Posted to users@tomcat.apache.org by Luc DALLEMANE <ld...@alaloop.com> on 2015/01/30 14:45:21 UTC

JDBC authentication problem

Hi,


I'm facing a problem with my web application.


I'm using Tomcat 7.0.56, Java 1.8, Postgres 9.4 and Debian 7.

The application is configured as follows:


The web server is located in a DMZ.

The database server is located in our LAN.

To communicate with each other, a firewall has been set up (Cisco ASA firewall).


To authenticate a user to the website, I use the Tomcat JDBC Realm.


At the beginning, everything works fine, but after about an hour of inactivity, it's impossible to authenticate again:

The Tomcat process seems to be running but doesn't log anything and doesn't answer any other requests.


The firewall is rejecting the connection with the following message: Deny TCP (no connection) from WEB/50790 to DB/5432 FIN ACK on interface DMZ_clients


I thought the problem was that, after a while, if Tomcat connexions were not used, the firewall would drop them.

So, I tried to add "keepAlive" time-outs (Tomcat side, Postgres side) but none of them worked:


Here is the Tomcat context.xml:


<Resource name="jdbc/elkar" auth="Container"
          type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
          url="jdbc:postgresql://10.2.1.128/elkar" username="asa"
          password="mei!z60Hm" maxActive="100" maxIdle="20" maxWait="10000" maxAge="60000"
          removeAbandoned="true" removeAbandonedTimeout="60" keepAlive="true" autoReconnect="true"
/>


The postgresql.conf:


# - TCP Keepalives -
# see "man 7 tcp" for details

#tcp_keepalives_idle = 300              # TCP_KEEPIDLE, in seconds;
                                        # 0 selects the system default
#tcp_keepalives_interval = 0            # TCP_KEEPINTVL, in seconds;
                                        # 0 selects the system default
#tcp_keepalives_count = 0


And finally, the sysctl.conf:


net.ipv4.tcp_keepalive_time = 900
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 9



Before that, the application was tested without using the firewall and everything worked fine.


If you have any idea of why this is happening, I haven't found a solution yet.


Regards, Luc D.


Re: JDBC authentication problem

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Luc,

On 2/5/15 5:25 AM, Luc DALLEMANE wrote:
> The keep alive on postgres was already setup, but was not working.
> However, I finally found a workaround.
> 
> I'm using the tomcat connexion pool, but For the authentication,
> Tomcat is creating its own connexion and does not use the pool (and
> seems to use the same connexion all along the session).
> 
> So I think that's was why it was dropped by the firewall after a
> while, and when we restarted tomcat, the connexion was recreated
> and it worked again.
> 
> To resolve this problem, we override Tomcat's authenticate method.
> We made our own open function which uses the postgres driver and is
> called in the authenticate. We do not use the getPassword and
> getRoles function, because they used the Tomcat's "global"
> connexion.
> 
> With this, we are now able to connect to the site even after a long
> period of inactivity.
> 
> Thank you for your help, and maybe this could help someone else.

None of that should be necessary /at all/. Did you switch-over to
using the DataSourceRealm or not?

JDBCRealm is pretty stupid.

-chris

> ________________________________________
> From: Felix Schumacher <fe...@internetallee.de>
> Sent: Wednesday, 4 February 2015 20:11
> To: Tomcat Users List
> Subject: Re: JDBC authentication problem
>
> On 04.02.2015 at 14:21, Luc DALLEMANE wrote:
>> Hi,
>> 
>> I'm back again with the problem :)
>> 
>> Firstly, I add the validationQuery and it works and I can see it
>> in postgres logs.
>> 
>> But still not able to login after a while of inactivity....
>> 
>> Now, after 15 min of waiting, I'm getting a socket connexion
>> timeout, but seems logic after such a long period of trying to
>> connect.
>> 
>> Thank you again for your ideas and haven't found a solution.
> You might try to enable keepalive on your postgresql connection.
> Connection properties can be specified with the attribute
> "connectionProperties" (at least according to
> http://commons.apache.org/proper/commons-dbcp/configuration.html)
> or in the jdbc url jdbc://...?tcpKeepAlive=true. You can even
> specify the timeout for connecting to your database.
> 
> Regards Felix
>> 
>> Regards, Luc.
>> ________________________________________
>> From: Konstantin Kolinko <kn...@gmail.com>
>> Sent: Tuesday, 3 February 2015 12:33
>> To: Tomcat Users List
>> Subject: Re: JDBC authentication problem
>>
>> 2015-02-03 14:29 GMT+03:00 Luc DALLEMANE <ld...@alaloop.com>:
>>> Hi,
>>>
>>> Thanks for the reply, I tried to add the options you told me
>>> about (testWhileIdle, timeBetweenEvictionRunsMillis, and
>>> maxConnLifetimeMillis), but I'm still unable to log after an
>>> hour ...
>> Do you have validationQuery configured?  testOnBorrow,
>> testWhileIdle do not work without it.
>> 
>> 
>> Best regards, Konstantin Kolinko
>> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
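
The setup the replies point toward (DataSourceRealm on a pooled DataSource, a validationQuery, and TCP keepalive on the PostgreSQL connection), written out as a Tomcat 7 context.xml. This is an added example, not configuration posted by anyone in the thread; the resource name jdbc/authDB, the host db.example.internal, the account auth_ro and the users/user_roles table and column names are placeholders.

```xml
<!-- Added example for Tomcat 7 with its bundled commons-dbcp 1.x pool.
     All names, the host and the password below are placeholders. -->
<Context>

  <!-- A second DataSource used only for authentication, as suggested in
       the thread. A dedicated account that can only read the two realm
       tables keeps the web tier's database rights to a minimum.

       url:   tcpKeepAlive=true makes the PostgreSQL driver set SO_KEEPALIVE
              on its socket; without it the kernel keepalive sysctls are
              never applied to this connection. socketTimeout (seconds)
              bounds a read on a connection the firewall has silently
              dropped, so a login fails over instead of hanging.

       validationQuery + testOnBorrow: every connection is checked before
              the realm uses it; a dead one is discarded and replaced.

       testWhileIdle + timeBetweenEvictionRunsMillis: the evictor thread
              runs the validationQuery on idle connections every 60 s,
              which also generates traffic through the firewall.

       minEvictableIdleTimeMillis: idle connections older than 10 minutes
              are closed, well inside the one hour after which the
              failures appeared. -->
  <Resource name="jdbc/authDB" auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.example.internal:5432/elkar?tcpKeepAlive=true&amp;socketTimeout=30"
            username="auth_ro"
            password="CHANGE_ME"
            maxActive="10" maxIdle="2" maxWait="10000"
            validationQuery="SELECT 1"
            testOnBorrow="true"
            testWhileIdle="true"
            timeBetweenEvictionRunsMillis="60000"
            minEvictableIdleTimeMillis="600000"
            removeAbandoned="true" removeAbandonedTimeout="60" />

  <!-- DataSourceRealm borrows a connection from the pool for each
       authentication instead of holding one long-lived connection the
       way JDBCRealm does. localDataSource="true" because the Resource
       is declared in this Context, not in GlobalNamingResources. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authDB"
         localDataSource="true"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name" />

</Context>
```

With tcpKeepAlive=true the probe timing comes from the web server's own net.ipv4.tcp_keepalive_time, which has to be shorter than the firewall's idle timeout for the probes to keep the flow open.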


RE: JDBC authentication problem

Posted by Felix Schumacher <fe...@internetallee.de>.

On 5 February 2015 11:25:13 CET, Luc DALLEMANE <ld...@alaloop.com> wrote:
>Hi,
>
>The keep alive on postgres was already setup, but was not working.
>However, I finally found a workaround.
>
>I'm using the tomcat connexion pool, but For the authentication, Tomcat
>is creating its own connexion and does not use the pool (and seems to
>use the same connexion all along the session).

Which realm do you use? 

Felix
>
>So I think that's was why it was dropped by the firewall after a while,
>and when we restarted tomcat, the connexion was recreated and it worked
>again.
>
>To resolve this problem, we override Tomcat's authenticate method. We
>made our own open function which uses the postgres driver and is called
>in the authenticate.
>We do not use the getPassword and getRoles function, because they used
>the Tomcat's "global" connexion.
>
>With this, we are now able to connect to the site even after a long
>period of inactivity.
>
>Thank you for your help, and maybe this could help someone else.
>
>Regards, Luc.
>________________________________________
>From: Felix Schumacher <fe...@internetallee.de>
>Sent: Wednesday, 4 February 2015 20:11
>To: Tomcat Users List
>Subject: Re: JDBC authentication problem
>
>On 04.02.2015 at 14:21, Luc DALLEMANE wrote:
>> Hi,
>>
>> I'm back again with the problem :)
>>
>> Firstly, I add the validationQuery and it works and I can see it in
>> postgres logs.
>>
>> But still not able to login after a while of inactivity....
>>
>> Now, after 15 min of waiting, I'm getting a socket connexion timeout,
>> but seems logic after such a long period of trying to connect.
>>
>> Thank you again for your ideas and haven't found a solution.
>You might try to enable keepalive on your postgresql connection.
>Connection properties can be specified with the attribute
>"connectionProperties" (at least according to
>http://commons.apache.org/proper/commons-dbcp/configuration.html) or in
>the jdbc url jdbc://...?tcpKeepAlive=true. You can even specify the
>timeout for connecting to your database.
>
>Regards
>  Felix
>>
>> Regards, Luc.
>> ________________________________________
>> From: Konstantin Kolinko <kn...@gmail.com>
>> Sent: Tuesday, 3 February 2015 12:33
>> To: Tomcat Users List
>> Subject: Re: JDBC authentication problem
>>
>> 2015-02-03 14:29 GMT+03:00 Luc DALLEMANE <ld...@alaloop.com>:
>>> Hi,
>>>
>>> Thanks for the reply, I tried to add the options you told me about
>>> (testWhileIdle, timeBetweenEvictionRunsMillis, and
>>> maxConnLifetimeMillis), but I'm still unable to log after an hour ...
>> Do you have validationQuery configured?  testOnBorrow, testWhileIdle
>> do not work without it.
>>
>>
>> Best regards,
>> Konstantin Kolinko
>>


RE: JDBC authentication problem

Posted by Luc DALLEMANE <ld...@alaloop.com>.
Hi,

The keep alive on postgres was already set up, but was not working. However, I finally found a workaround.

I'm using the tomcat connexion pool, but for the authentication, Tomcat is creating its own connexion and does not use the pool (and seems to use the same connexion all along the session).

So I think that was why it was dropped by the firewall after a while, and when we restarted tomcat, the connexion was recreated and it worked again.

To resolve this problem, we override Tomcat's authenticate method. We made our own open function which uses the postgres driver and is called in the authenticate.
We do not use the getPassword and getRoles function, because they used the Tomcat's "global" connexion.

With this, we are now able to connect to the site even after a long period of inactivity.

Thank you for your help, and maybe this could help someone else.

Regards, Luc.
________________________________________
From: Felix Schumacher <fe...@internetallee.de>
Sent: Wednesday, 4 February 2015 20:11
To: Tomcat Users List
Subject: Re: JDBC authentication problem

On 04.02.2015 at 14:21, Luc DALLEMANE wrote:
> Hi,
>
> I'm back again with the problem :)
>
> Firstly, I add the validationQuery and it works and I can see it in postgres logs.
>
> But still not able to login after a while of inactivity....
>
> Now, after 15 min of waiting, I'm getting a socket connexion timeout, but seems logic after such a long period of trying to connect.
>
> Thank you again for your ideas and haven't found a solution.
You might try to enable keepalive on your postgresql connection.
Connection properties can be specified with the attribute
"connectionProperties" (at least according to
http://commons.apache.org/proper/commons-dbcp/configuration.html) or in
the jdbc url jdbc://...?tcpKeepAlive=true. You can even specify the
timeout for connecting to your database.

Regards
  Felix
>
> Regards, Luc.
> ________________________________________
> From: Konstantin Kolinko <kn...@gmail.com>
> Sent: Tuesday, 3 February 2015 12:33
> To: Tomcat Users List
> Subject: Re: JDBC authentication problem
>
> 2015-02-03 14:29 GMT+03:00 Luc DALLEMANE <ld...@alaloop.com>:
>> Hi,
>>
>> Thanks for the reply, I tried to add the options you told me about (testWhileIdle, timeBetweenEvictionRunsMillis, and maxConnLifetimeMillis), but I'm still unable to log after an hour ...
> Do you have validationQuery configured?  testOnBorrow, testWhileIdle
> do not work without it.
>
>
> Best regards,
> Konstantin Kolinko
>


Re: JDBC authentication problem

Posted by Felix Schumacher <fe...@internetallee.de>.
On 04.02.2015 at 14:21, Luc DALLEMANE wrote:
> Hi,
>
> I'm back again with the problem :)
>
> Firstly, I add the validationQuery and it works and I can see it in postgres logs.
>
> But still not able to login after a while of inactivity....
>
> Now, after 15 min of waiting, I'm getting a socket connexion timeout, but seems logic after such a long period of trying to connect.
>
> Thank you again for your ideas and haven't found a solution.
You might try to enable keepalive on your postgresql connection.
Connection properties can be specified with the attribute
"connectionProperties" (at least according to
http://commons.apache.org/proper/commons-dbcp/configuration.html) or in
the jdbc url jdbc://...?tcpKeepAlive=true. You can even specify the
timeout for connecting to your database.

Regards
  Felix
>
> Regards, Luc.
> ________________________________________
> From: Konstantin Kolinko <kn...@gmail.com>
> Sent: Tuesday, 3 February 2015 12:33
> To: Tomcat Users List
> Subject: Re: JDBC authentication problem
>
> 2015-02-03 14:29 GMT+03:00 Luc DALLEMANE <ld...@alaloop.com>:
>> Hi,
>>
>> Thanks for the reply, I tried to add the options you told me about (testWhileIdle, timeBetweenEvictionRunsMillis, and maxConnLifetimeMillis), but I'm still unable to log after an hour ...
> Do you have validationQuery configured?  testOnBorrow, testWhileIdle
> do not work without it.
>
>
> Best regards,
> Konstantin Kolinko
>


RE: JDBC authentication problem

Posted by Luc DALLEMANE <ld...@alaloop.com>.
Hi,

I'm back again with the problem :) 

Firstly, I add the validationQuery and it works and I can see it in postgres logs.

But still not able to login after a while of inactivity.... 

Now, after 15 min of waiting, I'm getting a socket connexion timeout, but seems logic after such a long period of trying to connect. 

Thank you again for your ideas and haven't found a solution.

Regards, Luc.
________________________________________
From: Konstantin Kolinko <kn...@gmail.com>
Sent: Tuesday, 3 February 2015 12:33
To: Tomcat Users List
Subject: Re: JDBC authentication problem

2015-02-03 14:29 GMT+03:00 Luc DALLEMANE <ld...@alaloop.com>:
> Hi,
>
> Thanks for the reply, I tried to add the options you told me about (testWhileIdle, timeBetweenEvictionRunsMillis, and maxConnLifetimeMillis), but I'm still unable to log after an hour ...

Do you have validationQuery configured?  testOnBorrow, testWhileIdle
do not work without it.


Best regards,
Konstantin Kolinko



Re: JDBC authentication problem

Posted by Konstantin Kolinko <kn...@gmail.com>.
2015-02-03 14:29 GMT+03:00 Luc DALLEMANE <ld...@alaloop.com>:
> Hi,
>
> Thanks for the reply, I tried to add the options you told me about (testWhileIdle, timeBetweenEvictionRunsMillis, and maxConnLifetimeMillis), but I'm still unable to log after an hour ...

Do you have validationQuery configured?  testOnBorrow, testWhileIdle
do not work without it.


Best regards,
Konstantin Kolinko



RE: JDBC authentication problem

Posted by Luc DALLEMANE <ld...@alaloop.com>.
Hi,

Thanks for the reply, I tried to add the options you told me about (testWhileIdle, timeBetweenEvictionRunsMillis, and maxConnLifetimeMillis), but I'm still unable to log after an hour ...

I'm having this problem for 2 weeks and still unable to find a way to go around this problem...

I thought that the firewall dropped my connexions, but no solution for this problem seems to work.

"(again I assume it is the firewall, that corrupts your connections and I assume you are using a connection pool managed by tomcat)". You were right, I'm using it.

The only thing I haven't tested is to not use the pool, but this doesn't seem a really good option for me.

I'm new to Tomcat so I don't know it very well, but this should have worked...

We are thinking of asking a guy from another company (who knows tomcat and network better than I), because nobody has a solution for this in mine.

Thank you for your help!! And if you have another idea... you're welcome again.

Regards, Luc.


________________________________________
From: Felix Schumacher <fe...@internetallee.de>
Sent: Monday, 2 February 2015 18:59
To: Tomcat Users List
Subject: Re: JDBC authentication problem

On 02.02.2015 at 17:03, Luc DALLEMANE wrote:
> Thanks for the reply,
>
> No I haven't got any exceptions, and there is no more logs until I restart tomcat manually.
>  From the web page, you can see that it keeps loading the page indefinitely... and never tells if the authentication fails or not. (This part works when I restart tomcat).
>
> I'm using the DataSourceRealm provided with Tomcat7.
First of all, I wouldn't trust the network guys :) The firewall might be
OK, but OK might mean, that it drops connections, when they are idle for
too long.

That said, you have a few options to drive around such a limitation.

You could set "testWhileIdle" to true, so that you generate network
traffic and thus keep open the firewall (again I assume it is the
firewall, that corrupts your connections and I assume you are using a
connection pool managed by tomcat). I believe you have to set
"timeBetweenEvictionRunsMillis" to a positive value, or no idle testing
will be done.

You might try the "maxConnLifetimeMillis" setting, so that old
connections from the pool will not be used.

You might try to size the pool, so that it keeps no idle connections
(but why should I use a pool then?).

Hope this helps
  Felix
>
>
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Monday, 2 February 2015 16:19
> To: Tomcat Users List
> Subject: Re: JDBC authentication problem
>
> Luc,
>
> On 2/2/15 6:11 AM, Luc DALLEMANE wrote:
>> I tried to switch to DataSourceRealm but my problem is here again.
>>
>> After a while, the authentication is still impossible. Maybe i have
>> missed something about the DataSource in the doc but I'm able to login
>> several times. It's only after about one hour of inactivity.
>>
>> The network admin looked the firewall config and told me the config
>> was OK ...
> Are there any exceptions in the log files? Or do you simply get a refused authentication? Are you using Tomcat's built-in authenticator?
> Which one?
>
> -chris


Re: JDBC authentication problem

Posted by Felix Schumacher <fe...@internetallee.de>.
On 02.02.2015 at 17:03, Luc DALLEMANE wrote:
> Thanks for the reply,
>
> No I haven't got any exceptions, and there is no more logs until I restart tomcat manually.
>  From the web page, you can see that it keeps loading the page indefinitely... and never tells if the authentication fails or not. (This part works when I restart tomcat).
>
> I'm using the DataSourceRealm provided with Tomcat7.
First of all, I wouldn't trust the network guys :) The firewall might be 
OK, but OK might mean, that it drops connections, when they are idle for 
too long.

That said, you have a few options to drive around such a limitation.

You could set "testWhileIdle" to true, so that you generate network
traffic and thus keep open the firewall (again I assume it is the
firewall, that corrupts your connections and I assume you are using a
connection pool managed by tomcat). I believe you have to set
"timeBetweenEvictionRunsMillis" to a positive value, or no idle testing
will be done.

You might try the "maxConnLifetimeMillis" setting, so that old 
connections from the pool will not be used.

You might try to size the pool, so that it keeps no idle connections 
(but why should I use a pool then?).

Hope this helps
  Felix
>
>
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Monday, 2 February 2015 16:19
> To: Tomcat Users List
> Subject: Re: JDBC authentication problem
>
> Luc,
>
> On 2/2/15 6:11 AM, Luc DALLEMANE wrote:
>> I tried to switch to DataSourceRealm but my problem is here again.
>>
>> After a while, the authentication is still impossible. Maybe i have
>> missed something about the DataSource in the doc but I'm able to login
>> several times. It's only after about one hour of inactivity.
>>
>> The network admin looked the firewall config and told me the config
>> was OK ...
> Are there any exceptions in the log files? Or do you simply get a refused authentication? Are you using Tomcat's built-in authenticator?
> Which one?
>
> -chris


RE: JDBC authentication problem

Posted by Luc DALLEMANE <ld...@alaloop.com>.
Thanks for the reply,

No I haven't got any exceptions, and there is no more logs until I restart tomcat manually.
From the web page, you can see that it keeps loading the page indefinitely... and never tells if the authentication fails or not. (This part works when I restart tomcat). 

I'm using the DataSourceRealm provided with Tomcat7.


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Monday, 2 February 2015 16:19
To: Tomcat Users List
Subject: Re: JDBC authentication problem

Luc,

On 2/2/15 6:11 AM, Luc DALLEMANE wrote:
> I tried to switch to DataSourceRealm but my problem is here again.
> 
> After a while, the authentication is still impossible. Maybe i have 
> missed something about the DataSource in the doc but I'm able to login 
> several times. It's only after about one hour of inactivity.
> 
> The network admin looked the firewall config and told me the config 
> was OK ...

Are there any exceptions in the log files? Or do you simply get a refused authentication? Are you using Tomcat's built-in authenticator?
Which one?

-chris


Re: JDBC authentication problem

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Luc,

On 2/2/15 6:11 AM, Luc DALLEMANE wrote:
> I tried to switch to DataSourceRealm but my problem is here again.
> 
> After a while, the authentication is still impossible. Maybe i
> have missed something about the DataSource in the doc but I'm able
> to login several times. It's only after about one hour of
> inactivity.
> 
> The network admin looked the firewall config and told me the
> config was OK ...

Are there any exceptions in the log files? Or do you simply get a
refused authentication? Are you using Tomcat's built-in authenticator?
Which one?

-chris


RE: JDBC authentication problem

Posted by Luc DALLEMANE <ld...@alaloop.com>.
Hi,

I tried to switch to DataSourceRealm but my problem is here again. 

After a while, the authentication is still impossible. Maybe I have missed something about the DataSource in the doc but I'm able to login several times. It's only after about one hour of inactivity.

The network admin looked at the firewall config and told me the config was OK ...

So, if you have any idea, you're welcome !

Regards, Luc.
________________________________________
From: Luc DALLEMANE <ld...@alaloop.com>
Sent: Friday, 30 January 2015 15:39
To: Tomcat Users List
Subject: RE: JDBC authentication problem

Ok, I'm going to try this.

Hope this will help to solve my problem.

Regards Luc D.


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Friday, 30 January 2015 15:24
To: Tomcat Users List
Subject: Re: JDBC authentication problem

Luc,

On 1/30/15 9:05 AM, Luc DALLEMANE wrote:
> Thanks for the reply, it is the JDBCRealm not the data source.

Your Resource configuration is therefore ignored.

The JDBCRealm should really not be used at all. Switch to DataSourceRealm. If you don't like using your application's DataSource for authentication (some folks don't), then create a second DataSource just for authentication.

The DataSourceRealm has some significant advantages, such as being able to use a configurable pool of Connections, instead of a single Connection like JDBCRealm does. This improved performance and allows for re-connections, etc. I think this will fix your immediate problem plus eliminate some other problems down the line (like performance).


-chris



RE: JDBC authentication problem

Posted by Luc DALLEMANE <ld...@alaloop.com>.
Ok, I'm going to try this. 

Hope this will help to solve my problem.

Regards Luc D.

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Friday, 30 January 2015 15:24
To: Tomcat Users List
Subject: Re: JDBC authentication problem

Luc,

On 1/30/15 9:05 AM, Luc DALLEMANE wrote:
> Thanks for the reply, it is the JDBCRealm not the data source.

Your Resource configuration is therefore ignored.

The JDBCRealm should really not be used at all. Switch to DataSourceRealm. If you don't like using your application's DataSource for authentication (some folks don't), then create a second DataSource just for authentication.

The DataSourceRealm has some significant advantages, such as being able to use a configurable pool of Connections, instead of a single Connection like JDBCRealm does. This improves performance and allows for re-connections, etc. I think this will fix your immediate problem plus eliminate some other problems down the line (like performance).

> I have set this password for test only but it will be changed when
> everything will be ok and in production. (But I didn't see I had pasted
> it ...)

Good. :)

-chris

> -----Original Message-----
> From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com]
> Sent: Friday, 30 January 2015 14:52
> To: Tomcat Users List
> Subject: Re: JDBC authentication problem
> 
> 2015-01-30 16:45 GMT+03:00 Luc DALLEMANE <ld...@alaloop.com>:
>> Hi,
>> 
>> 
>> I'm facing a problem with my web application.
>> 
>> 
>> I'm using Tomcat 7.0.56, Java 1.8, Postgres 9.4 and Debian 7.
>> 
>> The application is configured as follows :
>> 
>> 
>> The web server is located in a DMZ.
>> 
>> The database server is located in our LAN.
>> 
>> To communicate with each other, a firewall has been set up (Cisco ASA
>> firewall)
>> 
>> 
>> To authenticate a user to the website, I use the Tomcat JDBC Realm.
> 
> 1. Realm configuration =? Is it JDBCRealm or DataSourceRealm? If it is 
> the former, then your <Resource> is not used at all.
> 
> 2. Posting the actual password on a public mailing list? Consider it 
> compromised.
> 
> 
>> At the beginning, everything works fine, but after about an hour of
>> inactivity, it's impossible to authenticate again :
>> 
>> Tomcat process seems to be running but doesn't log anything and
>> doesn't answer any other requests.
>> 
>> 
>> The firewall is rejecting the connection with the following message :
>> Deny TCP (no connection) from WEB/50790 to DB/5432 FIN ACK on
>> interface DMZ_clients
>> 
>> 
>> I thought, the problem was after a while, if tomcat connections were
>> not used, the firewall would drop them.
>> 
>> So, I tried to add "keepAlive" time-outs (tomcat site, postgres side, 
>> ) but none of them worked :
>> 
>> 
>> Here is the tomcat context.xml :
>> 
>> 
>> <Resource name="jdbc/elkar" auth="Container" 
>> type="javax.sql.DataSource"
>> driverClassName="org.postgresql.Driver"
> [...]
>> />
>> 
>> 
>> The postgresql.conf :
>> 
>> 
>> # - TCP Keepalives -
>> # see "man 7 tcp" for details
>> 
>> #tcp_keepalives_idle = 300              # TCP_KEEPIDLE, in seconds;
>>                                         # 0 selects the system default
>> #tcp_keepalives_interval = 0            # TCP_KEEPINTVL, in seconds;
>>                                         # 0 selects the system default
>> #tcp_keepalives_count = 0
>> 
>> 
>> And finally, the Sysctl.conf :
>> 
>> 
>> net.ipv4.tcp_keepalive_time = 900
>> net.ipv4.tcp_keepalive_intvl = 60
>> net.ipv4.tcp_keepalive_probes = 9
>> 
>> 
>> 
>> Before that, the application was tested without using the firewall 
>> and everything worked fine.
>> 
>> 
>> If you have any idea of why this is happening, I haven't found a 
>> solution yet.
>> 
>> 
>> Regards, Luc D.
>> 


Re: JDBC authentication problem

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Luc,

On 1/30/15 9:05 AM, Luc DALLEMANE wrote:
> Thanks for the reply, it is the JDBCRealm not the data source.

Your Resource configuration is therefore ignored.

The JDBCRealm should really not be used at all. Switch to
DataSourceRealm. If you don't like using your application's DataSource
for authentication (some folks don't), then create a second DataSource
just for authentication.

The DataSourceRealm has some significant advantages, such as being
able to use a configurable pool of Connections, instead of a single
Connection like JDBCRealm does. This improves performance and allows
for re-connections, etc. I think this will fix your immediate problem
plus eliminate some other problems down the line (like performance).

> I have set this password for test only but it will be changed when
> everything will be ok and in production. (But I didn't see I had
> pasted it ...)

Good. :)

-chris

> -----Original Message-----
> From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com]
> Sent: Friday, 30 January 2015 14:52
> To: Tomcat Users List
> Subject: Re: JDBC authentication problem
> 
> 2015-01-30 16:45 GMT+03:00 Luc DALLEMANE <ld...@alaloop.com>:
>> Hi,
>> 
>> 
>> I'm facing a problem with my web application.
>> 
>> 
>> I'm using Tomcat 7.0.56, Java 1.8, Postgres 9.4 and Debian 7.
>> 
>> The application is configured as follows :
>> 
>> 
>> The web server is located in a DMZ.
>> 
>> The database server is located in our LAN.
>> 
>> To communicate with each other, a firewall has been set up (Cisco
>> ASA firewall)
>> 
>> 
>> To authenticate a user to the website, I use the Tomcat JDBC
>> Realm.
> 
> 1. Realm configuration =? Is it JDBCRealm or DataSourceRealm? If it
> is the former, then your <Resource> is not used at all.
> 
> 2. Posting the actual password on a public mailing list? Consider
> it compromised.
> 
> 
>> At the beginning, everything works fine, but after about an hour
>> of inactivity, it's impossible to authenticate again :
>> 
>> Tomcat process seems to be running but doesn't log anything and
>> doesn't answer any other requests.
>> 
>> 
>> The firewall is rejecting the connection with the following
>> message : Deny TCP (no connection) from WEB/50790 to DB/5432 FIN
>> ACK on interface DMZ_clients
>> 
>> 
>> I thought, the problem was after a while, if tomcat connections
>> were not used, the firewall would drop them.
>> 
>> So, I tried to add "keepAlive" time-outs (tomcat site, postgres
>> side, ) but none of them worked :
>> 
>> 
>> Here is the tomcat context.xml :
>> 
>> 
>> <Resource name="jdbc/elkar" auth="Container" 
>> type="javax.sql.DataSource"
>> driverClassName="org.postgresql.Driver"
> [...]
>> />
>> 
>> 
>> The postgresql.conf :
>> 
>> 
>> # - TCP Keepalives -
>> # see "man 7 tcp" for details
>> 
>> #tcp_keepalives_idle = 300              # TCP_KEEPIDLE, in seconds;
>>                                         # 0 selects the system default
>> #tcp_keepalives_interval = 0            # TCP_KEEPINTVL, in seconds;
>>                                         # 0 selects the system default
>> #tcp_keepalives_count = 0
>> 
>> 
>> And finally, the Sysctl.conf :
>> 
>> 
>> net.ipv4.tcp_keepalive_time = 900
>> net.ipv4.tcp_keepalive_intvl = 60
>> net.ipv4.tcp_keepalive_probes = 9
>> 
>> 
>> 
>> Before that, the application was tested without using the
>> firewall and everything worked fine.
>> 
>> 
>> If you have any idea of why this is happening, I haven't found a
>> solution yet.
>> 
>> 
>> Regards, Luc D.
>> 


RE: JDBC authentication problem

Posted by Luc DALLEMANE <ld...@alaloop.com>.
Thanks for the reply, it is the JDBCRealm not the data source.

I have set this password for test only but it will be changed when everything will be ok and in production. (But I didn't see I had pasted it ...)

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com]
Sent: Friday, 30 January 2015 14:52
To: Tomcat Users List
Subject: Re: JDBC authentication problem

2015-01-30 16:45 GMT+03:00 Luc DALLEMANE <ld...@alaloop.com>:
> Hi,
>
>
> I'm facing a problem with my web application.
>
>
> I'm using Tomcat 7.0.56, Java 1.8, Postgres 9.4 and Debian 7.
>
> The application is configured as follows :
>
>
> The web server is located in a DMZ.
>
> The database server is located in our LAN.
>
> To communicate with each other, a firewall has been set up (Cisco ASA
> firewall)
>
>
> To authenticate a user to the website, I use the Tomcat JDBC Realm.

1. Realm configuration =?
Is it JDBCRealm or DataSourceRealm? If it is the former, then your <Resource> is not used at all.

2. Posting the actual password on a public mailing list? Consider it compromised.


> At the beginning, everything works fine, but after about an hour of inactivity, it's impossible to authenticate again :
>
> Tomcat process seems to be running but doesn't log anything and doesn't answer any other requests.
>
>
> The firewall is rejecting the connection with the following message :
> Deny TCP (no connection) from WEB/50790 to DB/5432 FIN ACK on
> interface DMZ_clients
>
>
> I thought, the problem was after a while, if tomcat connections were not used, the firewall would drop them.
>
> So, I tried to add "keepAlive" time-outs (tomcat site, postgres side, ) but none of them worked :
>
>
> Here is the tomcat context.xml :
>
>
>  <Resource name="jdbc/elkar" auth="Container"
>                 type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
[...]
> />
>
>
> The postgresql.conf :
>
>
> # - TCP Keepalives -
> # see "man 7 tcp" for details
>
> #tcp_keepalives_idle = 300              # TCP_KEEPIDLE, in seconds;
>                                         # 0 selects the system default
> #tcp_keepalives_interval = 0            # TCP_KEEPINTVL, in seconds;
>                                         # 0 selects the system default
> #tcp_keepalives_count = 0
>
>
> And finally, the Sysctl.conf :
>
>
> net.ipv4.tcp_keepalive_time = 900
> net.ipv4.tcp_keepalive_intvl = 60
> net.ipv4.tcp_keepalive_probes = 9
>
>
>
> Before that, the application was tested without using the firewall and everything worked fine.
>
>
> If you have any idea of why this is happening, I haven't found a solution yet.
>
>
> Regards, Luc D.
>



Re: JDBC authentication problem

Posted by Konstantin Kolinko <kn...@gmail.com>.
2015-01-30 16:45 GMT+03:00 Luc DALLEMANE <ld...@alaloop.com>:
> Hi,
>
>
> I'm facing a problem with my web application.
>
>
> I'm using Tomcat 7.0.56, Java 1.8, Postgres 9.4 and Debian 7.
>
> The application is configured as follows :
>
>
> The web server is located in a DMZ.
>
> The database server is located in our LAN.
>
> To communicate with each other, a firewall has been set up (Cisco ASA firewall)
>
>
> To authenticate a user to the website, I use the Tomcat JDBC Realm.

1. Realm configuration =?
Is it JDBCRealm or DataSourceRealm? If it is the former, then your
<Resource> is not used at all.

2. Posting the actual password on a public mailing list? Consider it
compromised.


> At the beginning, everything works fine, but after about an hour of inactivity, it's impossible to authenticate again :
>
> Tomcat process seems to be running but doesn't log anything and doesn't answer any other requests.
>
>
> The firewall is rejecting the connection with the following message : Deny TCP (no connection) from WEB/50790 to DB/5432 FIN ACK on interface DMZ_clients
>
>
> I thought, the problem was after a while, if tomcat connections were not used, the firewall would drop them.
>
> So, I tried to add "keepAlive" time-outs (tomcat site, postgres side, ) but none of them worked :
>
>
> Here is the tomcat context.xml :
>
>
>  <Resource name="jdbc/elkar" auth="Container"
>                 type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
[...]
> />
>
>
> The postgresql.conf :
>
>
> # - TCP Keepalives -
> # see "man 7 tcp" for details
>
> #tcp_keepalives_idle = 300              # TCP_KEEPIDLE, in seconds;
>                                                      # 0 selects the system default
> #tcp_keepalives_interval = 0            # TCP_KEEPINTVL, in seconds;
>                                                      # 0 selects the system default
> #tcp_keepalives_count = 0
>
>
> And finally, the Sysctl.conf :
>
>
> net.ipv4.tcp_keepalive_time = 900
> net.ipv4.tcp_keepalive_intvl = 60
> net.ipv4.tcp_keepalive_probes = 9
>
>
>
> Before that, the application was tested without using the firewall and everything worked fine.
>
>
> If you have any idea of why this is happening, I haven't found a solution yet.
>
>
> Regards, Luc D.
>
