You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Jerry Malcolm <2n...@gmail.com> on 2011/12/21 21:39:59 UTC
Login fails, then works subsequently (Tomcat 7)
About a month ago, I upgraded two different servers from TC 5 to TC 7. The
migration went cleanly, and everything has been working fine with the
exception of one thing. About 50% of the time, when I log in to the realm
for my web app (form-based login), the login will fail. When I try again
with the same id/pw it works. I can then log out and log back in
repeatedly with no problem. But if I come back later and try to log on
again, same things. Fails once, and then passes.
My authentication configuration hasn't changed for years on these webapps,
and this has worked solid on TC 5. My database (MySQL) hasn't changed, and
the user tables are unchanged. The only thing that has changed is TC 5-
-->TC 7. And the problem has hit both servers, completely independent of
each other, other than they both got the TC 7 upgrade.
First of all, has anyone ever heard of this situation? Second, any idea
how where/how to turn on detailed tracing/logging of the authentication
calls to see what might be going on in the authentication code in TC? The
only information I'm getting is that the id/pw were not correct. But
again, same id/pw becomes correct when I submit it a 2nd time.
The one thing I didn't change was the MySQL connector. Should that have
been changed for TC 7? (Just guessing now)
Suggestions for how to proceed?
Thx.
Jerry
Re: Login fails, then works subsequently (Tomcat 7)
Posted by Daniel Mikusa <dm...@vmware.com>.
On Wed, 2011-12-21 at 12:39 -0800, Jerry Malcolm wrote:
> About a month ago, I upgraded two different servers from TC 5 to TC 7. The
> migration went cleanly, and everything has been working fine with the
> exception of one thing. About 50% of the time, when I log in to the realm
> for my web app (form-based login), the login will fail. When I try again
> with the same id/pw it works. I can then log out and log back in
> repeatedly with no problem. But if I come back later and try to log on
> again, same things. Fails once, and then passes.
>
> My authentication configuration hasn't changed for years on these webapps,
> and this has worked solid on TC 5. My database (MySQL) hasn't changed, and
> the user tables are unchanged. The only thing that has changed is TC 5-
> -->TC 7. And the problem has hit both servers, completely independent of
> each other, other than they both got the TC 7 upgrade.
>
> First of all, has anyone ever heard of this situation? Second, any idea
> how where/how to turn on detailed tracing/logging of the authentication
> calls to see what might be going on in the authentication code in TC?
My first thought would be to capture the HTTP traffic from a good and
bad request and compare the two.
Before digging in further, I'd want to make sure that both requests were
identical. Since, if the requests are not the same, that could
certainly account for the difference in behavior.
Wireshark is helpful for capturing and analyzing the packets.
Dan
> The
> only information I'm getting is that the id/pw were not correct. But
> again, same id/pw becomes correct when I submit it a 2nd time.
>
> The one thing I didn't change was the MySQL connector. Should that have
> been changed for TC 7? (Just guessing now)
>
> Suggestions for how to proceed?
>
> Thx.
>
> Jerry
Re: Login fails, then works subsequently (Tomcat 7)
Posted by Pid * <pi...@pidster.com>.
On 22 Dec 2011, at 02:22, Brian Burch <br...@pingtoo.com> wrote:
> On 22/12/11 06:39, Jerry Malcolm wrote:
>> About a month ago, I upgraded two different servers from TC 5 to TC 7. The
>> migration went cleanly, and everything has been working fine with the
>> exception of one thing. About 50% of the time, when I log in to the realm
>> for my web app (form-based login), the login will fail. When I try again
>> with the same id/pw it works. I can then log out and log back in
>> repeatedly with no problem. But if I come back later and try to log on
>> again, same things. Fails once, and then passes.
>>
>> My authentication configuration hasn't changed for years on these webapps,
>> and this has worked solid on TC 5. My database (MySQL) hasn't changed, and
>> the user tables are unchanged. The only thing that has changed is TC 5-
>> -->TC 7. And the problem has hit both servers, completely independent of
>> each other, other than they both got the TC 7 upgrade.
>>
>> First of all, has anyone ever heard of this situation? Second, any idea
>> how where/how to turn on detailed tracing/logging of the authentication
>> calls to see what might be going on in the authentication code in TC? The
>> only information I'm getting is that the id/pw were not correct. But
>> again, same id/pw becomes correct when I submit it a 2nd time.
