I have a simple little app with a bit of faces/richfaces for the UI, a single stateful session bean for a service layer and a couple of JPA beans for persistence backed by hibernate. It is based off the project called "multi" generated from jboss tools when you select new->project and JBoss Central->Java EE Project. It is packaged as a war and ejb jar in an ear file for deployment. I also have mod-cluster configured with apache 2.2.
I am using this as an example app to get experience in configuring and running jboss as7 for a fault tolerant deployment of a larger application.
It is now mostly working with a nightly build of 7.1.2 (from about a week ago).
The application is configured for form based authentication in web.xml and also has the <distributable/> element in web.xml.
If I start both servers and then access the application via the mod-cluster address (http://172.16.95.131/multi-web) I get to log in to the app and use it as expected. If I then shut down the server that the app is currently running on I would expect that I should still be able to use the application with the current login session but failed over to the other server.
Instead of that I get put back to the login form, and if I try to log in the login hangs; eventually I get a timeout and a 503 service unavailable error. If I reload that URL again I go back to the login form and this time I can log in to the app running on the other server.
So, something is missing or mis-configured. Can anyone suggest where to look?
A bit more reading/searching finds this post, https://community.jboss.org/thread/155273, that suggests that security credentials are not replicated with the session and that I need to configure SSO to get this to work. It suggests that I need to set up the ClusteredSingleSignOn valve in the jboss-web.xml file in the deployment. This is further described in the wiki at https://community.jboss.org/wiki/JBossWebSingleSignOn but this is quite out of date.
Is there anything written about how this works and should be configured? I can't find anything about what can be configured in jboss-web.xml.
I found someone else with the same problem posted a couple of days ago, https://community.jboss.org/thread/198857. They seem to have a bit more info on how it should be configured but it still isn't working for them either.
I'm still unable to get this to work correctly.
Session state is failing over OK but authentication state is not. Can anyone help or point to some current documentation about how to configure this?
Details of my configuration are as follows.
I have the following in my domain.xml for the web subsystem
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
        <sso cache-container="web" cache-name="sso" reauthenticate="false"/>
    </virtual-server>
</subsystem>
and the web.xml for the application has the <distributable/> element. My application is using form based authentication. web.xml is
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <display-name>AuthenticationEx</display-name>
    <distributable/>
    <session-config>
        <session-timeout>2</session-timeout>
    </session-config>
    <security-constraint>
        <display-name>Authentication Login</display-name>
        <web-resource-collection>
            <web-resource-name>SecuredArea</web-resource-name>
            <url-pattern>/index.jsf</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>other</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>other</realm-name>
        <form-login-config>
            <form-login-page>/login.jsf</form-login-page>
            <form-error-page>/bad-login.jsf</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>other</role-name>
    </security-role>
</web-app>
and jboss-web.xml is
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain flushOnSessionInvalidation="true">other</security-domain>
    <replication-config>
        <replication-trigger>SET_AND_NON_PRIMITIVE_GET</replication-trigger>
        <replication-granularity>SESSION</replication-granularity>
    </replication-config>
</jboss-web>
and modcluster has been configured as well, the following is the subsystem configuration:
<subsystem xmlns="urn:jboss:domain:modcluster:1.1">
    <mod-cluster-config advertise-socket="modcluster" connector="ajp">
        <dynamic-load-provider>
            <load-metric type="busyness"/>
        </dynamic-load-provider>
    </mod-cluster-config>
</subsystem>
finally, the httpd configuration is as follows
<VirtualHost 172.16.95.131:10001>
    LogLevel debug
    <Directory />
        Order deny,allow
        Deny from all
        Allow from all
    </Directory>
    # This directive allows you to view mod_cluster status at URL http://10.211.55.4:10001/mod_cluster-manager
    <Location /mod_cluster-manager>
        SetHandler mod_cluster-manager
        Order deny,allow
        Deny from all
        Allow from 172.16.95.
    </Location>
    KeepAliveTimeout 60
    MaxKeepAliveRequests 0
    ManagerBalancerName other-server-group
    AdvertiseFrequency 5
    AdvertiseSecurityKey secret
    EnableMCPMReceive
</VirtualHost>
No, sorry. My current project work is with an old JBoss version (6.1) and we haven't had to progress the session sharing. When we do it will be with the EAP 6.2.0 version.
I'd suggest trying it with the EAP 6.2.0 version or WildFly, which is now in candidate release state (8.0.0.CR1), if you have that option.