6 Replies Latest reply on Mar 27, 2009 3:42 PM by sureshrk19

Login problem with JAAS and sticky_session=false

toso.dario Feb 25, 2008 5:17 AM

Hi all,
I am using following architecture:
- Jboss cluster based on two instances (both using standard all configuration).
- Apache (mod_jk) as load balancer.
- JAAS to authenticate users
- Jboss clustered SSO support

When Apache is configured with sticky_session=1 it works fine: I can use my application without errors and if I shutdown the node of the cluster that is serving my session the other node loads the session correctly and I can go on working.
But, If set sticky_session=0 I can not login and I receive following error:

Status= 400
Message= Invalid direct reference to form login page
Description= The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).

What I doing wrong?
Thanks.
Dario.

1. Re: Login problem with JAAS and sticky_session=false

ragavgomatam Mar 6, 2008 8:21 PM (in response to toso.dario)
what version of jboss is it ? it appears to be a known tomcat issue...
It can be solved as follows :-

<% // Hack to get around bug in tomcat: // http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8976 if (session.isNew()) { response.sendRedirect("index.jsp"); return; } %>
Actions
2. Re: Login problem with JAAS and sticky_session=false

toso.dario Mar 7, 2008 3:55 AM (in response to toso.dario)

Thank you very much for your answer.
I am using jboss 4.0.2.

I also think that it is a Tomcat problem: I have had a look to org.apache.catalina.authenticator.FormAuthenticator class and I have seen that the requested URI is saved into an HashMap of an object that implements org.apache.catalina.Session.

Data are saved using setNote method. This HashMap is not replicated between cluster nodes (because it is not saved into an HttpSession attribute)

Actually I use following workaround: I have configured Apache to use sticky session for the login process.

I will try your solution as soon as possible.

Thank you very much.
Dario.
Actions
3. Re: Login problem with JAAS and sticky_session=false

ragavgomatam Mar 7, 2008 1:59 PM (in response to toso.dario)

Doesn't sticky sessions defeat load balancing ?
Actions
4. Re: Login problem with JAAS and sticky_session=false

toso.dario Mar 10, 2008 10:57 AM (in response to toso.dario)

No, I have no problem with load balancig and sticky session: Apache send request between two servers.
Actions
5. Re: Login problem with JAAS and sticky_session=false

trulore Aug 12, 2008 2:24 PM (in response to toso.dario)

Yes, sticky sessions DOES defeat at least one of the goals of load balancing.

If you have to have sticky sessions turned on in order to use a JBoss Clustering (and apparently you do), then I would consider this a very serious bug with Tomcat and/or JBoss.

JBoss should provide an alternate login module that allows you use clustering without sticky sessions.

Unless there is some actual benefit to sticky sessions that I'm missing?

Robert
Actions
6. Re: Login problem with JAAS and sticky_session=false

sureshrk19 Mar 27, 2009 3:42 PM (in response to toso.dario)

Hi,

I'm facing the similar issue in clustered environment.
I configured sticky-session but, still the login doesn't work for first time (Invalid direct reference to form login page)... If i refresh the page and re-enter the credentials then, it works fine.

Here is my entry for sticky session in 'workers.properties'
worker.loadbalancer.sticky_session=1

Please let me know if i miss anything.

Thanks,
Suresh
Actions

Go to original post