1 Reply Latest reply on Jan 27, 2010 10:18 AM by wrfeldmann

    JAAS login problem on JBoss 4.0.5.GA with clustered single s

    cjlogan

      We are running JBoss 4.0.5.GA with clustered single sign-on across 2 servers. These servers are round-robin load-balanced using Windows Network Load Balancing, so user requests are being processed by both servers. We are NOT using mod_jk, but have Apache servers in our DMZ that forward requests to a load-balanced IP that causes WNLB to cause the request to be handled by one of the servers based upon the load-balancing options.

      About 75% of the time, users get the response "Invalid direct reference to form login page". At that point, the browser URL is http://server/context/admin/j_security_check. I am not trying to directly access the form login page. Instead, it appears that the FormAuthenticator cannot access the previous page for the user, so they get sent to the j_security_check page.

      When one of the servers is taken out of the WNLB cluster, so that all requests go to the same server (even though HTTP session replication is still operating), it works 100% of the time.

      From looking at the FormAuthenticator code, it appears that this is the relevant portion to this problem:

      public boolean authenticate(Request request,
                                  Response response,
                                  LoginConfig config)
              throws IOException {
          ...
          // Redirect the user to the original request URI (which will cause
          // the original request to be restored)
          requestURI = savedRequestURL(session);
          if (log.isDebugEnabled())
              log.debug("Redirecting to original '" + requestURI + "'");
          if (requestURI == null)
              response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                                 sm.getString("authenticator.formlogin"));
          else
              response.sendRedirect(response.encodeRedirectURL(requestURI));
          return (false);
      }
      


      The "then" if(requestURI == null) is returning the error page described above.

      Here is where I make an assumption about the cause of the problem: Is the session being replicated based upon the replication-trigger in the jboss-web.xml? Please let me know if I can provide more information.

      Here is the log file from server1:
      2007-02-07 11:20:29,093 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /cms/admin/j_security_check
      2007-02-07 11:20:29,249 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authenticating username 'keithc'
      2007-02-07 11:20:29,265 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'keithc' was successful
      2007-02-07 11:20:29,265 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/cms/admin/mainMenu.do'
      2007-02-07 11:20:29,265 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ??/cms/admin/j_security_check


      From the tomcat server.xml:
      <Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn"/>
      


      The SingleSignOn valve is disabled.

      Here are the relevant portions of the web.xml:
      <distributable/>
      ...
      <security-constraint>
          <web-resource-collection>
              <web-resource-name>Administrator Area</web-resource-name>
              <url-pattern>/admin/addKiosk.jsp</url-pattern>
              ...
          </web-resource-collection>
          <auth-constraint>
              <role-name>Admin</role-name>
          </auth-constraint>
          <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
      </security-constraint>
      ...
      <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>CMSDbRealm</realm-name>
          <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/login_error.jsp</form-error-page>
          </form-login-config>
      </login-config>
      


      Here are the relevant portions of the login-config.xml:
      <application-policy name="CMSDbRealm">
          <authentication>
              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                  <module-option name="unauthenticatedIdentity">guest</module-option>
                  <module-option name="dsJndiName">java:/HibernateDS</module-option>
                  <module-option name="unauthenticatedIdentity">guest</module-option>
                  <module-option name="managedConnectionFactoryName">
                      jboss.jca:service=LocalTxCM,name=HibernateDS
                  </module-option>
                  <module-option name="principal">sa</module-option>
                  <module-option name="userName">username</module-option>
                  <module-option name="password">password</module-option>
                  <module-option name="principalsQuery">select password from CMS_USER
                      username where username=?
                  </module-option>
                  <module-option name="rolesQuery">select distinct role_name, 'Roles'
                      from CMS_USER_PRIVILEGE inner join CMS_USER on user_id = fk_user_id where
                      username=?
                  </module-option>
                  <module-option name="hashCharset">UTF-8</module-option>
                  <module-option name="hashEncoding">base64</module-option>
                  <module-option name="hashAlgorithm">MD5</module-option>
              </login-module>
          </authentication>
      </application-policy>
      


      jboss-web.xml:
      <jboss-web>
          <security-domain>java:/jaas/CMSDbRealm</security-domain>
          <context-root>/cms</context-root>
          <replication-config>
              <replication-trigger>SET</replication-trigger>
              <replication-granularity>SESSION</replication-granularity>
          </replication-config>
      </jboss-web>


      tc5 jboss-service.xml
      <server>
          <mbean code="org.jboss.cache.aop.TreeCacheAop" name="jboss.cache:service=TomcatClusteringCache">
              <depends>jboss:service=Naming</depends>
              <depends>jboss:service=TransactionManager</depends>
              <depends>jboss.aop:service=AspectDeployer</depends>
              <attribute name="ClusterName">RT-CLUSTER</attribute>
              <attribute name="IsolationLevel">REPEATABLE_READ</attribute>
              <attribute name="CacheMode">REPL_SYNC</attribute>
              <attribute name="UseRegionBasedMarshalling">false</attribute>
              <attribute name="InactiveOnStartup">false</attribute>
              <attribute name="TransactionManagerLookupClass">org.jboss.cache.BatchModeTransactionManagerLookup</attribute>
              <attribute name="ClusterConfig">&jgroupsstack;</attribute>
              <attribute name="SyncReplTimeout">20000</attribute>
              <!-- Max number of milliseconds to wait for a lock acquisition -->
              <attribute name="LockAcquisitionTimeout">15000</attribute>
          </mbean>
      </server>
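
The failure mode the post asks about, as an added example that is not part of the original post and is not JBoss or Tomcat code: a two-node model in which the session itself is replicated but the saved original request is node-local state. That split is an assumption of the model (Tomcat keeps the saved request in a session note rather than a session attribute), and all class and method names are hypothetical.

```java
import java.util.*;

// Added illustration: a hypothetical two-node model, not JBoss or Tomcat code.
public class FormLoginClusterModel {
    // Replicated state: every node knows every session id.
    static final Set<String> replicatedSessions = new HashSet<>();

    static class Node {
        // Node-local state (model assumption): saved original request per session.
        final Map<String, String> savedRequest = new HashMap<>();

        // Unauthenticated request for a protected URL: save it, show the login form.
        void protectedRequest(String sessionId, String uri) {
            replicatedSessions.add(sessionId);
            savedRequest.put(sessionId, uri);
        }

        // POST to j_security_check with valid credentials.
        // Mirrors the requestURI == null branch quoted in the post.
        int securityCheck(String sessionId) {
            if (!replicatedSessions.contains(sessionId))
                throw new IllegalStateException("unknown session");
            String requestURI = savedRequest.remove(sessionId);
            return requestURI == null ? 400 : 302;
        }
    }

    // Simulates `logins` successful logins; returns how many ended in HTTP 400.
    static int run(int logins, boolean affinity) {
        Node[] nodes = { new Node(), new Node() };
        Random balancer = new Random(42); // constructed input, fixed seed
        int failures = 0;
        for (int i = 0; i < logins; i++) {
            String sid = (affinity ? "A" : "N") + i;
            int first = balancer.nextInt(2);
            int second = affinity ? first : balancer.nextInt(2);
            nodes[first].protectedRequest(sid, "/cms/admin/mainMenu.do");
            if (nodes[second].securityCheck(sid) == 400) failures++;
        }
        return failures;
    }

    public static void main(String[] args) {
        System.out.println("no affinity: " + run(1000, false) + " of 1000 logins got 400");
        System.out.println("affinity:    " + run(1000, true) + " of 1000 logins got 400");
    }
}
```

In the model, pinning both requests of a login to one node removes the 400 responses, which is consistent with the post's observation that routing all requests to a single server works 100% of the time.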