>>
>> The one thing I didn't change was the MySQL connector. Should that have
>> been changed for TC 7? (Just guessing now)
>>
>> Suggestions for how to proceed?
>>
>> Thx.
>>
>> Jerry
>>
>
> When I was working on a NonLoginAuthenticator problem with the SingleSignOn Valve, I noticed behaviour similar to that described when interacting with FormAuthenticator.
>
> I didn't want to get side-tracked from my primary problem, so I didn't investigate it thoroughly. I also have a bad memory, but I /think/ I remember the symptoms were caused by the browser sending an SSO cookie associated with a session which had previously expired. The login failure was because the FormAuthenticator did not handle this situation gracefully. As you discovered, the second attempt is successful because the SingleSignOn Valve deletes the expired cookie as part of the initial error response. This means the second login attempt proceeds without the browser sending any SSO cookies and so starts again "from scratch".
>
> Of course, if you haven't enabled SSO, then all the above is narrative is irrelevant! On the other hand, if you have enabled SSO, then you can confirm my theory with either a wireshark trace, or by turning on debug logging for SSO and FormAuthenticator - both classes provide detailed logging, but it isn't very helpful unless you understand the logic flow and interactions between these two classes.
>
> I think it should be possible to make the handling of expired SSO cookies more more graceful, i.e. bounce directly back to the login form rather than display the error response.
That's interesting.
I don't think reverting to the login page after form submission will
fly, but maybe a bad SSO cookie could be handled better.
Reproducible?
p
> However, if only you and me care about it, then I have more important things to work on!
>
> Regards,
>
> Brian
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Login fails, then works subsequently (Tomcat 7)
Posted by Brian Burch <br...@pingtoo.com>.
On 22/12/11 06:39, Jerry Malcolm wrote:
> About a month ago, I upgraded two different servers from TC 5 to TC 7. The
> migration went cleanly, and everything has been working fine with the
> exception of one thing. About 50% of the time, when I log in to the realm
> for my web app (form-based login), the login will fail. When I try again
> with the same id/pw it works. I can then log out and log back in
> repeatedly with no problem. But if I come back later and try to log on
> again, same things. Fails once, and then passes.
>
> My authentication configuration hasn't changed for years on these webapps,
> and this has worked solid on TC 5. My database (MySQL) hasn't changed, and
> the user tables are unchanged. The only thing that has changed is TC 5-
> -->TC 7. And the problem has hit both servers, completely independent of
> each other, other than they both got the TC 7 upgrade.
>
> First of all, has anyone ever heard of this situation? Second, any idea
> how where/how to turn on detailed tracing/logging of the authentication
> calls to see what might be going on in the authentication code in TC? The
> only information I'm getting is that the id/pw were not correct. But
> again, same id/pw becomes correct when I submit it a 2nd time.
>
> The one thing I didn't change was the MySQL connector. Should that have
> been changed for TC 7? (Just guessing now)
>
> Suggestions for how to proceed?
>
> Thx.
>
> Jerry
>
When I was working on a NonLoginAuthenticator problem with the
SingleSignOn Valve, I noticed behaviour similar to that described when
interacting with FormAuthenticator.
I didn't want to get side-tracked from my primary problem, so I didn't
investigate it thoroughly. I also have a bad memory, but I /think/ I
remember the symptoms were caused by the browser sending an SSO cookie
associated with a session which had previously expired. The login
failure was because the FormAuthenticator did not handle this situation
gracefully. As you discovered, the second attempt is successful because
the SingleSignOn Valve deletes the expired cookie as part of the initial
error response. This means the second login attempt proceeds without the
browser sending any SSO cookies and so starts again "from scratch".
Of course, if you haven't enabled SSO, then all the above is narrative
is irrelevant! On the other hand, if you have enabled SSO, then you can
confirm my theory with either a wireshark trace, or by turning on debug
logging for SSO and FormAuthenticator - both classes provide detailed
logging, but it isn't very helpful unless you understand the logic flow
and interactions between these two classes.
I think it should be possible to make the handling of expired SSO
cookies more more graceful, i.e. bounce directly back to the login form
rather than display the error response. However, if only you and me care
about it, then I have more important things to work on!
Regards,
Brian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Login fails, then works subsequently (Tomcat 7)
Posted by Daniel Mikusa <dm...@vmware.com>.
