8 Replies Latest reply on Jan 11, 2014 12:29 PM by faxe13

Clustering with CachedAuthenticatedSessionMechanism

faxe13 Dec 30, 2013 8:09 AM

Hi,

I am trying to get session clustering with wildfly.Beta1 and FORM based authentication working in my web application. I am using the standalone-full-ha config to start my server. I am also using sticky sessions on my load balancer and everything works perfect as long as all cluster nodes are online.

When the node currently serving the sticky session is stopped I am facing problems when the session fails over to another node in the cluster. I am redirected to the login page again on the other node although I was already logged in successfully.

After some hours of debugging I have found the following JIRA issue WFLY-1910 that includes a pull request from which I can guess that the java/org/wildfly/clustering/web/undertow/session/SessionAdapter has a special treatment for already authenticated sessions so that the authentication information is not replicated among all cluster nodes because it is held in a local context. All other session attributes are replicated on the other cluster nodes without any problem.

Now my question is how to prevent users from having to re-login after a clustered session failover. I think it should have worked before the fix of WFLY-1910 but what is the suggested approach now.

Cheers, Gert

1. Re: Clustering with CachedAuthenticatedSessionMechanism

pferraro Jan 2, 2014 4:37 PM (in response to faxe13)

With BASIC, DIGEST, and CERT authentication mechanisms, the user credentials are always available in the request - so reauthentication on failover happens automatically. With FORM authentication, the username/password are only made available to the request during login. Consequently, auto-reauthentication on failover requires an additional server-side mechanism to store the j_username/j_password values from the login form. In AS7 and earlier, this mechanism was provided by clustered SSO. We don't have such a mechanism for WildFly yet.

I've filed a jira to track this issue:
[WFLY-2704] FORM authentication credentials lost on failover - JBoss Issue Tracker

Until this is fixed, you should be able to workaround this issue by using BASIC or DIGEST authentication.
1 of 1 people found this helpful
Actions
2. Re: Clustering with CachedAuthenticatedSessionMechanism

faxe13 Jan 3, 2014 4:04 AM (in response to pferraro)

Thanks for your response Paul. I will take a look into DIGEST authentication because BASIC seems not to be an option for us. As you have created the issue for the final version maybe I will wait for that.
Actions
3. Re: Clustering with CachedAuthenticatedSessionMechanism

pferraro Jan 3, 2014 9:42 AM (in response to faxe13)

BTW, even though users are currently forced to reauthenticate on failover when using FORM authentication, their web session data should still be preserved.
Actions
4. Re: Clustering with CachedAuthenticatedSessionMechanism

faxe13 Jan 3, 2014 12:54 PM (in response to pferraro)

Yes, thats what I noticed. All session data were replicated correctly except the FORM authentication data.
Actions
5. Re: Clustering with CachedAuthenticatedSessionMechanism

pferraro Jan 8, 2014 12:40 PM (in response to faxe13)

FYI - this pull request should fix the issue:
WFLY-2704 FORM authenticated identity lost on failover by pferraro · Pull Request #5685 · wildfly/wildfly · GitHub
1 of 1 people found this helpful
Actions
6. Re: Clustering with CachedAuthenticatedSessionMechanism

faxe13 Jan 9, 2014 11:26 AM (in response to pferraro)

Excellent, storing the Account again in the clustered web session when using FORM authentication should solve the problem. Is there a way I can test this with a nightly build or do I have to wait until the Final version comes out ?
Actions
7. Re: Re: Clustering with CachedAuthenticatedSessionMechanism

pferraro Jan 9, 2014 2:00 PM (in response to faxe13)
The pull request hasn't been merged yet. Until then you can test it via:

git clone https://github.com/wildfly/wildfly.git cd wildfly git remote add pferraro https://github.com/pferraro/wildfly.git git fetch pferraro git cherry-pick 0c4175c75f407eeb973faa6c6d72a099c172a398 mvn install

Once the pull request is merged, you can skip steps 3-5.
Actions
8. Re: Re: Clustering with CachedAuthenticatedSessionMechanism

faxe13 Jan 11, 2014 12:29 PM (in response to pferraro)

Thanks Paul. The fix works as expected. No additional login required after a failover any more.
Actions

Go to original post