0 Replies Latest reply on Jun 18, 2007 2:37 PM by Jesse Y

    Unable to login properly to a clustered JBoss environment us

    Jesse Y Newbie

      Hello. I'm not sure if this is the right place to post this question, but if it's not you can direct me to the correct message board. I'm having some difficulty using form-based authentication in a JBoss cluster. Sorry in advance for the long post; I just want to get enough information down for you to be able to diagnose the problem.

      I have a small Java application that I'm deploying to a JBoss cluster. There are currently 2 JBoss servers running in the cluster (I'll refer to them as JBossServer1 and JBossServer2). They are running on two different machines (actually they are running on two separate VMware instances on the same machine, but to the outside world they appear to be two totally separate machines). Both JBoss servers are version 4.0.5 and they are both running on computers running FreeBSD version 6.2. The JBoss cluster is fronted by an Apache server. The Apache server is doing some URL rewriting so that requests to multiple URLs (about 10) will be directed to the same JBoss cluster. The Apache server also performs load balancing using the round-robin method. We do NOT have sticky sessions set up.

      The web application contains several different servlets (SignupServlet, CustAdminServlet, AdminServlet, etc.). Each of these would be accessed through URLs such as http://hostname/MyApp/SignupServlet, http://hostname/MyApp/CustAdminServlet, http://hostname/MyApp/AdminServlet, where "hostname" is one of the 10 URLs that the Apache server maps to the actual JBoss servers. All of the servlets EXCEPT for the AdminServlet are completely open and don't require a username or password to access. The AdminServlet, however, requires the user to log in. I'm using form-based authentication as my authentication method (set in the web.xml file that gets deployed in my application's EAR file).

      I have made several JBoss configuration changes to try and get everything working. I have read through the JBoss clustering section of the JBoss documentation (http://docs.jboss.org/jbossas/jboss4guide/r4/html/cluster.chapt.html) and have followed the instructions in section 16.5 (the HTTP Services section). I configured HTTP session state replication and this seems to be working correctly. When I go to my server's JMX console and invoke the printDetails operation on the TomcatClusteringCache I can see that there is session information being replicated. I've also gone into the file jbossweb-tomcat5x.sar/server.xml and set up the ClusteredSingleSignOn valve as shown on the SingleSignOn Wiki page (http://www.jboss.org/wiki/Wiki.jsp?page=SingleSignOn):



      I thought that maybe I just had single sign-on or clustering configured wrong on one of the servers so I did some testing to find out. Note: I was using Mozilla Firefox as my browser.

      Test 1: (Success)
      First I started up ONLY JBossServer1. I entered the URL http://hostname/MyApp/AdminServlet in my browser and was taken to the login page as I would expect. I checked my cookies and there was a JSESSIONID cookie for this site. I invoked the printDetails operation on the TomcatClusteringCache and saw there was nothing replicated yet.

      Then I entered my username and password and pressed the login button. I was logged into my application as I should be. I checked my cookies and there was a JSESSIONID cookie AND a JSESSIONIDSSO cookie for this site. I invoked the printDetails operation on the TomcatClusteringCache and saw there was information replicated (for a sample of what this looked like see the bottom of my post).

      Everything worked the way I would expect it to.

      Test 2: (Success)
      For the next test I started up ONLY JBossServer2. I entered the URL http://hostname/MyApp/AdminServlet in my browser and was taken to the login page. I checked my cookies and there was a JSESSIONID cookie for this site. I invoked the printDetails operation on the TomcatClusteringCache and saw there was nothing replicated yet.

      Then I entered my username and password and pressed the login button. I got logged into my application as I should be. I checked my cookies and there was a JSESSIONID cookie AND a JSESSIONIDSSO cookie for this site. I invoked the printDetails operation on the TomcatClusteringCache and saw there was information replicated (for a sample of what this looked like see the bottom of my post).

      Everything worked the way I would expect it to.


      Test 3: (Fail)
      This is the test where I started having problems. I started up both of the JBoss servers. I again entered the URL http://hostname/MyApp/AdminServlet in my browser and was taken to the login page. I checked the cookies and there was a JSESSIONID cookie for this site. Then I invoked the printDetails operation on the TomcatClusteringCache (on both JBossServer1 and JBossServer2) and saw that nothing was replicated yet.

      I entered my username and password and pressed the login button. But instead of being logged into the application like I should have been I was simply sent back to the login page! I checked the cookies and there was still just a JSESSIONID cookie for this site. I then invoked the printDetails operation on the TomcatClusteringCache (on both JBossServer1 and JBossServer2) and saw that nothing was replicated yet.

      I entered my username and password for the second time and again pressed the login button. Again I was NOT logged into my application. Instead I got HTTP error 404 (the requested resource is not available). In the address bar I saw http://hostname/MyApp/j_security_check. I checked the cookies in my browser and this time there were both the JSESSIONID and JSESSIONIDSSO cookies. I invoked the printDetails operation on the TomcatClusteringCache on both JBossServer1 and JBossServer2 and saw there was information replicated (for a sample of what this looked like see the bottom of my post).

      Now if I hit my browser's back button (to get back to the login page) and hit the refresh button, I get logged into my application and everything works fine!

      Here is something even stranger. I shut down both JBoss servers and brought them both back up. I entered the URL http://hostname/MyApp/AdminServlet and got taken to the login page. I entered my username and password and pressed login, and again I was not logged in. But if I press the refresh button I do get successfully logged in! At first I thought this indicated that when I was logging in I was only being logged into one of the JBoss servers. However, when I get to the admin servlet I can perform many actions without any problem. Since I am using round-robin load balancing with no sticky sessions, I would expect that every operation would hit a different JBoss server and thus I would expect that every other operation would challenge me for my login credentials, but this never happens!

      I also thought that maybe my session information wasn't replicating fast enough and that was why I was being shown the second login screen. To try and rule out this possibility I changed the session replication to be synchronous and still got the same results.

      Another idea I had was that the Apache server wasn't passing along the cookies properly, but then I would expect that I wouldn't be able to view them from within my browser, and I would also expect that I wouldn't be able to log in when I only used a single JBoss server (which was not the case).

      I have searched everywhere for an answer to this problem but so far have come up with nothing. I'm sure it's just a configuration problem, but I don't know what. If anyone has any ideas I would really appreciate it, because I'm stumped.

      Thanks in advance for your help!
      Jesse

      Sample of the output from invoking the printDetails operation on the TomcatClusteringCache
      /SSO

      /27972A1982A8087F39CC1AAF8E9707EA

      /sessions
      key: [org.jboss.web.tomcat.tc5.sso.TreeCacheSSOClusterManager$SessionAddress@c0c5d546]

      /credentials
      key: org.jboss.web.tomcat.tc5.sso.TreeCacheSSOClusterManager$SSOCredentials@4a7629

      /JSESSION

      /localhost

      /RecipientSignups

      /Ho8xjWEb06K4-AFiMLfVHw**
      VERSION: 2
      Ho8xjWEb06K4-AFiMLfVHw**: [B@1635a89
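
Added example (not part of the original post, and not JBoss or Tomcat code): a small Python model of the exchange the post describes, a form login that spans two requests (GET the protected URL, then POST j_security_check) in front of a two-node cluster with no sticky sessions. Everything in it is constructed: the node names node1/node2, the credentials, and the node behaviour, which is modelled as "a node that receives j_security_check for a session it does not hold answers 404" (the status the post reports) and "a session is copied to the peer only once login has changed it". Sticky routing is modelled on a ".<node>" suffix in JSESSIONID, in the style of a jvmRoute; the JSESSIONIDSSO cookie is not modelled. Running it shows the login POST landing on the node that never saw the login page, and the same flow succeeding once the two steps are pinned to one node, with failover to the peer still working after login because the authenticated session was replicated.

```python
"""Model of a two-step form login behind a two-node cluster (constructed example)."""
import itertools
import secrets

USERS = {"admin": "s3cret"}            # constructed credentials, model only
PROTECTED = "/MyApp/AdminServlet"
LOGIN_ACTION = "/MyApp/j_security_check"


class Node:
    """One cluster member with its own session store (modelled, not Tomcat)."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}                 # sid -> session dict held by this node
        self.peers = []                    # other nodes to replicate to

    def handle(self, method, path, cookies, form=None):
        sess = self.sessions.get(cookies.get("JSESSIONID"))
        if path == PROTECTED:
            if sess and sess.get("principal"):
                return 200, {"body": "admin page"}
            # Not authenticated here: open a session, remember the request, show the form.
            sid = f"{secrets.token_hex(8)}.{self.name}"       # jvmRoute-style suffix
            self.sessions[sid] = {"saved_request": path}
            return 200, {"body": "login form", "set_cookie": {"JSESSIONID": sid}}
        if path == LOGIN_ACTION and method == "POST":
            if not sess or "saved_request" not in sess:
                # This node has nothing to resume: modelled as the 404 the post reports.
                return 404, {"body": "not found"}
            if USERS.get(form.get("j_username")) != form.get("j_password"):
                return 401, {"body": "bad credentials"}
            sess["principal"] = form["j_username"]
            target = sess.pop("saved_request")
            for peer in self.peers:            # login changed the session: replicate it (assumption)
                peer.sessions[cookies["JSESSIONID"]] = dict(sess)
            return 302, {"location": target}
        return 404, {"body": "not found"}


class Balancer:
    """Round-robin front end, optionally pinning a session to the node in its suffix."""

    def __init__(self, nodes, sticky):
        self.nodes = {n.name: n for n in nodes}
        self.rr = itertools.cycle(nodes)
        self.sticky = sticky

    def route(self, cookies):
        sid = cookies.get("JSESSIONID", "")
        suffix = sid.rsplit(".", 1)[-1] if "." in sid else None
        if self.sticky and suffix in self.nodes:
            return self.nodes[suffix]
        return next(self.rr)                   # no usable affinity: next node in turn


class Browser:
    """Cookie-keeping client that follows 302s and records which node served each request."""

    def __init__(self, balancer):
        self.lb = balancer
        self.cookies = {}
        self.trace = []                        # (method, path, node, status)

    def request(self, method, path, form=None):
        node = self.lb.route(self.cookies)
        status, resp = node.handle(method, path, dict(self.cookies), form)
        self.cookies.update(resp.get("set_cookie", {}))
        self.trace.append((method, path, node.name, status))
        if status == 302:
            return self.request("GET", resp["location"])
        return status, resp["body"]


def login_flow(sticky):
    """GET the protected page, then POST the form; return (status, body, browser)."""
    n1, n2 = Node("node1"), Node("node2")
    n1.peers, n2.peers = [n2], [n1]
    b = Browser(Balancer([n1, n2], sticky))
    b.request("GET", PROTECTED)                # login page; session exists on one node only
    status, body = b.request("POST", LOGIN_ACTION,
                             {"j_username": "admin", "j_password": "s3cret"})
    return status, body, b


def failover_after_login():
    """Log in with affinity, lose node1, and revisit: the replicated session should serve."""
    _, _, b = login_flow(sticky=True)
    survivor = b.lb.nodes["node2"]
    b.lb.nodes = {"node2": survivor}
    b.lb.rr = itertools.cycle([survivor])
    return b.request("GET", PROTECTED)


if __name__ == "__main__":
    for sticky in (False, True):
        status, body, b = login_flow(sticky)
        print(f"sticky={sticky}: {status} {body}")
        for step in b.trace:
            print("   ", step)
    print("after node1 is gone:", failover_after_login())
```

In the non-sticky run the trace shows the GET served by node1 and the POST by node2, which is the shape of failure the post describes; with affinity both steps hit node1 and the 302 to the saved request is served from the same node. The failover check is there to separate the two questions the post runs together: whether replication works (it does, once there is an authenticated session to replicate) and whether the login handshake itself can survive being split across nodes.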