>The http trace would show if the id/pw were different. But that would
>pretty much imply that the browser is messing up what it sends. I guess
>that's always a possibility.
Not necessarily, the browser will send things other than the login and
password like headers and cookies.
>But I haven't changed browsers in months.
>And it's sending a saved id/pw in all cases. the login form appears, and
>the id/pw is already filled in.
You could be right, but garbage in equals garbage out so it's worth verifying.
Especially when it's pretty painless to do. If you're using Firefox there are
plugins that can help like TamperData and Live HTTP Headers.
Dan
On Wed, Dec 21, 2011 at 4:01 PM, Chema <de...@gmail.com> wrote:
> You can try to set traces into the code of your realm class, if it's a
> custom realm : to watch the query executed , to watch the
> user/password passed from browser, to catch exceptions and print stack
> trace ...
> If you dont have a custom realm, you can try to create one for testing
>
> Can you paste your server.xml conf ? Only realm parts (all), without
> sensible data
>
> Good luck
>
>
>
> 2011/12/21 Jerry Malcolm <2n...@gmail.com>:
> > About a month ago, I upgraded two different servers from TC 5 to TC 7.
> The
> > migration went cleanly, and everything has been working fine with the
> > exception of one thing. About 50% of the time, when I log in to the
> realm
> > for my web app (form-based login), the login will fail. When I try again
> > with the same id/pw it works. I can then log out and log back in
> > repeatedly with no problem. But if I come back later and try to log on
> > again, same things. Fails once, and then passes.
> >
> > My authentication configuration hasn't changed for years on these
> webapps,
> > and this has worked solid on TC 5. My database (MySQL) hasn't changed,
> and
> > the user tables are unchanged. The only thing that has changed is TC 5-
> > -->TC 7. And the problem has hit both servers, completely independent of
> > each other, other than they both got the TC 7 upgrade.
> >
> > First of all, has anyone ever heard of this situation? Second, any idea
> > how where/how to turn on detailed tracing/logging of the authentication
> > calls to see what might be going on in the authentication code in TC?
> The
> > only information I'm getting is that the id/pw were not correct. But
> > again, same id/pw becomes correct when I submit it a 2nd time.
> >
> > The one thing I didn't change was the MySQL connector. Should that have
> > been changed for TC 7? (Just guessing now)
> >
> > Suggestions for how to proceed?
> >
> > Thx.
> >
> > Jerry
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Login fails, then works subsequently (Tomcat 7)
Posted by Pid <pi...@pidster.com>.
On 22/12/2011 04:51, Caldarale, Charles R wrote:
>> From: Hassan Schroeder [mailto:hassan.schroeder@gmail.com]
>> Subject: Re: Login fails, then works subsequently (Tomcat 7)
>
>> No "testWhileIdle" / "validationQuery" settings?
>
>> 10 to 1 you've got stale connections in your pool
>
> Did we just go off on a tangent? Isn't the OP talking about logging into Tomcat, not logging into the SQL server?
>
> Also, we still don't know which <Realm> the OP is using; the only hint we have is the statement: "I'm just using the default auth code in TC", which would seem to imply the UserDatabaseRealm. What is it really?
...and "My database (MySQL) hasn't changed, and the user tables are
unchanged."
p
> - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
--
[key:62590808]
RE: Login fails, then works subsequently (Tomcat 7)
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Hassan Schroeder [mailto:hassan.schroeder@gmail.com]
> Subject: Re: Login fails, then works subsequently (Tomcat 7)
> No "testWhileIdle" / "validationQuery" settings?
> 10 to 1 you've got stale connections in your pool
Did we just go off on a tangent? Isn't the OP talking about logging into Tomcat, not logging into the SQL server?
Also, we still don't know which <Realm> the OP is using; the only hint we have is the statement: "I'm just using the default auth code in TC", which would seem to imply the UserDatabaseRealm. What is it really?
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Login fails, then works subsequently (Tomcat 7)
Posted by Pid * <pi...@pidster.com>.
On 21 Dec 2011, at 22:52, Chema <de...@gmail.com> wrote:
>> 10 to 1 you've got stale connections in your pool; first try fails, second
>> one gets a fresh connection
>
> I thought the same
>
>
> autoReconnect
> Should the driver try to re-establish stale and/or dead connections?
Nope. Like Hassan said, use a validation query. If you're using MySQL
then "/* ping */ SELECT 1" will work.
p
PS @Chema - you've been around here long enough now to know better
than to keep top-posting.
