonable.
>>>
>>> Other thought was to edit tomcat's sso cookie generation code to append
>>> the jvmRoute to the sso cookie.
>>>
>>> Is there a better way to achieve this in my code base ?
>>>
>>> Thanks In Advance,
>>> Vinod
>>>
>>>
>>>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>
>