-
1. Re: JBoss clustering when using form-based authentication
slaboure Apr 1, 2003 4:20 AM (in response to tkitchens)Can you please fill-in a bug on SF for that?
http://www.sf.net/projects/jboss
Cheers,
Sacha -
2. Re: JBoss clustering when using form-based authentication
tkitchens Apr 2, 2003 6:11 PM (in response to tkitchens)Sacha,
I searched the bug list two days ago and didn't find any related bug reports. So, I just went back and logged a bug report, then searched again and noticed that someone else had just yesterday logged the same bug - the only difference was that he was doing basic authentication, instead of form-based.
Seems odd to me that no one has run into this. Could it really be that we are the first to try to use any type of container-managed authentication AND clustering together? Kind of strange. Anyway, I took a quick look at the class that's causing the problem - org.jboss.jetty.security.JBossUserRealm - to see whether I could make the necessary changes. Looks like there are quite a number of classes that need to be made either Serializable or their references made transient, if in fact this is even possible.
In the meantime, any pointers or thoughts are welcome, as we'd have to completely change our architecture, since there's a huge difference between delegating authentication and session management to the container and having to manage that in your own code. Changing our architecture is really not an option at this point.
Thanks,
Tim -
3. Re: JBoss clustering when using form-based authentication
slaboure Apr 3, 2003 10:07 AM (in response to tkitchens)Hello Tim,
Yes, this absolutely needs to be fixed. People don't see it maybe because it works when using session based auth (and not form-based). Have you checked if the same occurs with Tomcat clustering or not?
Cheers,
sacha -
4. Re: JBoss clustering when using form-based authentication
tkitchens Apr 10, 2003 7:53 AM (in response to tkitchens)Sacha,
Haven't actually tried it with Tomcat, but if I'm correct in that the Tomcat equivalent of JBossUserRealm is JBossSecurityMgrRealm, then it appears that you'd have the same problem with Tomcat.
BTW, I see that a fix for Jetty has been added to the 3.2 code base. I'll check into that and see whether it fixes the problem for Jetty. However, from the description of the fix - i.e. made the JBossUserPrincipal Serializable - I'm not very hopeful, as the server needs to serialize much more than just this object for authentication replication.
Thanks,
Tim -
5. Re: JBoss clustering when using form-based authentication
slaboure Apr 13, 2003 7:28 PM (in response to tkitchens)Any feedback? Was the fix ok for you?
-
6. Re: JBoss clustering when using form-based authentication
tkitchens Apr 17, 2003 12:47 PM (in response to tkitchens)Sacha,
I checked out the 3.2 branch and tried the fix that Scott Stark made. Looks like the serialization errors are gone, but I sent Scott an email that a NullPointerException problem was introduced when an instance variable, which was marked as "transient" in the JBossUserPrinciple class, was referenced on a node other than the one that the user originally logged in on. He plans to fix that, but I believe these changes still need to be merged into the 3.0 branch (we currently plan to use 3.0.6 for our current project).
However, while this fix makes the user's HTTP session available across the cluster (i.e. replication doesn't break), users are still forced to login on any new node that their session fails over to when the primary goes down. According to Scott, this is because there is no distributed single sign-on and there are no short-term plans to implement this. So, I guess the best we can get in the near-term is to have any state we're persisting in the session replicated to other nodes, but require the user to login again should a node fail. However, we can't even get there until Scott's fixes are merged into a 3.0 release.
Thanks,
Tim -
7. Re: JBoss clustering when using form-based authentication
juhalindfors Apr 22, 2003 1:56 PM (in response to tkitchens)Can you please add a bug report for this on sf.net? thank you. Cheers,,
sacha