> If enabled the driver will throw an exception for a queries issued on
> a stale or dead connection, which belong to the current transaction,
> but will attempt reconnect before the next query issued on the
> connection in a new transaction. The use of this feature is not
> recommended, because it has side effects related to session state and
> data consistency when applications don't handle SQLExceptions
> properly,
>
>
> http://dev.mysql.com/doc/refman/5.1/en/connector-j-reference-configuration-properties.html
>
>
> You can implement your own realm extending DataSourceRealm and
> overriding authenticate() method with your traces . And don't forget
> to call super.authenticate().
>
> More info:
> http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#DataSourceRealm
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Login fails, then works subsequently (Tomcat 7)
Posted by Chema <de...@gmail.com>.
> 10 to 1 you've got stale connections in your pool; first try fails, second
> one gets a fresh connection
I thought the same
autoReconnect
Should the driver try to re-establish stale and/or dead connections?
If enabled the driver will throw an exception for a queries issued on
a stale or dead connection, which belong to the current transaction,
but will attempt reconnect before the next query issued on the
connection in a new transaction. The use of this feature is not
recommended, because it has side effects related to session state and
data consistency when applications don't handle SQLExceptions
properly,
http://dev.mysql.com/doc/refman/5.1/en/connector-j-reference-configuration-properties.html
You can implement your own realm extending DataSourceRealm and
overriding authenticate() method with your traces . And don't forget
to call super.authenticate().
More info:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#DataSourceRealm
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Login fails, then works subsequently (Tomcat 7)
Posted by Mark Eggers <it...@yahoo.com>.
----- Original Message -----
> From: Hassan Schroeder <ha...@gmail.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Cc:
> Sent: Wednesday, December 21, 2011 2:40 PM
> Subject: Re: Login fails, then works subsequently (Tomcat 7)
>
> On Wed, Dec 21, 2011 at 2:23 PM, Jerry Malcolm <2n...@gmail.com>
> wrote:
>> Here is the line from <GlobalNamingResources> in server.xml:
>
> No "testWhileIdle" / "validationQuery" settings?
>
> 10 to 1 you've got stale connections in your pool; first try fails, second
> one gets a fresh connection and away you go.
>
> Just a WAG -- no idea why you'd only see this after upgrading.
>
I seem to recall an issue with using autoReconnect with pooled connections. According to the MySQL bug database, it's recommended to not use autoReconnect (see for example http://bugs.mysql.com/bug.php?id=5020 at the end).
I recommend the validationQuery approach and testWhileIdle Hassan mentioned above.
I have no idea as well why this would suddenly pop up in Tomcat 7.0.x as opposed to Tomcat 5.5.x.
Using pools with at least a validationQuery for authentication addresses a host of other issues concerning authentication / authorization that arises due to the frequency / infrequency of requests when compared to normal application database requests.
There was a long discussion concerning those issues on the mailing list some time back. Look for "problems at thejarbar.org" - I think that was the thread.
. . . just my two cents.
/mde/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Login fails, then works subsequently (Tomcat 7)
Posted by Hassan Schroeder <ha...@gmail.com>.
On Wed, Dec 21, 2011 at 2:23 PM, Jerry Malcolm <2n...@gmail.com> wrote:
> Here is the line from <GlobalNamingResources> in server.xml:
No "testWhileIdle" / "validationQuery" settings?
10 to 1 you've got stale connections in your pool; first try fails, second
one gets a fresh connection and away you go.
Just a WAG -- no idea why you'd only see this after upgrading.
--
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
http://about.me/hassanschroeder
twitter: @hassan
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Login fails, then works subsequently (Tomcat 7)
Posted by Jerry Malcolm <2n...@gmail.com>.
Here is the line from <GlobalNamingResources> in server.xml:
<Resource name="jdbc/aaaaaaaaaaaaaaaaaaaa.com" auth="Container"
type="javax.sql.DataSource" maxActive="100" maxIdle="30" maxWait="10000"
removeAbandoned="true" removeAbandonedTimeout="60" logAbandoned="true"
username="*******" password="*********"
driverClassName="com.mysql.jdbc.Driver" url="jdbc:mysql://
127.0.0.1/aaaaaaaaa?autoReconnect=true"/>
The http trace would show if the id/pw were different. But that would
pretty much imply that the browser is messing up what it sends. I guess
that's always a possibility. But I haven't changed browsers in months.
