Posted to users@tomee.apache.org by renz <re...@areasante.com> on 2016/10/04 08:18:29 UTC

How to share identity between several TomEE servers

Hi,

We have a Remote EJB application (only Stateless EJB) with our own JAAS
LoginModule deployed on several servers.
Each server is running a TomEE 1.7.1 instance and nginx as a reverse proxy.
There is also a hardware load-balancing device.

The load-balancer is configured to redirect according to IP address.
The problem is that if a server is down, the client application (developed
by ourselves) will be redirected to a new server and get this error:



I would like to know if it is possible to share identity between all
servers, using a database, a shared directory or anything else.

Thanks. 



--
View this message in context: http://tomee-openejb.979440.n4.nabble.com/How-to-share-identity-between-several-TomEE-servers-tp4680280.html
Sent from the TomEE Users mailing list archive at Nabble.com.

Re: How to share identity between several TomEE servers

Posted by Romain Manni-Bucau <rm...@gmail.com>.
PS: https://issues.apache.org/jira/browse/TOMEE-1952


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Wordpress Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2016-10-04 16:49 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:

> Yes, was the idea of the proposal
>
>
>
> 2016-10-04 16:39 GMT+02:00 renz <re...@areasante.com>:
>
>> In my case, I think we'll keep the parameter to 'false'.
>>
>> I don't know what really happens behind the scenes but maybe
>> 'org.apache.openejb.client.EJBObjectHandler._handleBusinessMethodResponse'
>> could be improved by adding a 'ResponseCodes.AUTH_DENIED' case like
>> below:
>>
>>
>>
>>
>>
>>
>
>

Re: How to share identity between several TomEE servers

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Yes, was the idea of the proposal



2016-10-04 16:39 GMT+02:00 renz <re...@areasante.com>:

> In my case, I think we'll keep the parameter to 'false'.
>
> I don't know what really happens behind the scenes but maybe
> 'org.apache.openejb.client.EJBObjectHandler._handleBusinessMethodResponse'
> could be improved by adding a 'ResponseCodes.AUTH_DENIED' case like below:
>
>
>
>
>
>

Re: How to share identity between several TomEE servers

Posted by renz <re...@areasante.com>.
In my case, I think we'll keep the parameter to 'false'.

I don't know what really happens behind the scenes but maybe
'org.apache.openejb.client.EJBObjectHandler._handleBusinessMethodResponse'
could be improved by adding a 'ResponseCodes.AUTH_DENIED' case like below:






Re: How to share identity between several TomEE servers

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Expected an explicit message at least. That said if you want to enhance
this error handling to support your case a pull-request would be welcomed
and can still hit the coming 7.0.2



2016-10-04 14:13 GMT+02:00 renz <re...@areasante.com>:

> Exceptions are replaced by a RemoteException in
> EJBObjectHandler._handleBusinessMethodResponse (see 'default' below).
>
>
>
>
>
>

Re: How to share identity between several TomEE servers

Posted by renz <re...@areasante.com>.
Exceptions are replaced by a RemoteException in
EJBObjectHandler._handleBusinessMethodResponse (see 'default' below).






Re: How to share identity between several TomEE servers

Posted by Romain Manni-Bucau <rm...@gmail.com>.
2016-10-04 13:58 GMT+02:00 renz <re...@areasante.com>:

> OK for the 1st point.
> For the 2nd point, at the moment, we have a specific process on client side
> according to the LoginException nested in AuthenticationException. With
> that property we have access neither to AuthenticationException nor
> LoginException.
>
>
What do you have exactly? I'm no longer sure of the type and it will likely
be something more generic but you should see where it comes from.


> Maybe, we should forget to use this property and replace it by a reconnect
> process on client side.
>

Depends on your application. Originally this property was there to allow
contextual security data to work (otherwise you lose it once you are
logged in).


> Do we need to explicitly log out from ejbd session? InitialContext.close?
>
>
yes


> Thank you.
>
>
>
>
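
The reconnect process discussed in this exchange, as an added example that is not part of the original thread or TomEE's own code: the client logs in by creating the InitialContext and, when a call fails in a way the caller classifies as a lost session, closes the context, logs in again and retries once. The class name, the `Work` interface and the `sessionLost` predicate are hypothetical (the thread does not show the exact exception raised after failover); the factory class and JNDI keys are the usual OpenEJB remote-client settings.

```java
import java.util.Properties;
import java.util.function.Predicate;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Hypothetical client helper: log in again and retry once when the session is lost. */
public final class ReconnectingEjbClient implements AutoCloseable {

    /** Work done against a logged-in context: look the bean up, then call it. */
    public interface Work<T> { T run(Context ctx) throws Exception; }

    private final Properties env = new Properties();
    private final Predicate<Exception> sessionLost; // assumption: caller decides what "lost" means
    private Context ctx;

    public ReconnectingEjbClient(String url, String user, String password,
                                 Predicate<Exception> sessionLost) {
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "org.apache.openejb.client.RemoteInitialContextFactory");
        env.put(Context.PROVIDER_URL, url);              // the load-balanced endpoint
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Alternative from the thread: authenticate on every call instead of reconnecting.
        // env.put("openejb.ejbd.authenticate-with-request", "true");
        this.sessionLost = sessionLost;
    }

    public synchronized <T> T call(Work<T> work) throws Exception {
        if (ctx == null) ctx = new InitialContext(env);  // login
        try {
            return work.run(ctx);                        // business call
        } catch (Exception e) {
            if (!sessionLost.test(e)) throw e;           // unrelated failure: do not retry
            close();                                     // drop the stale session
            ctx = new InitialContext(env);               // login on whichever server answers now
            return work.run(ctx);                        // fresh lookup, single retry
        }
    }

    @Override
    public synchronized void close() {
        if (ctx == null) return;
        try { ctx.close(); } catch (NamingException ignored) { /* server may be gone */ }
        ctx = null;                                      // context closed: logged out
    }
}
```

Lookups are done inside `Work` so that the retry obtains its proxy from the new context.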

Re: How to share identity between several TomEE servers

Posted by Romain Manni-Bucau <rm...@gmail.com>.
ejbd protocol does normally:

auth();
business();


this flag makes it log in with the request, kind of:

authThenBusiness();


It is more reliable with security frameworks because it is compatible with
ThreadLocal often used in impls.



2017-06-20 16:01 GMT+02:00 amol.p.dongare <ad...@3ds.com>:

> this trick works, however
>
> before setting this property when I debug my ejbclient it was showing
> following information
> *ClientMetaData Object which shows clientIdentity (UUID) and
> ProtocolMetaData Object values*
>
> However after setting *openejb.ejbd.authenticate-with-request=true* it
> shows
> *ClientMetaData Object=null and ProtocolMetaData Object=null*
>
> What are the consequences of this? Does this mean after setting this
> property remote clients are no longer authenticated during business call?
>
>
>
>
>
>
>

Re: How to share identity between several TomEE servers

Posted by "amol.p.dongare" <ad...@3ds.com>.
this trick works, however 

before setting this property when I debug my ejbclient it was showing
following information
*ClientMetaData Object which shows clientIdentity (UUID) and
ProtocolMetaData Object values*

However after setting *openejb.ejbd.authenticate-with-request=true* it shows
*ClientMetaData Object=null and ProtocolMetaData Object=null*

What are the consequences of this? Does this mean after setting this
property remote clients are no longer authenticated during business call?







Re: How to share identity between several TomEE servers

Posted by renz <re...@areasante.com>.
OK for the 1st point.
For the 2nd point, at the moment, we have a specific process on client side
according to the LoginException nested in AuthenticationException. With that
property we have access neither to AuthenticationException nor
LoginException.

Maybe, we should forget to use this property and replace it by a reconnect
process on client side.
Do we need to explicitly log out from ejbd session? InitialContext.close?

Thank you.




Re: How to share identity between several TomEE servers

Posted by Romain Manni-Bucau <rm...@gmail.com>.
2016-10-04 11:42 GMT+02:00 renz <re...@areasante.com>:

> Hi Romain,
>
> Thank you very much. It seems to do the trick.
>
> 1. What is the purpose of this property?
>
>
By default ejbd uses a session so the flow is something like:

a. login
b. do business calls
c. logout

If b is 1000000 calls you still have had a single a (and will get a
single c)

With this property the flow is a,b,c for each invocation but a and c are no
longer needed globally. In other words you authenticate where the request
ends each time.


> 2. I have a side effect. If my login module throws a FailedLoginException, I
> get the exception below when I create the InitialContext. Without
> 'openejb.ejbd.authenticate-with-request=true', FailedLoginException was
> nested in an 'AuthenticationException'
>
>
>
With that property you log in with a business call, no longer with an
authentication phase, so it doesn't shock or surprise me much. Is that an issue?


>
> Any idea?
>
>
>
>

Re: How to share identity between several TomEE servers

Posted by renz <re...@areasante.com>.
Hi Romain,

Thank you very much. It seems to do the trick.

1. What is the purpose of this property?

2. I have a side effect. If my login module throws a FailedLoginException, I
get the exception below when I create the InitialContext. Without
'openejb.ejbd.authenticate-with-request=true', FailedLoginException was
nested in an 'AuthenticationException'



Any idea?




Re: How to share identity between several TomEE servers

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi

Maybe try adding in the client properties
openejb.ejbd.authenticate-with-request=true

(see https://issues.apache.org/jira/browse/TOMEE-997)



2016-10-04 10:18 GMT+02:00 renz <re...@areasante.com>:

> Hi,
>
> We have a Remote EJB application (only Stateless EJB) with our own JAAS
> LoginModule deployed on several servers.
> Each server is running a TomEE 1.7.1 instance and nginx as a reverse proxy.
> There is also a hardware load-balancing device.
>
> The load-balancer is configured to redirect according to IP address.
> The problem is that if a server is down, the client application (developed
> by ourselves) will be redirected to a new server and get this error:
>
>
>
> I would like to know if it is possible to share identity between all
> servers, using a database, a shared directory or anything else.
>
> Thanks.
>
>
>
>