Posted to dev@tomcat.apache.org by Denis Benoit <De...@fbn.ca> on 2002/07/04 17:53:15 UTC

[PROPOSAL] Single signon and loadbalancer

Hi,

With the current code (TC 4.1.6), the single signon does not work with the
loadbalancer connector.

If a user was logged in a given webapp, the loadbalancer looks at the
JSESSIONID cookie (or URL parameter) to dispatch the request properly to the
tomcat where the user was logged on.  But if the user hits another webapp,
the JSESSIONID is not present anymore and the dispatcher applies its
round-robin logic to dispatch the request to any tomcat.  It nullifies the
effect of the single signon.  There are two problems that prevent it from working.

1. On the Tomcat side, the generateSessionId() method of
   org.apache.catalina.authenticator.AuthenticatorBase does not append
   the jvmRoute of the Engine if one is specified.  So when a user changes
   webapp, the web connector dispatcher does not have any information to
   properly route the request;

2. The current loadbalancer code specifically looks for the JSESSIONID cookie
   and does not look for a JSESSIONIDSSO cookie.

I could provide a patch to org.apache.catalina.authenticator.AuthenticatorBase
to add the jvmRoute to the session id; in fact it is a copy of the code from
org.apache.catalina.session.ManagerBase.

The change in:

	./jk/native/common/jk_lb_worker.c
	./jk/native2/common/jk_requtil.c

is also trivial, first the connector must look for the JSESSIONID cookie (or
param), and if not found it should look for the JSESSIONIDSSO cookie (or
param).  Then the same logic should be applied if either one is found.

Comments?

-- 
Denis Benoit
Denis.Benoit@fbn.ca
Tél: (514)879-5168



**********************************************************************
Due to the security risks involved in sending information over the
Internet, National Bank Financial  and NBCN cannot
be held responsible for ensuring the confidentiality and integrity 
of the present e-mail. For this reason, the opinions expressed herein 
do not necessarily reflect those of National Bank Financial 
and NBCN.
**********************************************************************


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
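
Added example, not part of the original thread and not mod_jk code: a small C model of the lookup order proposed in the message above (JSESSIONID first, JSESSIONIDSSO as the fallback, then the same route logic for either one). The function names, the worker names tc1/tc2 and the sample Cookie headers are constructed for illustration; it covers the cookie case only and assumes the route is whatever follows the last '.' in the value, which is matched against the configured workers because it is client-supplied.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Locate cookie `name` in a Cookie request header. The name must match a
 * whole cookie name, so "JSESSIONID" never matches inside "XJSESSIONID" or
 * "JSESSIONIDSSO". Returns a pointer to the value and stores its length. */
static const char *cookie_value(const char *hdr, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = hdr;

    while (*p) {
        while (*p == ' ' || *p == ';')          /* skip separators */
            p++;
        const char *end = strchr(p, ';');
        if (!end)
            end = p + strlen(p);
        if ((size_t)(end - p) > nlen && p[nlen] == '=' &&
            strncmp(p, name, nlen) == 0) {
            const char *v = p + nlen + 1;
            while (end > v && end[-1] == ' ')   /* trim trailing blanks */
                end--;
            *len = (size_t)(end - v);
            return v;
        }
        p = end;
    }
    return NULL;
}

/* Match the jvmRoute suffix of "<id>.<jvmroute>" against the configured
 * workers. The suffix comes from the client, so anything that is not an
 * exact worker name is ignored. Returns the worker index or -1. */
static int route_index(const char *val, size_t len,
                       const char *const *workers, size_t n)
{
    const char *dot = NULL;
    for (size_t i = 0; i < len; i++)
        if (val[i] == '.')
            dot = val + i;                      /* assumption: last dot wins */
    if (!dot)
        return -1;                              /* id carries no route */

    const char *route = dot + 1;
    size_t rlen = (size_t)(val + len - route);
    if (rlen == 0)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (strlen(workers[i]) == rlen && memcmp(workers[i], route, rlen) == 0)
            return (int)i;
    return -1;
}

/* Proposed order: JSESSIONID first, JSESSIONIDSSO only if JSESSIONID is not
 * present. Returns the sticky worker index, or -1 when the caller should
 * fall back to its normal round-robin choice. */
int sticky_worker(const char *cookie_hdr, const char *const *workers, size_t n)
{
    static const char *const names[] = { "JSESSIONID", "JSESSIONIDSSO" };

    if (!cookie_hdr)
        return -1;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        size_t len;
        const char *val = cookie_value(cookie_hdr, names[i], &len);
        if (val)                                /* first cookie found decides */
            return route_index(val, len, workers, n);
    }
    return -1;
}

/* Constructed sample data: two Tomcat instances with jvmRoute tc1 and tc2. */
static const char *const WORKERS[] = { "tc1", "tc2" };

int main(void)
{
    static const char *const samples[] = {
        "JSESSIONID=0A1B2C.tc2",                 /* same webapp */
        "lang=fr; JSESSIONIDSSO=FFEE99.tc1",     /* other webapp, patched SSO id */
        "JSESSIONIDSSO=FFEE99",                  /* SSO id without jvmRoute */
        "JSESSIONID=AA.tc9",                     /* route names no known worker */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int w = sticky_worker(samples[i], WORKERS, 2);
        printf("%-36s -> %s\n", samples[i], w < 0 ? "round-robin" : WORKERS[w]);
    }
    return 0;
}
```

The third sample is the case the thread describes: an SSO identifier with no jvmRoute gives the balancer nothing to route on, so the request goes to round-robin.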


Re: [PROPOSAL] Single signon and loadbalancer

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Thu, 4 Jul 2002, Denis Benoit wrote:

> Date: Thu, 4 Jul 2002 17:07:33 -0400 (EDT)
> From: Denis Benoit <De...@fbn.ca>
> Reply-To: Tomcat Developers List <to...@jakarta.apache.org>,
>      Denis.Benoit@fbn.ca
> To: Tomcat Developers List <to...@jakarta.apache.org>
> Subject: Re: [PROPOSAL] Single signon and loadbalancer
>
> On Thu, 4 Jul 2002, Henri Gomez wrote:
>
> > > With the current code (TC 4.1.6), the single signon does not work with the
> > > loadbalancer connector.
> > >
> > > If a user was logged in a given webapp, the loadbalancer looks at the
> > > JSESSIONID cookie (or URL parameter) to dispatch the request properly to the
> > > tomcat where the user was logged on.  But if the user hits another webapp,
> > > the JSESSIONID is not present anymore and the dispatcher applies its
> > > round-robin logic to dispatch the request to any tomcat.  It nullifies the
> > > effect of the single signon.  There are two problems that prevent it from working.
> >
> >
> > Another webapp or another tomcat ?
> >
> > JSESSIONID is related to session, and session from specs should be
> > unique by webapp, i.e. a user on webappA shouldn't be seen on webappB.
> >
> > We fix that problem at work by playing with our own cookies, something
> > like what you propose.
>
> I'm talking about using the valve org.apache.catalina.authenticator.SingleSignOn
> with the "loadbalancer" of mod_jk.  JSESSIONID is certainly specific to a webapp,
> but the JSESSIONIDSSO cookie generated by the valve is used across webapp.  But
> since JSESSIONIDSSO does not have the jvmRoute of the engine appended to its
> cookie, therefore JSESSIONIDSSO (the valve), does not work with the loadbalancer.
> When a user hits another webapp, the user is randomly sent to any Tomcat in
> the pool of the loadbalancer.
>
>
> >
> > > 1. On the Tomcat side, the generateSessionId() method of
> > >    org.apache.catalina.authenticator.AuthenticatorBase does not append
> > >    the jvmRoute of the Engine if one is specified.  So when a user changes
> > >    webapp, the web connector dispatcher does not have any information to
> > >    properly route the request;
> > >
> > > 2. The current loadbalancer code specifically looks for the JSESSIONID cookie
> > >    and does not look for a JSESSIONIDSSO cookie.
> > >
> > > I could provide a patch to org.apache.catalina.authenticator.AuthenticatorBase
> > > to add the jvmRoute to the session id; in fact it is a copy of the code from
> > > org.apache.catalina.session.ManagerBase.
> > >
> > > The change in:
> > >
> > > 	./jk/native/common/jk_lb_worker.c
> > > 	./jk/native2/common/jk_requtil.c
> > >
> > > is also trivial, first the connector must look for the JSESSIONID cookie (or
> > > param), and if not found it should look for the JSESSIONIDSSO cookie (or
> > > param).  Then the same logic should be applied if either one is found.
> > >
> > > Comments?
> >
> >
> > I'd like to hear others speak about that, since I'm not sure if it
> > respects the specs...
>
> I'd like too :)
>

The JSESSIONIDSSO cookie is not required by the specifications -- it just
happens to be part of how Tomcat 4 implements single sign on.

If you want to use SSO in a load balanced environment, you would need to
ensure that all requests with the same JSESSIONIDSSO cookie are routed
back to the same Tomcat instance -- even if the session ids are different
(as they would be, for different webapps), or even if the user is not
involved (or not yet involved) in a session so there is no JSESSIONID
cookie.

It sounds like the proposed patch would accomplish exactly these goals.

Craig




Re: [PROPOSAL] Single signon and loadbalancer

Posted by Denis Benoit <De...@fbn.ca>.
On Thu, 4 Jul 2002, Henri Gomez wrote:

> > With the current code (TC 4.1.6), the single signon does not work with the
> > loadbalancer connector.
> > 
> > If a user was logged in a given webapp, the loadbalancer looks at the
> > JSESSIONID cookie (or URL parameter) to dispatch the request properly to the
> > tomcat where the user was logged on.  But if the user hits another webapp,
> > the JSESSIONID is not present anymore and the dispatcher applies its
> > round-robin logic to dispatch the request to any tomcat.  It nullifies the
> > effect of the single signon.  There are two problems that prevent it from working.
> 
> 
> Another webapp or another tomcat ?
> 
> JSESSIONID is related to session, and session from specs should be
> unique by webapp, i.e. a user on webappA shouldn't be seen on webappB.
> 
> We fix that problem at work by playing with our own cookies, something
> like what you propose.

I'm talking about using the valve org.apache.catalina.authenticator.SingleSignOn
with the "loadbalancer" of mod_jk.  JSESSIONID is certainly specific to a webapp,
but the JSESSIONIDSSO cookie generated by the valve is used across webapp.  But
since JSESSIONIDSSO does not have the jvmRoute of the engine appended to its
cookie, therefore JSESSIONIDSSO (the valve), does not work with the loadbalancer.
When a user hits another webapp, the user is randomly sent to any Tomcat in
the pool of the loadbalancer.


> 
> > 1. On the Tomcat side, the generateSessionId() method of
> >    org.apache.catalina.authenticator.AuthenticatorBase does not append
> >    the jvmRoute of the Engine if one is specified.  So when a user changes
> >    webapp, the web connector dispatcher does not have any information to
> >    properly route the request;
> > 
> > 2. The current loadbalancer code specifically looks for the JSESSIONID cookie
> >    and does not look for a JSESSIONIDSSO cookie.
> > 
> > I could provide a patch to org.apache.catalina.authenticator.AuthenticatorBase
> > to add the jvmRoute to the session id; in fact it is a copy of the code from
> > org.apache.catalina.session.ManagerBase.
> > 
> > The change in:
> > 
> > 	./jk/native/common/jk_lb_worker.c
> > 	./jk/native2/common/jk_requtil.c
> > 
> > is also trivial, first the connector must look for the JSESSIONID cookie (or
> > param), and if not found it should look for the JSESSIONIDSSO cookie (or
> > param).  Then the same logic should be applied if either one is found.
> > 
> > Comments?
> 
> 
> I'd like to hear others speak about that, since I'm not sure if it
> respects the specs...

I'd like too :) 





Re: [PROPOSAL] Single signon and loadbalancer

Posted by Henri Gomez <hg...@apache.org>.
> With the current code (TC 4.1.6), the single signon does not work with the
> loadbalancer connector.
> 
> If a user was logged in a given webapp, the loadbalancer looks at the
> JSESSIONID cookie (or URL parameter) to dispatch the request properly to the
> tomcat where the user was logged on.  But if the user hits another webapp,
> the JSESSIONID is not present anymore and the dispatcher applies its
> round-robin logic to dispatch the request to any tomcat.  It nullifies the
> effect of the single signon.  There are two problems that prevent it from working.


Another webapp or another tomcat ?

JSESSIONID is related to session, and session from specs should be
unique by webapp, i.e. a user on webappA shouldn't be seen on webappB.

We fix that problem at work by playing with our own cookies, something
like what you propose.

> 1. On the Tomcat side, the generateSessionId() method of
>    org.apache.catalina.authenticator.AuthenticatorBase does not append
>    the jvmRoute of the Engine if one is specified.  So when a user changes
>    webapp, the web connector dispatcher does not have any information to
>    properly route the request;
> 
> 2. The current loadbalancer code specifically looks for the JSESSIONID cookie
>    and does not look for a JSESSIONIDSSO cookie.
> 
> I could provide a patch to org.apache.catalina.authenticator.AuthenticatorBase
> to add the jvmRoute to the session id; in fact it is a copy of the code from
> org.apache.catalina.session.ManagerBase.
> 
> The change in:
> 
> 	./jk/native/common/jk_lb_worker.c
> 	./jk/native2/common/jk_requtil.c
> 
> is also trivial, first the connector must look for the JSESSIONID cookie (or
> param), and if not found it should look for the JSESSIONIDSSO cookie (or
> param).  Then the same logic should be applied if either one is found.
> 
> Comments?


I'd like to hear others speak about that, since I'm not sure if it
respects the specs...





Re: [PROPOSAL] Single signon and loadbalancer

Posted by Denis Benoit <De...@fbn.ca>.
Sure, the idea is to apply the same logic for the "Single Signon" as
for regular sessions.  Currently, a distinct cookie (or parameter) is
created for this.  The discussion is whether it should reuse in some
way the "regular session" cookie (or parameter) or continue to use
the distinct cookie (or parameter).

The problem I see with using the "JSESSIONID" cookie (or parameter) for
the "single signon" is that there would be a clash between the SSO
identifier and the identifier for the "ROOT" webapp.  If you look at it
from the "cookie side", both cookies would have the "JSESSIONID" name
and apply to the "/" path.  So if somebody hits a webapp accessible from
the "/foo" URL, we would need to create two cookies (if the SingleSignon
valve is activated of course).  We would need to create a "JSESSIONID"
cookie for the "/foo" URL and a "JSESSIONID" for the "/" URL for the single
signon purpose.  Now, after that, if the user hits the "ROOT" webapp,
Tomcat would look for a session whose ID was the "JSESSIONID" given
for the "single signon" and it would not find the session, or worse,
find another session.  At that point, all hell breaks loose...

On Mon, 8 Jul 2002, Tim Funk wrote:

> Would this new solution be compatible with URL rewriting? (No cookies 
> being used)
> 
> costinm@covalent.net wrote:
> > On Mon, 8 Jul 2002, Denis Benoit wrote:
> > 
> > 
> >>I think it would be difficult, since JSESSIONID is distinct for each
> >>webapp on a Tomcat, only JSESSIONIDSSO (if the SingleSignon valve
> >>is activated) is common to all webapps.
> >>
> >>I'll try to think of something, but if you think of something first,
> >>let me know :)
> > 
> > 
> > Well, my thinking is that in order to have 'single signon' you need 
> > a way to have a single cookie ( or path param if cookies are disabled )
> > across all webapps. Whatever means to get that as JSESSIONIDSSO, 
> > it can be used for JSESSIONID as well.
> > 
> > So I would add a hook into the session id generator - and have
> > the single signon use the hook to push session ids.
> > 
> > If we want to have distinct sessions in each webapp - the session
> > id would consist of the 'common' part and a per-webapp part.
> > 
> > In general, my view of single signon is that each app must 
> > redirect to an auth application ( similar to kerberos for example)
> > and use the certificate as session id for all webapps.
> > 
> > Costin

-- 
Denis Benoit





Re: [PROPOSAL] Single signon and loadbalancer

Posted by Tim Funk <fu...@joedog.org>.
Would this new solution be compatible with URL rewriting? (No cookies 
being used)

costinm@covalent.net wrote:
> On Mon, 8 Jul 2002, Denis Benoit wrote:
> 
> 
>>I think it would be difficult, since JSESSIONID is distinct for each
>>webapp on a Tomcat, only JSESSIONIDSSO (if the SingleSignon valve
>>is activated) is common to all webapps.
>>
>>I'll try to think of something, but if you think of something first,
>>let me know :)
> 
> 
> Well, my thinking is that in order to have 'single signon' you need 
> a way to have a single cookie ( or path param if cookies are disabled )
> across all webapps. Whatever means to get that as JSESSIONIDSSO, 
> it can be used for JSESSIONID as well.
> 
> So I would add a hook into the session id generator - and have
> the single signon use the hook to push session ids.
> 
> If we want to have distinct sessions in each webapp - the session
> id would consist of the 'common' part and a per-webapp part.
> 
> In general, my view of single signon is that each app must 
> redirect to an auth application ( similar to kerberos for example)
> and use the certificate as session id for all webapps.
> 
> Costin





Re: [PROPOSAL] Single signon and loadbalancer

Posted by Denis Benoit <De...@fbn.ca>.
Hi Costin,

I thought about your idea yesterday night.  I understand it and see your
point. As I see it, currently the cookies are built as such:

	<session ID>.<jvmroute>

And with the SSO patch proposed we would have also:

	<SSO session ID>.<jvmroute>

Currently, the SSO cookie does not have the <jvmroute> appended.

But, the way I understand what you say, we would have either:

	<SSO session ID>.<jvmroute>

<SSO session ID> being used as the <session ID> in each webapp, or:

	<session ID>.<SSO session ID>.<jvmroute>

I think the first alternative would be superior.  But since it would mean
to substantially modify the way the session IDs are generated, it may be
more appropriate to wait for a stable release of 4.1.X.  At that point,
I would be willing to propose a patch if everybody agrees on this approach.
For now, I'm more eager to see a stable 4.1.X, than to have SSO work in all
scenarios :)

Agreed?


On Mon, 8 Jul 2002 costinm@covalent.net wrote:

> On Mon, 8 Jul 2002, Denis Benoit wrote:
> 
> > I think it would be difficult, since JSESSIONID is distinct for each
> > webapp on a Tomcat, only JSESSIONIDSSO (if the SingleSignon valve
> > is activated) is common to all webapps.
> > 
> > I'll try to think of something, but if you think of something first,
> > let me know :)
> 
> Well, my thinking is that in order to have 'single signon' you need 
> a way to have a single cookie ( or path param if cookies are disabled )
> across all webapps. Whatever means to get that as JSESSIONIDSSO, 
> it can be used for JSESSIONID as well.
> 
> So I would add a hook into the session id generator - and have
> the single signon use the hook to push session ids.
> 
> If we want to have distinct sessions in each webapp - the session
> id would consist of the 'common' part and a per-webapp part.
> 
> In general, my view of single signon is that each app must 
> redirect to an auth application ( similar to kerberos for example)
> and use the certificate as session id for all webapps.
> 
> Costin

-- 
Denis Benoit
Denis.Benoit@fbn.ca
Tél: (514)879-5168





Re: [PROPOSAL] Single signon and loadbalancer

Posted by co...@covalent.net.
On Mon, 8 Jul 2002, Denis Benoit wrote:

> I think it would be difficult, since JSESSIONID is distinct for each
> webapp on a Tomcat, only JSESSIONIDSSO (if the SingleSignon valve
> is activated) is common to all webapps.
> 
> I'll try to think of something, but if you think of something first,
> let me know :)

Well, my thinking is that in order to have 'single signon' you need 
a way to have a single cookie ( or path param if cookies are disabled )
across all webapps. Whatever means to get that as JSESSIONIDSSO, 
it can be used for JSESSIONID as well.

So I would add a hook into the session id generator - and have
the single signon use the hook to push session ids.

If we want to have distinct sessions in each webapp - the session
id would consist of the 'common' part and a per-webapp part.

In general, my view of single signon is that each app must 
redirect to an auth application ( similar to kerberos for example)
and use the certificate as session id for all webapps.

Costin






Re: [PROPOSAL] Single signon and loadbalancer

Posted by Denis Benoit <De...@fbn.ca>.
I think it would be difficult, since JSESSIONID is distinct for each
webapp on a Tomcat, only JSESSIONIDSSO (if the SingleSignon valve
is activated) is common to all webapps.

I'll try to think of something, but if you think of something first,
let me know :)

On Mon, 8 Jul 2002 costinm@covalent.net wrote:

> +1
> 
> But before doing that - would it be possible to replace JSESSIONIDSSO 
> with a mechanism relying only on JSESSIONID ? 
> 
> Even if we patch mod_jk, there are other load balancing solutions
> ( hardware, etc ) - it would be much simpler if from 'outside'
> we would only use the standard JSESSIONID cookie / path param.
> 
> Costin

-- 
Denis Benoit





Re: [PROPOSAL] Single signon and loadbalancer

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Mon, 8 Jul 2002 costinm@covalent.net wrote:

> Date: Mon, 8 Jul 2002 10:43:26 -0700 (PDT)
> From: costinm@covalent.net
> Reply-To: Tomcat Developers List <to...@jakarta.apache.org>
> To: Tomcat Developers List <to...@jakarta.apache.org>,
>      Denis.Benoit@fbn.ca
> Subject: Re: [PROPOSAL] Single signon and loadbalancer
>
> +1
>
> But before doing that - would it be possible to replace JSESSIONIDSSO
> with a mechanism relying only on JSESSIONID ?
>

When designing the way SSO worked in the first place, I couldn't think of
a solution with just JSESSIONID that supported single sign on when you
weren't using sessions in one or more of the applications.  It seems to me
that this is an important functional requirement, and is at least
implicitly required by the spec (Servlet 2.3, section 12.6).

> Even if we patch mod_jk, there are other load balancing solutions
> ( hardware, etc ) - it would be much simpler if from 'outside'
> we would only use the standard JSESSIONID cookie / path param.
>
> Costin
>

Craig






Re: [PROPOSAL] Single signon and loadbalancer

Posted by co...@covalent.net.
+1

But before doing that - would it be possible to replace JSESSIONIDSSO 
with a mechanism relying only on JSESSIONID ? 

Even if we patch mod_jk, there are other load balancing solutions
( hardware, etc ) - it would be much simpler if from 'outside'
we would only use the standard JSESSIONID cookie / path param.

Costin

On Thu, 4 Jul 2002, Denis Benoit wrote:

> Hi,
> 
> With the current code (TC 4.1.6), the single signon does not work with the
> loadbalancer connector.
> 
> If a user was logged in a given webapp, the loadbalancer looks at the
> JSESSIONID cookie (or URL parameter) to dispatch the request properly to the
> tomcat where the user was logged on.  But if the user hits another webapp,
> the JSESSIONID is not present anymore and the dispatcher applies its
> round-robin logic to dispatch the request to any tomcat.  It nullifies the
> effect of the single signon.  There are two problems that prevent it from working.
> 
> 1. On the Tomcat side, the generateSessionId() method of
>    org.apache.catalina.authenticator.AuthenticatorBase does not append
>    the jvmRoute of the Engine if one is specified.  So when a user changes
>    webapp, the web connector dispatcher does not have any information to
>    properly route the request;
> 
> 2. The current loadbalancer code specifically looks for the JSESSIONID cookie
>    and does not look for a JSESSIONIDSSO cookie.
> 
> I could provide a patch to org.apache.catalina.authenticator.AuthenticatorBase
> to add the jvmRoute to the session id; in fact it is a copy of the code from
> org.apache.catalina.session.ManagerBase.
> 
> The change in:
> 
> 	./jk/native/common/jk_lb_worker.c
> 	./jk/native2/common/jk_requtil.c
> 
> is also trivial, first the connector must look for the JSESSIONID cookie (or
> param), and if not found it should look for the JSESSIONIDSSO cookie (or
> param).  Then the same logic should be applied if either one is found.
> 
> Comments?
> 
> 

