I have 3 Tomcat servers.
All my applications are deployed as WARs.
The first one is a web server which uses remote objects via HTTP invoker from server 2.
Server 2 uses remote objects via HTTP invoker from server 3.
I would like to use Spring Security on servers 2 and 3.
I need to know under which user session the remote method was called.
I was thinking of creating a session on each of the servers, but I do not know how to do this.
Even if I can replicate the session to all servers, how do I tell server 2 that user X called some remote method?
Well, we use Spring Security on our project. We use 3 Tomcat servers which are in a cluster. We use sticky sessions on our LB so that, once the session forms between the LB and a node, the subsequent requests go to that same node.
I suggest you put the 3 Tomcat servers in one cluster (it's quite easy) and maintain sticky sessions between your LB and all nodes.
Why we want to configure that setup?
We would like to have a Blue/Green zero downtime setup for our CF2018 App.
We currently have a basic CF Server Install (IIS + CF2018) in one server that connects to another Server for the DB (we are using CF2018 Standard).
Our app uses J2EE sessions
There are posts that explain how to use the External Session Storage feature included in CF (Redis), but that won't work with J2EE sessions; the CF admin interface won't allow it.
How can I set up 2 servers in a cluster (behind a load balancer) with J2EE session failover functionality by using CF2018 Standard Edition?
I am facing very dramatic behavior caused by an Amazon EC2 server. I have one web application deployed on an Amazon EC2 server, developed using Spring and Java. A new session is created here for every request. I have one scenario where I need to store some data in the HttpSession object, but because the session changes every time, I lose my data.
Your response is respectable.
Thanks.
Please add a comment if I forgot to mention something that is required to understand this.
Let me explain my scenario completely:
I have two machines which have Apache installed and integrated with the Tomcat server using the mod_jk connector, e.g. the app0 and app1 machines; both of these machines receive requests from the EC2 load balancer. To replicate the session for each instance of the server I have used the DeltaManager JDBC store setting, because EC2 does not support the SimpleTCPCluster setting.
DeltaManager code:
<Manager className="org.apache.catalina.session.PersistentManager"
         saveOnRestart="true"
         minIdleSwap="-1"
         maxIdleSwap="-1"
         maxIdleBackup="20"
         processExpiresFrequency="1">
    <Store className="org.apache.catalina.session.JDBCStore"
           connectionURL="jdbc:mysql://localhost:3306/tomcat"
           driverName="com.mysql.jdbc.Driver"
           connectionName="username"
           connectionPassword="password"
           sessionIdCol="session_id"
           sessionValidCol="valid_session"
           sessionMaxInactiveCol="max_inactive"
           sessionLastAccessedCol="last_access"
           sessionTable="sessions"
           sessionAppCol="app_name"
           sessionDataCol="session_data"
    />
</Manager>
This all works fine on my local machine but fails in production, as there are two machines and they are handled by the EC2 load balancer.
Please comment if anything else is required.
Issue with session was that jsessionid cookie was removed from the request due to the different path. App has a "/" (root) as a path and jsessionid had a path "/". This was causing jsessionid to be removed from the request and since server never received the jsessionid it was creating the new one all the time.
We fixed the issue by adding parameter - emptySessionPath="true" - to all connectors in /etc/tomcat6/server.xml.
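The mechanism behind that answer, as an added example that is not part of the original post: a client only returns JSESSIONID when the request path falls under the cookie's Path attribute (RFC 6265 path-match), so a mismatch makes the server issue a fresh session on every request. The cookie values, the `/shop` path and the request paths are constructed, and the header is assumed to carry an explicit Path attribute.

```python
# Added example, not from the original post. Paths and cookie values are constructed.
from http.cookies import SimpleCookie


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts on a "/" boundary: /shop covers /shop/x, not /shopping.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_path_of(set_cookie_header: str, name: str = "JSESSIONID") -> str:
    """Extract the Path attribute of the named cookie from a Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar or not jar[name]["path"]:
        raise ValueError(f"no {name} cookie with an explicit Path in header")
    return jar[name]["path"]


def sessions_created(set_cookie_header: str, request_paths: list) -> int:
    """Simulate one client: count how many sessions the server has to create."""
    cookie_path = cookie_path_of(set_cookie_header)
    have_cookie = False
    created = 0
    for path in request_paths:
        if have_cookie and path_matches(path, cookie_path):
            continue  # client returns JSESSIONID, server reuses the session
        created += 1  # no JSESSIONID arrived: server issues a new session
        have_cookie = True  # client stores the replacement cookie
    return created


# Constructed inputs: an app reached at "/" whose cookie is scoped to "/shop",
# and the same cookie scoped to "/" instead.
REQUESTS = ["/", "/cart", "/checkout"]
MISMATCHED = "JSESSIONID=A1B2C3; Path=/shop; HttpOnly"
ROOT_SCOPED = "JSESSIONID=A1B2C3; Path=/; HttpOnly"

if __name__ == "__main__":
    print("sessions with Path=/shop:", sessions_created(MISMATCHED, REQUESTS))
    print("sessions with Path=/:    ", sessions_created(ROOT_SCOPED, REQUESTS))
```

A cookie scoped to `/` is returned to every application on the host, so this setting only suits a host that serves a single application.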
First, this app works perfectly fine in a non-clustered environment.
The problem we have is when the ELB routes first to one server in a cluster during a session, then to a second server. The second server can't find the session, e.g.:
An iOS app passes a login call to a GlassFish 4 server cluster (we're using OAuth/Facebook tokens, so no GlassFish security realms).
The Amazon Elastic Load Balancer (ELB) sends to server 1.
Session is authenticated and user logged in and a session cookie passed back to the app.
Immediately the app sends another request which needs authentication (is this a valid session).
The ELB decides to send the request to server 2
In our authenticate servlet filter, server 2 can't find a session with the id passed in with the cookie
The servlet says the user is not authenticated and the call fails.
Our code is pretty typical for finding the session (if no session immediately return fail):
// Look up the existing session without creating a new one
HttpSession session = req.getSession(false);
if (session == null) {
    // session not authenticated: log and return
} else {
    // session authenticated: log and return
}
If the second call gets routed to the same server as the login, the second call works fine. Whenever a call (be it the second, third, fourth, whatever) goes to the second server, authentication fails because it can't find the session on the second server.
I'm looking to see if anyone has encountered something like this and how you have resolved the issue. Is it better to use sticky sessions on the ELB, or is Apache web server using JK or AJP a better choice?
Two potential issues off the top of my head:
Have you specified <distributable/> in your web.xml?
Could be a multicast issue. EC2 does not support multicast, which is what GlassFish uses by default. Check out this Stack Overflow thread that discusses the topic, including non-multicast clustering.
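A way to confirm the failure described in this thread from application logs, as an added example that is not part of the original posts: it reports sessions issued by one node and then rejected with 401 by another, which points at missing replication or affinity rather than at the login code. The log format, field names, node names and session ids are all constructed.

```python
# Added example, not from the original thread. Log format and values are constructed.
import re

LINE = re.compile(
    r"backend=(?P<backend>\S+) sid=(?P<sid>\S+) issued=(?P<issued>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})"
)

# sid = session id received in the Cookie header, issued = id set in the response.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z backend=node1 sid=- issued=s-41 path=/login status=200
2024-01-01T10:00:01Z backend=node2 sid=s-41 issued=- path=/feed status=401
2024-01-01T10:00:02Z backend=node2 sid=- issued=s-77 path=/login status=200
2024-01-01T10:00:03Z backend=node2 sid=s-77 issued=- path=/feed status=200
2024-01-01T10:00:04Z backend=node2 sid=s-77 issued=- path=/profile status=200
"""


def lost_sessions(log_text: str) -> list:
    """Return (sid, issuing_backend, rejecting_backend) for each session that
    was rejected with 401 by a node other than the one that issued it."""
    issuer = {}  # sid -> backend that created the session
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        backend, status = m["backend"], int(m["status"])
        if m["issued"] != "-":
            issuer[m["issued"]] = backend
        sid = m["sid"]
        if sid in issuer and backend != issuer[sid] and status == 401:
            findings.append((sid, issuer[sid], backend))
    return findings


if __name__ == "__main__":
    for sid, origin, rejecting in lost_sessions(SAMPLE_LOG):
        print(f"session {sid}: issued by {origin}, rejected by {rejecting}")
```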
Got a question on IBM worklight server, thanks in advance for any comments on this subject.
Workflow:
User --> WorkLight Server --> Back-end Server
Scenario:
(1) Designed a mobile application with IBM worklight studio and deployed to worklight server.
(2) Must use worklight server for the first entry point (user authentication by LDAP via worklight server)
(3) This mobile application designed for downloading/uploading huge file size (10mb to 1gb) to the backend server behind the worklight server (refer to the workflow pls.)
Question(s):
(1) How session sharing can be done in between worklight server and the back-end server?
(2) If session sharing cannot be done, what's the safest way for the mobile application to download/upload the files to the back-end server, given that the application and back-end server do not know it's the same authenticated transaction when skipping the worklight server?
(3) Did I misunderstand anything about the worklight server architecture? As far as I know, the worklight server is just a kind of gateway and presentation layer for deploying mobile applications with its framework. Heavy and complex computation logic should be handled by another backend server. As long as the worklight server network IO is wide enough for file transfer, it shouldn't be a problem for the worklight server to act as a gateway in this case. File transfer shouldn't be a CPU burden, as it is simply in and out from the user device to the backend server (worklight as a middle man).
Thank you and sorry for the lengthy question.
(1) How session sharing can be done in between worklight server and the back-end server?
Can I make the assumption that you will be using a worklight adapter in order to do your file transfers? In that case, a "session" between the adapter and the client will be created. To be a bit more specific, if I have a global variable stored in my adapter and I modify the variable based on the adapter call from the client, the state of the variable will be maintained upon subsequent requests, and the state of that variable will only be visible to the calling client. (Just a note, this is not always true in clustered environments, where the client may be calling adapters on separate worklight servers)
(2) If session sharing cannot be done, what's the safest way for the mobile application to download/upload the files to the back-end server, given that the application and back-end server do not know it's the same authenticated transaction when skipping the worklight server?
As stated above, this can be achieved through adapters. Since adapters can be protected through authentication, it knows that the client is calling through the same authenticated transaction.
(3) Did I misunderstand anything about the worklight server architecture? As far as I know, the worklight server is just a kind of gateway and presentation layer for deploying mobile applications with its framework. Heavy and complex computation logic should be handled by another backend server. As long as the worklight server network IO is wide enough for file transfer, it shouldn't be a problem for the worklight server to act as a gateway in this case. File transfer shouldn't be a CPU burden, as it is simply in and out from the user device to the backend server (worklight as a middle man).
You hit the nail on the head. I haven't personally done any performance testing with a high amount of computations on the worklight server, but if it is being used simply as a passthrough then you should be fine. The worklight server has been known to be able to process a relatively high amount of concurrent adapter calls, so I believe you will be fine with your setup.
My application is distributed in multiple components (Web Applications).
The components are deployed on different glassfish servers.
Each Glassfish server is running on a different host.
I'm using the provided Security Realm for authentication.
Is there a way, that a user that is already authenticated on server x, doesn't need to authenticate again on server y (single-sign-on)?
I was looking into session replication. But if I understand clustering correctly, this means I would have to deploy the applications to the whole cluster (each instance). What I need is a physically distributed solution.
My reason for this setup is not load balancing or high availability. This is a customer demand.
Any ideas or workarounds? Thanks!
This is an area where products like Oracle Access Manager come in for single-sign-on across multiple services. Oracle GlassFish Server (commercial product that includes GlassFish Server Control features) has a JSR 196 JAAS Provider for Oracle Access Manager. Check out the How-To document on setting it up.
Hope this helps.