11 Replies Latest reply on Jul 21, 2006 5:04 AM by roberto roberto

    ClusteredSingleSignOn problem

    roberto roberto Novice

      I am trying to set up a cluster with SSO.
      The cluster seems to work fine, but SSO does not.

      Maybe I made a mistake in the cfg.
      I'm using Apache 2.0.58 + Mod_jk2 + Jboss 4.0.4
      using sticky session

      I started from the "all" server cfg and set jvmRoute, useJK, loopback for UDP connection (I'm using a Windows environment), and also set



      to activate ClusteredSingleSignOn

      My war contains the distributable tag and uses a FORM-based authentication method (based on users and roles properties file).

      The problem is that SSO doesn't work.

      E.g.:

      The user connects to my application (http://myapp:80/app)
      This request is routed to node1 (node2 is also running)
      The user logs in and it works as usual
      Now node1 dies
      When the user makes a new request, the request is routed to node2 but the user must authenticate again.

      In the log I can see this message: "SSO cookie is not present"


      2006-07-13 15:34:38,781 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] SSO cookie is not present
      2006-07-13 15:34:38,781 DEBUG [org.jboss.web.tomcat.tc5.session.JBossCacheManager] check to see if needs to store and replicate session with id eMgnAW0y81sbuSJGlhp4-g**.node1
      2006-07-13 15:34:38,781 DEBUG [org.jboss.web.tomcat.tc5.session.ClusteredSession] processSessionRepl(): session is dirty. Will increment version from: 21 and replicate.

      So it seems that the SSO cookie is not propagated. Why? (My browser allows cookies.)

      Any ideas?
      Thank You
      Roberto

        • 1. Re: ClusteredSingleSignOn problem
          roberto roberto Novice

          I tried changing FORM authentication to BASIC in web.xml, and now it works. But I need to use FORM authentication.

          What does this mean? Do I need to do an additional operation in my code, or is there a bug, or is it not supported?

          Best Regards,
          Roberto

          • 2. Re: ClusteredSingleSignOn problem
            Brian Stansberry Master

            There should be no problem with FORM authentication; our unit tests of Clustered SSO use FORM authentication.

            In your original post there was a piece that didn't come through where you showed what you did to activate ClusteredSingleSignOn. Please repost that bit, and use the [Code] button above the form to surround the XML; that will let the XML come through.

            • 3. Re: ClusteredSingleSignOn problem
              roberto roberto Novice

              These are my configuration steps for both nodes:

              Step #1: Download Apache2 Web Server version 2.0.58 and install it with the defaults

              Step #2: Download mod_jk-apache-2.0.55.so


              Step #3: Setup Apache
              Add this line at the very bottom in APACHE_HOME/conf/httpd.conf :

              Include conf/mod-jk.conf
              


              create a new mod-jk.conf like this:


              # Load mod_jk module
              # Specify the filename of the mod_jk lib
              LoadModule jk_module modules/mod_jk.so
              
              # Where to find workers.properties
              JkWorkersFile conf/workers.properties
              
              # Where to put jk logs
              JkLogFile logs/mod_jk.log
              
              # Set the jk log level [debug/error/info]
              JkLogLevel info
              
              # Select the log format
              JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
              
              # JkOptions indicates to send SSL KEY SIZE
              JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
              
              # JkRequestLogFormat
              JkRequestLogFormat "%w %V %T"
              
              # Mount your applications. /* means All application
              JkMount /* loadbalancer
              
              # You can use external file for mount points.
              # It will be checked for updates each 60 seconds.
              # The format of the file is: /url=worker
              # /examples/*=loadbalancer
              #JkMountFile conf/uriworkermap.properties
              
              # Add shared memory.
              # This directive is present with 1.2.10 and
              # later versions of mod_jk, and is needed
              # for load balancing to work properly
              JkShmFile logs/jk.shm
              
              # Add jkstatus for managing runtime data
              <Location /jkstatus/>
               JkMount jkstatus
               Order deny,allow
               Deny from all
               Allow from 127.0.0.1
              </Location>
              


              Configure workers.properties using sticky sessions
              (I'm creating a cluster on the same machine)

              # Define list of workers that will be used
              # for mapping requests
              worker.list=loadbalancer,status
              # Define Cluster1
              worker.node1.port=8009
              worker.node1.host=127.0.0.1
              worker.node1.type=ajp13
              worker.node1.lbfactor=1
              #worker.node1.local_worker=1 (1)
              worker.node1.cachesize=10
              
              # Define Cluster2
              worker.node2.port=8309
              worker.node2.host=127.0.0.1
              worker.node2.type=ajp13
              worker.node2.lbfactor=1
              #worker.node2.local_worker=1 (1)
              worker.node2.cachesize=10
              
              # Load-balancing behaviour
              worker.loadbalancer.type=lb
              worker.loadbalancer.balanced_workers=node1, node2
              worker.loadbalancer.sticky_session=1
              worker.loadbalancer.local_worker_only=1
              worker.list=loadbalancer
              
              # Status worker for managing load balancer
              worker.status.type=status
              




              Step #4: Set up Tomcat inside JBoss

              in JBOSS_HOME\server\<my node>\deploy\jbossweb-tomcat55.sar\server.xml
              added jvmRoute to match workers (node1 and node2)

               <Engine name="jboss.web" defaultHost="localhost" jvmRoute="node1">
              ....
               </Engine>
              


              and uncommented the ClusteredSingleSignOn valve
              ...
               <!-- Uncomment to enable single sign-on across web apps
               deployed to this host AND to all other hosts in the cluster.
              
               If this valve is used, do not use the standard Tomcat SingleSignOn
               valve shown above.
              
               Valve uses a JBossCache instance to support SSO credential
               caching and replication across the cluster. The JBossCache
               instance must be configured separately. By default, the valve
               shares a JBossCache with the service that supports HttpSession
               replication. See the "tc5-cluster-service.xml" file in the
               server/all/deploy directory for cache configuration details.
              
               Besides the attributes supported by the standard Tomcat
               SingleSignOn valve (see the Tomcat docs), this version also
               supports the following attributes:
              
               cookieDomain see above
              
               treeCacheName JMX ObjectName of the JBossCache MBean used to
               support credential caching and replication across
               the cluster. If not set, the default value is
               "jboss.cache:service=TomcatClusteringCache", the
               standard ObjectName of the JBossCache MBean used
               to support session replication.
               -->
               <!-- -->
               <Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn" debug="2" />
               ....
              
              



              Step #5: Set up Tomcat inside JBoss

              in JBOSS_HOME\server\<my node>\deploy\jbossweb-tomcat55.sar\META-INF\jboss-service.xml

              Finally, I need to tell Tomcat to add the jvmRoute value to its session cookies so that mod_jk can route incoming requests.
              So I changed UseJK from false to true

              ...
               <attribute name="UseJK">true</attribute>
              ...
              



              Step #6: Set loopback to true for the UDP problem on Windows machines


              Step #7: in my web.xml

              ...
               <distributable></distributable>
              ...
              


              and in my jboss-web.xml

              ...
               <replication-config>
               <replication-trigger>SET_AND_NON_PRIMITIVE_GET</replication-trigger>
               <replication-granularity>SESSION</replication-granularity>
               </replication-config>
              ...
              


              • 4. Re: ClusteredSingleSignOn problem
                Brian Stansberry Master

                This looks correct.

                1) Do you have cookies enabled, or are you trying to use URL rewriting (which won't work w/ Clustered SSO)?

                2) I suspect you get the same "DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] SSO cookie is not present" message when using BASIC; it's just that with BASIC the browser presents your credential so the logon happens transparently. Please confirm.

                • 5. Re: ClusteredSingleSignOn problem
                  roberto roberto Novice

                  1) I have cookies enabled

                  2) The message "SSO cookie is not present" also occurs with BASIC authentication


                  Maybe it is useful to know that I'm running on Windows Server 2003 Enterprise x64 Edition SP1 with JDK 1.5.0_07 64-bit edition

                  Apache and mod-Jk, however, are 32-bit versions

                  Thank You

                  • 6. Re: ClusteredSingleSignOn problem
                    Brian Stansberry Master

                    Is there any logging from the 1st server showing the SSO being established and the cookie being issued?

                    • 7. Re: ClusteredSingleSignOn problem
                      roberto roberto Novice

                      Please tell me how to turn on logging for that kind of information.
                      Is logging for ContainerBase enough? It is the only one that I added to the standard log4j.

                      At the moment,
                      the only entries related to SSO that I found in my log are:

                      ...
                      2006-07-19 16:08:17,140 DEBUG [org.jboss.web.tomcat.tc5.sso.TreeCacheSSOClusterManager] Successfully integrated with cache service jboss.cache:service=TomcatClusteringCache
                      ...
                      2006-07-19 16:35:17,578 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Process request for '/now/Main.jsp'
                      2006-07-19 16:35:17,578 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Checking for cached principal for 5FA6BEF297272CD734130D4DAC707A4B
                      2006-07-19 16:35:17,578 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Found cached principal 'user2' with auth type 'FORM'
                      2006-07-19 16:35:17,578 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Associate sso id 5FA6BEF297272CD734130D4DAC707A4B with session SessionBasedClusteredSession[id: g+2eoqxmkoLfW7IYqRpxWQ**.node1 lastAccessedTime: 1153319717328 version: 3 lastOutdated: 0]
                      2006-07-19 16:35:17,578 DEBUG [org.jboss.web.tomcat.tc5.session.JvmRouteValve] checkJvmRoute(): check if need to re-route based on JvmRoute. Session id: g+2eoqxmkoLfW7IYqRpxWQ**.node1 jvmRoute: node1
                      2006-07-19 16:35:17,578 DEBUG [org.jboss.web.tomcat.tc5.session.JBossCacheManager] check to see if needs to store and replicate session with id g+2eoqxmkoLfW7IYqRpxWQ**.node1
                      2006-07-19 16:35:17,578 DEBUG [org.jboss.web.tomcat.tc5.session.ClusteredSession] processSessionRepl(): session is dirty. Will increment version from: 3 and replicate.
                      2006-07-19 16:35:17,703 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Process request for '/now/ABSMenuIndex.jsp'
                      2006-07-19 16:35:17,703 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Checking for cached principal for 5FA6BEF297272CD734130D4DAC707A4B
                      2006-07-19 16:35:17,703 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Found cached principal 'user2' with auth type 'FORM'
                      2006-07-19 16:35:17,703 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Associate sso id 5FA6BEF297272CD734130D4DAC707A4B with session SessionBasedClusteredSession[id: g+2eoqxmkoLfW7IYqRpxWQ**.node1 lastAccessedTime: 1153319717578 version: 4 lastOutdated: 0]
                      2006-07-19 16:35:17,703 DEBUG [org.jboss.web.tomcat.tc5.session.JvmRouteValve] checkJvmRoute(): check if need to re-route based on JvmRoute. Session id: g+2eoqxmkoLfW7IYqRpxWQ**.node1 jvmRoute: node1
                      2006-07-19 16:35:17,703 DEBUG [org.jboss.web.tomcat.tc5.session.JBossCacheManager] check to see if needs to store and replicate session with id g+2eoqxmkoLfW7IYqRpxWQ**.node1
                      2006-07-19 16:35:17,703 DEBUG [org.jboss.web.tomcat.tc5.session.ClusteredSession] processSessionRepl(): session is dirty. Will increment version from: 4 and replicate.
                      200
                      .....
                      


                      I hope this is useful
                      Thanks
                      Roberto

                      • 8. Re: ClusteredSingleSignOn problem
                        Brian Stansberry Master

                        OK, messages like "Associate sso id 5FA6BEF297272CD734130D4DAC707A4B with session SessionBasedClusteredSession" are telling me the SSO has been established.

                        I'm not really sure what to tell you; everything you are doing seems fine. All I can think of is to check your browser to make sure it has a JSESSIONIDSSO cookie and a jsessionid cookie.
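The log reading discussed in replies 6 to 8, as an added example that is not part of the original thread: a small Python triage that separates requests where the SSO valve found a cached principal from requests that arrived without the SSO cookie, and shows which node issued the session id involved. The sample lines are constructed in the DEBUG format quoted above; pairing a "cookie not present" line with the replication line of the same millisecond is an assumption of this example.

```python
import re

# Constructed sample: DEBUG lines in the format quoted in this thread. The ids
# are the ones posted above; the 16:40:02 timestamps are made up for the demo.
CB = "org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]"
SSO_ID = "5FA6BEF297272CD734130D4DAC707A4B"
SESSION_ID = "g+2eoqxmkoLfW7IYqRpxWQ**.node1"
SAMPLE_LOG = "\n".join([
    f"2006-07-19 16:35:17,578 DEBUG [{CB}] Checking for cached principal for {SSO_ID}",
    f"2006-07-19 16:35:17,578 DEBUG [{CB}] Found cached principal 'user2' with auth type 'FORM'",
    f"2006-07-19 16:35:17,578 DEBUG [{CB}] Associate sso id {SSO_ID} with session "
    f"SessionBasedClusteredSession[id: {SESSION_ID} lastAccessedTime: 1153319717328 version: 3 lastOutdated: 0]",
    f"2006-07-19 16:40:02,101 DEBUG [{CB}] SSO cookie is not present",
    "2006-07-19 16:40:02,101 DEBUG [org.jboss.web.tomcat.tc5.session.JBossCacheManager] "
    f"check to see if needs to store and replicate session with id {SESSION_ID}",
    "200",  # truncated line, as in the posted log
])

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) +\w+ +\[(.+?)\] (.*)$")
CHECK = re.compile(r"Checking for cached principal for (\w+)")
FOUND = re.compile(r"Found cached principal '([^']*)' with auth type '([^']*)'")
ASSOC = re.compile(r"Associate sso id (\w+) with session \w+\[id: (\S+)")
REPL = re.compile(r"replicate session with id (\S+)")

def triage(log_text):
    """Split a node's log into SSO ids that were honoured and requests lacking the cookie."""
    established, missing, checked, open_miss = {}, [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip truncated or wrapped lines
        ts, _logger, msg = m.groups()
        if c := CHECK.search(msg):
            checked = c.group(1)  # cookie value the request presented
        elif (f := FOUND.search(msg)) and checked:
            entry = established.setdefault(checked, {"sessions": set()})
            entry.update(principal=f.group(1), auth=f.group(2))
        elif a := ASSOC.search(msg):
            established.setdefault(a.group(1), {"sessions": set()})["sessions"].add(a.group(2))
        elif "SSO cookie is not present" in msg:
            open_miss = {"time": ts, "session": None, "issued_by": None}
            missing.append(open_miss)
        elif open_miss and open_miss["time"] == ts and (r := REPL.search(msg)):
            # Heuristic: same-millisecond replication line belongs to that request.
            # The suffix after the last '.' is the jvmRoute of the issuing node.
            open_miss.update(session=r.group(1), issued_by=r.group(1).rpartition(".")[2])
            open_miss = None
    return {"established": established, "cookie_missing": missing}
```

Running `triage()` over each node's server.log separately shows on which node the SSO id was honoured and on which node requests arrived without the cookie.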

                        • 9. Re: ClusteredSingleSignOn problem
                          roberto roberto Novice

                          Please, can you tell me how to check my browser to make sure that it has the JSESSIONIDSSO and jsessionid cookies?


                          Thanks

                          • 10. Re: ClusteredSingleSignOn problem
                            Brian Stansberry Master

                            For Firefox, go into Tools -- Options -- Privacy -- Cookies and there is a View Cookies button.

                            I don't recall how w/ IE, other than poking around in some subfolder of your folder in Documents and Settings and finding the file where they are stored.

                            • 11. Re: ClusteredSingleSignOn problem
                              roberto roberto Novice

                              I checked the cookies using Firefox 2.0 Beta,
                              and the cookies are present.

                              Both JSESSIONIDSSO and JSESSIONID (all in uppercase) exist for the right site.

                              :(

                              http://img225.imageshack.us/my.php?image=jsessionidjv2.png

                              http://img213.imageshack.us/my.php?image=jsessionidssocp4.png