Posted to users@tomcat.apache.org by Aaron R <aa...@gmail.com> on 2014/12/04 19:35:29 UTC

Single Sign On Replication with New Tomcat Cluster Nodes

Hello,

I have a Tomcat cluster (7.0.42) that is configured to use the DeltaManager
for session replication. It also uses the ClusterSingleSignOn valve for SSO
and for propagating authentication to the other nodes in the cluster. If I
log into Tomcat1, the session state and the single sign on state are
successfully replicated to Tomcat2, so that when Tomcat1 goes down, the
load balancer switches me to Tomcat2, and I am still authenticated and am
able to access other applications on the server.

The problem I'm having is that if a new node (Tomcat3) is then brought up
after I have logged in, that new node does not appear to get any SSO state
replicated to it, as I get a 403 error when trying to access a different
application on the server. The regular session state is correctly
replicated to it, but I don't seem to have SSO authentication on this new
server.

Should this scenario work? Is it possible to get the single sign on state
propagated to nodes that come online after the user has logged in?

I see one instance of someone mentioning a similar issue in passing a while
back (
http://mail-archives.apache.org/mod_mbox/tomcat-users/200809.mbox/%3C15060d5e0809211745s522af93bv153367d9183c6e5e%40mail.gmail.com%3E),
but I didn't see any followup after that.

Thanks,
Aaron

Re: Single Sign On Replication with New Tomcat Cluster Nodes

Posted by Aaron R <aa...@gmail.com>.
Great, thanks for taking a look. I've submitted a bug report for
replicating the SingleSignOnEntry cache data here:
https://issues.apache.org/bugzilla/show_bug.cgi?id=57338

On Tue, Dec 9, 2014 at 9:23 PM, Keiichi Fujino <kf...@apache.org> wrote:

> I examined the code of ClusterSingleSignOn.
> This behavior seems to be a bug.
> There seem to be some other problems.
> a) When a new node is started, the SingleSignOnEntry cache is not
> replicated (as you mentioned).
> b) ClusterSingleSignOn does not implement ClusterValve.
> c) BackupManager is not supported.
> d) There is no documentation.
>
> In order to resolve problem a), the SingleSignOnEntry cache must be
> synchronized between cluster nodes at startup.
> Please open a bug entry for a).
>
> 2014-12-05 3:35 GMT+09:00 Aaron R <aa...@gmail.com>:
>
> > Hello,
> >
> > I have a Tomcat cluster (7.0.42) that is configured to use the DeltaManager
> > for session replication. It also uses the ClusterSingleSignOn valve for SSO
> > and for propagating authentication to the other nodes in the cluster. If I
> > log into Tomcat1, the session state and the single sign on state are
> > successfully replicated to Tomcat2, so that when Tomcat1 goes down, the
> > load balancer switches me to Tomcat2, and I am still authenticated and am
> > able to access other applications on the server.
> >
> > The problem I'm having is that if a new node (Tomcat3) is then brought up
> > after I have logged in, that new node does not appear to get any SSO state
> > replicated to it, as I get a 403 error when trying to access a different
> > application on the server. The regular session state is correctly
> > replicated to it, but I don't seem to have SSO authentication on this new
> > server.
> >
> > Should this scenario work? Is it possible to get the single sign on state
> > propagated to nodes that come online after the user has logged in?
> >
> > I see one instance of someone mentioning a similar issue in passing a while
> > back (
> > http://mail-archives.apache.org/mod_mbox/tomcat-users/200809.mbox/%3C15060d5e0809211745s522af93bv153367d9183c6e5e%40mail.gmail.com%3E
> > ),
> > but I didn't see any followup after that.
> >
> > Thanks,
> > Aaron
> >
> > --
> > Keiichi.Fujino
> >
>

Re: Single Sign On Replication with New Tomcat Cluster Nodes

Posted by Keiichi Fujino <kf...@apache.org>.
I examined the code of ClusterSingleSignOn.
This behavior seems to be a bug.
There seem to be some other problems.
a) When a new node is started, the SingleSignOnEntry cache is not
replicated (as you mentioned).
b) ClusterSingleSignOn does not implement ClusterValve.
c) BackupManager is not supported.
d) There is no documentation.

In order to resolve problem a), the SingleSignOnEntry cache must be
synchronized between cluster nodes at startup.
Please open a bug entry for a).

2014-12-05 3:35 GMT+09:00 Aaron R <aa...@gmail.com>:

> Hello,
>
> I have a Tomcat cluster (7.0.42) that is configured to use the DeltaManager
> for session replication. It also uses the ClusterSingleSignOn valve for SSO
> and for propagating authentication to the other nodes in the cluster. If I
> log into Tomcat1, the session state and the single sign on state are
> successfully replicated to Tomcat2, so that when Tomcat1 goes down, the
> load balancer switches me to Tomcat2, and I am still authenticated and am
> able to access other applications on the server.
>
> The problem I'm having is that if a new node (Tomcat3) is then brought up
> after I have logged in, that new node does not appear to get any SSO state
> replicated to it, as I get a 403 error when trying to access a different
> application on the server. The regular session state is correctly
> replicated to it, but I don't seem to have SSO authentication on this new
> server.
>
> Should this scenario work? Is it possible to get the single sign on state
> propagated to nodes that come online after the user has logged in?
>
> I see one instance of someone mentioning a similar issue in passing a while
> back (
>
> http://mail-archives.apache.org/mod_mbox/tomcat-users/200809.mbox/%3C15060d5e0809211745s522af93bv153367d9183c6e5e%40mail.gmail.com%3E
> ),
> but I didn't see any followup after that.
>
> Thanks,
> Aaron
>
> --
> Keiichi.Fujino
>
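
The gap discussed in this thread, as an added toy model that is not Tomcat code and not from either poster: an SSO cache that is only broadcast at login time leaves a node that joins later without the entry, while copying the cache at join time closes the gap. The class names, the `stateTransfer` flag, the SSO id and the principal are all constructed for illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Toy model (not Tomcat code): a per-node SSO cache replicated only by broadcast. */
public class SsoJoinGapDemo {

    /** One cluster member with its own SSO cache: ssoId -> principal name. */
    static class Node {
        final String name;
        final Map<String, String> ssoCache = new HashMap<>();
        Node(String name) { this.name = name; }

        /** Mirrors the symptom in the thread: no SSO entry means the request is refused. */
        int access(String ssoId) { return ssoCache.containsKey(ssoId) ? 200 : 403; }
    }

    static class Cluster {
        final List<Node> members = new ArrayList<>();

        /** Login: the new entry is sent only to the members present at this moment. */
        void login(String ssoId, String principal) {
            for (Node n : members) n.ssoCache.put(ssoId, principal);
        }

        /** Join: with stateTransfer, the newcomer first copies an existing member's cache. */
        void join(Node newcomer, boolean stateTransfer) {
            if (stateTransfer && !members.isEmpty()) {
                newcomer.ssoCache.putAll(members.get(0).ssoCache);
            }
            members.add(newcomer);
        }
    }

    /** Replays the scenario from the first post and returns Tomcat3's response status. */
    static int run(boolean stateTransfer) {
        Cluster cluster = new Cluster();
        cluster.join(new Node("Tomcat1"), stateTransfer);
        cluster.join(new Node("Tomcat2"), stateTransfer);
        cluster.login("sso-constructed-1", "user1"); // constructed sample values
        Node tomcat3 = new Node("Tomcat3");
        cluster.join(tomcat3, stateTransfer);        // comes up after the login
        return tomcat3.access("sso-constructed-1");
    }

    public static void main(String[] args) {
        System.out.println("broadcast only:         " + run(false));
        System.out.println("state transfer on join: " + run(true));
    }
}
```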