Posted to users@tomcat.apache.org by Tanmoy Chatterjee <Ta...@nxp.com> on 2013/02/19 15:56:21 UTC

Question regarding JNDIRealm - tomcat 6.0.35

Hello,
Technical Stack: Apache Tomcat v 6.0.35
OS : RHEL 5.3 64 bits
java version "1.6.0_18" 32 bits

I am using Realm className="org.apache.catalina.realm.JNDIRealm" for connecting to LDAP.

Is there any configuration to prevent the default connection to LDAP happening on Tomcat start?
If I have to write my own code for doing this which method should I be overriding?

Thanks and Regards,
Tanmoy Chatterjee
Technology Advancement | room 0.14, High Tech Campus 60,  5656AA, Eindhoven, NL
Tel: +31402728844


Re: Question regarding JNDIRealm - tomcat 6.0.35

Posted by Ognjen Blagojevic <og...@gmail.com>.
André,

On 25.2.2013 14:53, André Warnier wrote:
> Yes, but as soon as Tomcat would try to write to (or read from) that
> connection, it would immediately get an error, no ?
>
> So to say that in the meantime "tomcat keeps on trying" one of these
> connections doesn't seem to fit, or ?

In a regular situation, if the LDAP server receives a packet that does not 
match any established connection, and that packet is not a SYN, it 
would respond with an RST packet, causing a "Connection reset" on the Tomcat side.

However, if there is no connection reset from the LDAP server, that might 
imply that packets are being dropped. If the LDAP server (or any device in 
between) simply drops TCP packets after the connection is dropped, 
the Tomcat server will try to send the same data packet over and over again. 
The delay between two retries will be exponentially increased, until it 
reaches a certain limit (e.g. 64s), when the Tomcat server would finally send 
the RST packet itself and give up. That would explain a delay of several minutes.

I think that Wireshark or tcpdump would help to diagnose what is really 
going on on the network level.

-Ognjen


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Question regarding JNDIRealm - tomcat 6.0.35

Posted by André Warnier <aw...@ice-sa.com>.
Ognjen Blagojevic wrote:
> André,
> 
> On 25.2.2013 10:34, André Warnier wrote:
>> So, on the face of it, there seems to be a contradiction between you
>> saying on the one hand that the LDAP server closes the connection, and
>> on the other hand that netstat shows the connection still being active.
> 
> A TCP connection is established until one of the endpoints terminates it. 
> If one endpoint dies before it terminates the connection, or if there is 
> a NAT in between which times out the connection due to inactivity, that 
> may result in one endpoint seeing that TCP connection as "ESTABLISHED", 
> while the other endpoint does not see the connection at all (or sees it as 
> closed).
> 
> Related info here:
> 
> http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/#overview
> 

Yes, but as soon as Tomcat would try to write to (or read from) that connection, it would 
immediately get an error, no ?

So to say that in the meantime "tomcat keeps on trying" one of these connections doesn't 
seem to fit, or ?




Re: Question regarding JNDIRealm - tomcat 6.0.35

Posted by Ognjen Blagojevic <og...@gmail.com>.
André,

On 25.2.2013 10:34, André Warnier wrote:
> So, on the face of it, there seems to be a contradiction between you
> saying on the one hand that the LDAP server closes the connection, and
> on the other hand that netstat shows the connection still being active.

A TCP connection is established until one of the endpoints terminates it. 
If one endpoint dies before it terminates the connection, or if there is 
a NAT in between which times out the connection due to inactivity, that 
may result in one endpoint seeing that TCP connection as "ESTABLISHED", 
while the other endpoint does not see the connection at all (or sees it as 
closed).

Related info here:

http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/#overview

-Ognjen



RE: Question regarding JNDIRealm - tomcat 6.0.35

Posted by Tanmoy Chatterjee <Ta...@nxp.com>.
As I said, we do not have much visibility / access on the LDAP side to do a deep dive. Neither am I a networking expert but some more info on what actually happens (application - netstat log) when I say...tomcat(or JVM as you say) keeps on trying the 'broken' connection..
tcp        0     81 ::ffff:1.2.3.4:59356  ::ffff:4.3.2.1:636    ESTABLISHED 5009       587231913  on (51.70/14/0)
tcp        0     81 ::ffff:1.2.3.4:59356  ::ffff:4.3.2.1:636    ESTABLISHED 5009       587231913  on (49.55/14/0)
tcp        0     81 ::ffff:1.2.3.4:59356  ::ffff:4.3.2.1:636    ESTABLISHED 5009       587231913  on (47.39/14/0)
tcp        0     81 ::ffff:1.2.3.4:59356  ::ffff:4.3.2.1:636    ESTABLISHED 5009       587231913  on (45.23/14/0)
tcp        0     81 ::ffff:1.2.3.4:59356  ::ffff:4.3.2.1:636    ESTABLISHED 5009       587231913  on (43.08/14/0)
tcp        0     81 ::ffff:1.2.3.4:59356  ::ffff:4.3.2.1:636    ESTABLISHED 5009       587231913  on (40.93/14/0)
tcp        0     81 ::ffff:1.2.3.4:59356  ::ffff:4.3.2.1:636    ESTABLISHED 5009       587231913  on (38.77/14/0)
tcp        0     81 ::ffff:1.2.3.4:59356  ::ffff:4.3.2.1:636    ESTABLISHED 5009       587231913  on (36.61/14/0)
tcp        0     81 ::ffff:1.2.3.4:59356  ::ffff:4.3.2.1:636    ESTABLISHED 5009       587231913  on (34.45/14/0)

This keeps on going till the point a new connection is established as below...
tcp        0      0 ::ffff:1.2.3.4:56309  ::ffff:4.3.2.1:636    ESTABLISHED 5009       587536364  off (0.00/0/0)

1.2.3.4 - app ip
4.3.2.1 - ldap ip

You can see the timer part changing. Do you get any idea as to what exactly might be happening?


-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Monday, February 25, 2013 10:34 AM
To: Tomcat Users List
Subject: Re: Question regarding JNDIRealm - tomcat 6.0.35

Tanmoy Chatterjee wrote:
> We are not using openldap but eDirectory. Unfortunately we do not have access to the ldap configurations...only information we have is that after about 2 mins of idle connection, ldap drops the same from its side. But if we look on the app server side using netstat, we can still see the same connection.

Just a comment on what you say above :
When "Tomcat" opens a connection, it is really the JVM under which Tomcat runs which does that, or in some cases some native code library.  And this JVM / native library uses the OS TCP/IP stack to do that.

What you see with netstat is the status of connections at the OS level.
In other words, if netstat says that a connection is "established", then that is what it is, and any code in Tomcat will see it that way, and has no way to see it otherwise.

So, on the face of it, there seems to be a contradiction between you saying on the one hand that the LDAP server closes the connection, and on the other hand that netstat shows the connection still being active.






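The "ESTABLISHED but stalled" sockets in the netstat output above, together with the retransmission back-off Ognjen describes in his reply (earlier on this page), as an added example that is not code from the thread: a small Python script that parses the `netstat -o` timer column, flags sockets stuck in retransmission, and estimates how long such a socket has already been stalled. The initial RTO of 0.2 s and the 64 s cap are assumed illustrative values, not measured ones.

```python
"""Added example (not from the thread): parse netstat -tnoe style lines and model
the retransmission back-off that makes a dead LDAP connection stall for minutes."""
import re
from dataclasses import dataclass

# Constructed sample, in the shape of the lines posted in the thread
# (app server 1.2.3.4, LDAP server 4.3.2.1:636).
SAMPLE = """\
tcp        0     81 ::ffff:1.2.3.4:59356  ::ffff:4.3.2.1:636    ESTABLISHED 5009       587231913  on (51.70/14/0)
tcp        0     81 ::ffff:1.2.3.4:59356  ::ffff:4.3.2.1:636    ESTABLISHED 5009       587231913  on (49.55/14/0)
tcp        0      0 ::ffff:1.2.3.4:56309  ::ffff:4.3.2.1:636    ESTABLISHED 5009       587536364  off (0.00/0/0)
"""

# With -o, netstat prints a timer column: "<type> (<countdown>/<retransmits>/<keepalives>)".
# Type "on" is the retransmission timer; "off" means no timer is pending.
LINE_RE = re.compile(
    r"^tcp6?\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>\S+)(?:\s+\d+\s+\d+)?"  # optional user and inode columns (-e)
    r"\s+(?P<timer>on|off|keepalive|timewait|probe)"
    r"\s+\((?P<secs>[\d.]+)/(?P<retries>\d+)/(?P<probes>\d+)\)\s*$"
)


@dataclass
class Conn:
    local: str
    remote: str
    state: str
    sendq: int
    timer: str
    countdown: float
    retries: int


def parse_netstat(text):
    """Parse netstat lines; lines without a timer column are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(m["local"], m["remote"], m["state"], int(m["sendq"]),
                              m["timer"], float(m["secs"]), int(m["retries"])))
    return conns


def stuck_connections(conns, min_retries=1):
    """An ESTABLISHED socket with unacked bytes in Send-Q and a running retransmission
    timer is the 'broken but still ESTABLISHED' case from the thread: the peer is gone
    (or a middlebox dropped the mapping) and nobody sent a RST."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and c.timer == "on"
            and c.sendq > 0 and c.retries >= min_retries]


def backoff_schedule(retries, initial_rto=0.2, cap=64.0):
    """Retransmission delays: the RTO doubles on every retry until it hits the cap.
    initial_rto and cap are assumed illustrative values (the thread mentions a 64 s
    limit; Linux itself caps at 120 s and stops after tcp_retries2, default 15)."""
    return [min(initial_rto * 2 ** i, cap) for i in range(retries)]


def time_already_spent(retries, initial_rto=0.2, cap=64.0):
    """Lower bound on how long a socket with `retries` retransmits has been stalled."""
    return sum(backoff_schedule(retries, initial_rto, cap))


if __name__ == "__main__":
    for c in stuck_connections(parse_netstat(SAMPLE)):
        print(f"{c.local} -> {c.remote}: {c.retries} retransmits, "
              f"stalled >= {time_already_spent(c.retries):.0f} s")
```

With the sample lines the two sockets at retransmit count 14 come out as stalled for at least about seven minutes under the assumed schedule, which is the order of magnitude of the 4-5 minute login hang reported in the thread.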


Re: Question regarding JNDIRealm - tomcat 6.0.35

Posted by André Warnier <aw...@ice-sa.com>.
Tanmoy Chatterjee wrote:
> We are not using openldap but eDirectory. Unfortunately we do not have access to the ldap configurations...only information we have is that after about 2 mins of idle connection, ldap drops the same from its side. But if we look on the app server side using netstat, we can still see the same connection.

Just a comment on what you say above :
When "Tomcat" opens a connection, it is really the JVM under which Tomcat runs which does 
that, or in some cases some native code library.  And this JVM / native library uses the 
OS TCP/IP stack to do that.

What you see with netstat is the status of connections at the OS level.
In other words, if netstat says that a connection is "established", then that is what it 
is, and any code in Tomcat will see it that way, and has no way to see it otherwise.

So, on the face of it, there seems to be a contradiction between you saying on the one 
hand that the LDAP server closes the connection, and on the other hand that netstat shows 
the connection still being active.




RE: Question regarding JNDIRealm - tomcat 6.0.35

Posted by Tanmoy Chatterjee <Ta...@nxp.com>.
We are not using openldap but eDirectory. Unfortunately we do not have access to the ldap configurations...only information we have is that after about 2 mins of idle connection, ldap drops the same from its side. But if we look on the app server side using netstat, we can still see the same connection.
Regarding the connection, you are right in terms of the number of times tomcat tries to connect..it is 2....what I meant when tomcat keeps on trying is that tomcat tries to use the same 'BROKEN' connection to connect to the LDAP without creating a new connection for 4-5 mins.

By the way....The below code worked successfully.
  @Override
  public void start() throws org.apache.catalina.LifecycleException {
      super.start();
      // Drop the connection opened by JNDIRealm.start(); it is reopened on demand.
      if (context != null) {
          close(context);
      }
  }

-----Original Message-----
From: Cédric Couralet [mailto:cedric.couralet@gmail.com] 
Sent: Wednesday, February 20, 2013 3:15 PM
To: Tomcat Users List
Subject: Re: Question regarding JNDIRealm - tomcat 6.0.35

2013/2/20 Tanmoy Chatterjee <Ta...@nxp.com>:
> Thanks Cédric, I will try this and let you know.
> Once Ldap closes the connection from its end, tomcat indeed keeps on trying and finally establishes a new connection....but the time spent in retrying is too high (more than 4-5 minutes) and in that time...user cannot login....the login page just sort of hangs in the browser.
>

I'd say this is more a problem with openldap. Do you know why tomcat hangs to recreate the connection when openldap closes it? Do you have anything in openldap configuration which could explain this?

We are at the moment migrating our old ldap server to openldap and this could be a real issue for us.

Just a note, from what I see, Tomcat does not keep on trying. A first attempt is made on the context then if an exception is thrown, it is caught and tomcat calls the open method again (which tries first the connectionURL and then the alternateUrl if there is a problem). So only two attempts if I'm not wrong.







Re: Question regarding JNDIRealm - tomcat 6.0.35

Posted by Cédric Couralet <ce...@gmail.com>.
2013/2/20 Tanmoy Chatterjee <Ta...@nxp.com>:
> Thanks Cédric, I will try this and let you know.
> Once Ldap closes the connection from its end, tomcat indeed keeps on trying and finally establishes a new connection....but the time spent in retrying is too high (more than 4-5 minutes) and in that time...user cannot login....the login page just sort of hangs in the browser.
>

I'd say this is more a problem with openldap. Do you know why tomcat
hangs to recreate the connection when openldap closes it? Do you have
anything in openldap configuration which could explain this?

We are at the moment migrating our old ldap server to openldap and
this could be a real issue for us.

Just a note, from what I see, Tomcat does not keep on trying. A first
attempt is made on the context then if an exception is thrown, it is
caught and tomcat calls the open method again (which tries first the
connectionURL and then the alternateUrl if there is a problem). So only two
attempts if I'm not wrong.



RE: Question regarding JNDIRealm - tomcat 6.0.35

Posted by Tanmoy Chatterjee <Ta...@nxp.com>.
Thanks Cédric, I will try this and let you know.
Once Ldap closes the connection from its end, tomcat indeed keeps on trying and finally establishes a new connection....but the time spent in retrying is too high (more than 4-5 minutes) and in that time...user cannot login....the login page just sort of hangs in the browser. (Probably at the OS level tcp connection timeout etc can be set but I don't want to change any OS parameter because of only this issue). Hence the need to have this workaround unless someone can suggest something smarter apart from ignoring.


-----Original Message-----
From: Cédric Couralet [mailto:cedric.couralet@gmail.com] 
Sent: Wednesday, February 20, 2013 1:05 PM
To: Tomcat Users List
Subject: Re: Question regarding JNDIRealm - tomcat 6.0.35

2013/2/20 Tanmoy Chatterjee <Ta...@nxp.com>:
> Hello Cédric,
> The reason I want to do this is as follows:
> I am facing the problem already expressed in 
> https://issues.apache.org/bugzilla/show_bug.cgi?id=33774
> I see that the bug status shows as Fixed, however I still get the same Issue on the Stack mentioned earlier.
>
> Hence what I have done is that I have already extended the JNDIRealm 
> class (CustomJNDIRealm) to disconnect as soon as authentication is 
> successful. (ref: 
> http://stackoverflow.com/questions/10911897/tomcat-7-0-14-ldap-authent
> ication)
>
> public class CustomJNDIRealm extends JNDIRealm {
>   @Override
>   public Principal authenticate(String username, String credentials) {
>     Principal principal = super.authenticate(username, credentials);
>
>     if (context != null) {
>       close(context);
>     }
>     return principal;
>   }
> }
>
> Have tested this and I see it to be working great except a small problem.
> After tomcat starts successfully and remains idle i.e. let's say there is no user who logs in (gets authenticated) for 5-10 mins...I face the same issue as mentioned in the above bug. This is because the initial connection to the LDAP exists and the above overridden authenticate () doesn't get called. Hence I want to prevent the initial connection started by tomcat to LDAP as well.
> I am looking for some good way of doing this only on tomcat start-up and not all the other times.
> What I am not able to understand is why Tomcat doesn't allow configurable parameters to either select / deselect the Realm connections on startup.



So you don't mind the initial connection but want to close it as soon as possible. Then what about writing a custom start method in your CustomJNDIRealm based on your overriding of the authenticate method :


@Override
public void start() throws LifecycleException {
    super.start();
    if (context != null) {
        close(context);
    }
}


To come back to the root of the problem. In tomcat6, there is a chance an exception is thrown with JNDIRealm when no user has tried to log in in a certain time.

That exception is logged at a WARNING level and I tend to ignore them because tomcat retries anyway. I don't think you should do anything just to avoid those.

Hope this helps,
Cédric







Re: Question regarding JNDIRealm - tomcat 6.0.35

Posted by Cédric Couralet <ce...@gmail.com>.
2013/2/20 Tanmoy Chatterjee <Ta...@nxp.com>:
> Hello Cédric,
> The reason I want to do this is as follows:
> I am facing the problem already expressed in https://issues.apache.org/bugzilla/show_bug.cgi?id=33774
> I see that the bug status shows as Fixed, however I still get the same Issue on the Stack mentioned earlier.
>
> Hence what I have done is that I have already extended the JNDIRealm class (CustomJNDIRealm) to disconnect as soon as authentication is successful. (ref: http://stackoverflow.com/questions/10911897/tomcat-7-0-14-ldap-authentication)
>
> public class CustomJNDIRealm extends JNDIRealm {
>   @Override
>   public Principal authenticate(String username, String credentials) {
>     Principal principal = super.authenticate(username, credentials);
>
>     if (context != null) {
>       close(context);
>     }
>     return principal;
>   }
> }
>
> Have tested this and I see it to be working great except a small problem.
> After tomcat starts successfully and remains idle i.e. let's say there is no user who logs in (gets authenticated) for 5-10 mins...I face the same issue as mentioned in the above bug. This is because the initial connection to the LDAP exists and the above overridden authenticate () doesn't get called. Hence I want to prevent the initial connection started by tomcat to LDAP as well.
> I am looking for some good way of doing this only on tomcat start-up and not all the other times.
> What I am not able to understand is why Tomcat doesn't allow configurable parameters to either select / deselect the Realm connections on startup.



So you don't mind the initial connection but want to close it as soon
as possible. Then what about writing a custom start method in your
CustomJNDIRealm based on your overriding of the authenticate method :


@Override
public void start() throws LifecycleException {
    super.start();
    if (context != null) {
        close(context);
    }
}


To come back to the root of the problem. In tomcat6, there is a chance
an exception is thrown with JNDIRealm when no user has tried to log in
in a certain time.

That exception is logged at a WARNING level and I tend to ignore them
because tomcat retries anyway. I don't think you should do anything
just to avoid those.

Hope this helps,
Cédric



RE: Question regarding JNDIRealm - tomcat 6.0.35

Posted by Tanmoy Chatterjee <Ta...@nxp.com>.
Hello Cédric,
The reason I want to do this is as follows:
I am facing the problem already expressed in https://issues.apache.org/bugzilla/show_bug.cgi?id=33774
I see that the bug status shows as Fixed, however I still get the same Issue on the Stack mentioned earlier.

Hence what I have done is that I have already extended the JNDIRealm class (CustomJNDIRealm) to disconnect as soon as authentication is successful. (ref: http://stackoverflow.com/questions/10911897/tomcat-7-0-14-ldap-authentication)

import java.security.Principal;
import org.apache.catalina.realm.JNDIRealm;

public class CustomJNDIRealm extends JNDIRealm {
  @Override
  public Principal authenticate(String username, String credentials) {
    Principal principal = super.authenticate(username, credentials);

    // Close the LDAP context right after authentication so no idle connection is kept.
    if (context != null) {
      close(context);
    }
    return principal;
  }
}

Have tested this and I see it to be working great except a small problem.
After tomcat starts successfully and remains idle i.e. let's say there is no user who logs in (gets authenticated) for 5-10 mins...I face the same issue as mentioned in the above bug. This is because the initial connection to the LDAP exists and the above overridden authenticate () doesn't get called. Hence I want to prevent the initial connection started by tomcat to LDAP as well.
I am looking for some good way of doing this only on tomcat start-up and not all the other times.
What I am not able to understand is why Tomcat doesn't allow configurable parameters to either select / deselect the Realm connections on startup.
Thanks






-----Original Message-----
From: Cédric Couralet [mailto:cedric.couralet@gmail.com] 
Sent: Wednesday, February 20, 2013 10:57 AM
To: Tomcat Users List
Subject: Re: Question regarding JNDIRealm - tomcat 6.0.35

2013/2/19 Tanmoy Chatterjee <Ta...@nxp.com>:
> Hello,
> Technical Stack: Apache Tomcat v 6.0.35
> OS : RHEL 5.3 64 bits
> java version "1.6.0_18" 32 bits
>
> I am using Realm className="org.apache.catalina.realm.JNDIRealm" for connecting to LDAP.
>
> Is there any configuration to prevent the default connection to LDAP happening on Tomcat start?
> If I have to write my own code for doing this which method should I be overriding?
>

Hello,

By pure curiosity, why would you want that?

The validation happens in the start method of JNDIRealm :
// Validate that we can open our connection
try {
    open();
} catch (NamingException e) {
    throw new LifecycleException(sm.getString("jndiRealm.open"), e);
}

My first attempt was to override this method in a custom Class which inherits from JNDIRealm. This obviously can't work short of rewriting the complete call to super.start().

Or, but I didn't test nor do I know if it is good (or even valid) java, you could try by overriding this method like that :

@Override
public void start() throws LifecycleException {
    ((RealmBase) this).start();
}







Re: Question regarding JNDIRealm - tomcat 6.0.35

Posted by Cédric Couralet <ce...@gmail.com>.
2013/2/19 Tanmoy Chatterjee <Ta...@nxp.com>:
> Hello,
> Technical Stack: Apache Tomcat v 6.0.35
> OS : RHEL 5.3 64 bits
> java version "1.6.0_18" 32 bits
>
> I am using Realm className="org.apache.catalina.realm.JNDIRealm" for connecting to LDAP.
>
> Is there any configuration to prevent the default connection to LDAP happening on Tomcat start?
> If I have to write my own code for doing this which method should I be overriding?
>

Hello,

By pure curiosity, why would you want that?

The validation happens in the start method of JNDIRealm :
// Validate that we can open our connection
try {
    open();
} catch (NamingException e) {
    throw new LifecycleException(sm.getString("jndiRealm.open"), e);
}

My first attempt was to override this method in a custom Class which
inherits from JNDIRealm. This obviously can't work short of rewriting
the complete call to super.start().

Or, but I didn't test nor do I know if it is good (or even valid)
java, you could try by overriding this method like that :

@Override
public void start() throws LifecycleException {
    ((RealmBase) this).start();
}