And it's sending a saved id/pw in all cases. the login form appears, and
the id/pw is already filled in. I hit enter. I get the logon-failed form,
I hit enter again, and it logs me in. I just don't see how the browser
after all of these years would just all of a sudden start sending bad id/pw
once, and the start coincides with new version of TC. Again, I guess
anything could happen. But I think it's unlikely. This worked fine for
years with the same db and the same browsers. Drop in a new TC and it
starts failing.
I don't have a custom realm. I'm just using the default auth code in TC.
I'm not really excited about writing my own realm code for this or
modifying TC source and rebuilding TC from scratch. Anybody got a jar file
I can drop in that has realm debug stuff already in it?
Thanks.
Jerry
On Wed, Dec 21, 2011 at 4:01 PM, Chema <de...@gmail.com> wrote:
> You can try to set traces into the code of your realm class, if it's a
> custom realm : to watch the query executed , to watch the
> user/password passed from browser, to catch exceptions and print stack
> trace ...
> If you dont have a custom realm, you can try to create one for testing
>
> Can you paste your server.xml conf ? Only realm parts (all), without
> sensible data
>
> Good luck
>
>
>
> 2011/12/21 Jerry Malcolm <2n...@gmail.com>:
> > About a month ago, I upgraded two different servers from TC 5 to TC 7.
> The
> > migration went cleanly, and everything has been working fine with the
> > exception of one thing. About 50% of the time, when I log in to the
> realm
> > for my web app (form-based login), the login will fail. When I try again
> > with the same id/pw it works. I can then log out and log back in
> > repeatedly with no problem. But if I come back later and try to log on
> > again, same things. Fails once, and then passes.
> >
> > My authentication configuration hasn't changed for years on these
> webapps,
> > and this has worked solid on TC 5. My database (MySQL) hasn't changed,
> and
> > the user tables are unchanged. The only thing that has changed is TC 5-
> > -->TC 7. And the problem has hit both servers, completely independent of
> > each other, other than they both got the TC 7 upgrade.
> >
> > First of all, has anyone ever heard of this situation? Second, any idea
> > how where/how to turn on detailed tracing/logging of the authentication
> > calls to see what might be going on in the authentication code in TC?
> The
> > only information I'm getting is that the id/pw were not correct. But
> > again, same id/pw becomes correct when I submit it a 2nd time.
> >
> > The one thing I didn't change was the MySQL connector. Should that have
> > been changed for TC 7? (Just guessing now)
> >
> > Suggestions for how to proceed?
> >
> > Thx.
> >
> > Jerry
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Login fails, then works subsequently (Tomcat 7)
Posted by Chema <de...@gmail.com>.
You can try to set traces into the code of your realm class, if it's a
custom realm : to watch the query executed , to watch the
user/password passed from browser, to catch exceptions and print stack
trace ...
If you dont have a custom realm, you can try to create one for testing
Can you paste your server.xml conf ? Only realm parts (all), without
sensible data
Good luck
2011/12/21 Jerry Malcolm <2n...@gmail.com>:
> About a month ago, I upgraded two different servers from TC 5 to TC 7. The
> migration went cleanly, and everything has been working fine with the
> exception of one thing. About 50% of the time, when I log in to the realm
> for my web app (form-based login), the login will fail. When I try again
> with the same id/pw it works. I can then log out and log back in
> repeatedly with no problem. But if I come back later and try to log on
> again, same things. Fails once, and then passes.
>
> My authentication configuration hasn't changed for years on these webapps,
> and this has worked solid on TC 5. My database (MySQL) hasn't changed, and
> the user tables are unchanged. The only thing that has changed is TC 5-
> -->TC 7. And the problem has hit both servers, completely independent of
> each other, other than they both got the TC 7 upgrade.
>
> First of all, has anyone ever heard of this situation? Second, any idea
> how where/how to turn on detailed tracing/logging of the authentication
> calls to see what might be going on in the authentication code in TC? The
> only information I'm getting is that the id/pw were not correct. But
> again, same id/pw becomes correct when I submit it a 2nd time.
>
> The one thing I didn't change was the MySQL connector. Should that have
> been changed for TC 7? (Just guessing now)
>
> Suggestions for how to proceed?
>
> Thx.
>
> Jerry
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org