How to share identity between several TomEE servers


How to share identity between several TomEE servers

renz
Hi,

We have a Remote EJB application (only Stateless EJBs) with our own JAAS LoginModule deployed on several servers.
Each server is running a TomEE 1.7.1 instance and nginx as a reverse proxy.
There is also a hardware load-balancing device.

The load-balancer is configured to redirect according to IP address.
The problem is that if a server is down, the client application (developed by ourselves) will be redirected to a new server and get this error:

INFO: Client identity is not valid - EJBRequest{deploymentId='ExtractionBean-20151019', type=EJB_OBJECT_BUSINESS_METHOD, Body{ejb=null, orb=null, methodInstance=null, interfaceClass=null,
methodName='null', methodParamTypes=null, methodParameters=null, primaryKey=null, requestId='null', version=2}} - Enable DEBUG for stacktrace: javax.security.auth.login.LoginException: Identity is not currently logged in: 1aff801d-238f-4d72-a4e2-6d7553224ba7

I would like to know if it is possible to share identity between all servers, using a database, a shared directory or anything else.

Thanks.

Re: How to share identity between several TomEE servers

Romain Manni-Bucau
Hi

Maybe try adding in the client properties
openejb.ejbd.authenticate-with-request=true

(see https://issues.apache.org/jira/browse/TOMEE-997)


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Wordpress Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2016-10-04 10:18 GMT+02:00 renz <[hidden email]>:

> Hi,
>
> We have a Remote EJB application (only Stateless EJBs) with our own JAAS
> LoginModule deployed on several servers.
> Each server is running a TomEE 1.7.1 instance and nginx as a reverse proxy.
> There is also a hardware load-balancing device.
>
> The load-balancer is configured to redirect according to IP address.
> The problem is that if a server is down, the client application (developed
> by ourselves) will be redirected to a new server and get this error:
>
>
>
> I would like to know if it is possible to share identity between all
> servers, using a database, a shared directory or anything else.
>
> Thanks.
>
>
>
> --
> View this message in context: http://tomee-openejb.979440.
> n4.nabble.com/How-to-share-identity-between-several-
> TomEE-servers-tp4680280.html
> Sent from the TomEE Users mailing list archive at Nabble.com.
>

Re: How to share identity between several TomEE servers

renz
Hi Romain,

Thank you very much. It seems to do the trick.

1. What is the purpose of this property?

2. I have a side effect. If my login module throws a FailedLoginException, I get the exception below when I create the InitialContext. Without 'openejb.ejbd.authenticate-with-request=true', the FailedLoginException was nested in an 'AuthenticationException'.

javax.ejb.EJBException: Unknown Container Exception: java.rmi.RemoteException: Received invalid response code from server: 3
	 at org.apache.openejb.client.EJBObjectHandler._invoke(EJBObjectHandler.java:236)
	 at org.apache.openejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:136)
	 at org.apache.openejb.client.proxy.Jdk13InvocationHandler.invoke(Jdk13InvocationHandler.java:49)
	 at ...

Any idea?

Re: How to share identity between several TomEE servers

Romain Manni-Bucau
2016-10-04 11:42 GMT+02:00 renz <[hidden email]>:

> Hi Romain,
>
> Thank you very much. It seems to do the trick.
>
> 1. What is the purpose of this property?
>
>
By default ejbd uses a session, so the flow is something like:

a. login
b. do business calls
c. logout

If b is 1,000,000 calls you still have had a single a (and will get a
single c).

With this property the flow is a, b, c for each invocation, but a and c are no
longer needed globally. In other words you authenticate where the request
ends each time.


> 2. I have a side effect. If my login module throws a FailedLoginException, I
> get the exception below when I create the InitialContext. Without
> 'openejb.ejbd.authenticate-with-request=true', the FailedLoginException was
> nested in an 'AuthenticationException'.
>
>
>
With that property you log in with a business call, no longer with an
authentication phase, so that doesn't shock or surprise me much. Is that an issue?


>
> Any idea?
>
>
>
> --
> View this message in context: http://tomee-openejb.979440.
> n4.nabble.com/How-to-share-identity-between-several-TomEE-servers-
> tp4680280p4680283.html
> Sent from the TomEE Users mailing list archive at Nabble.com.
>

Re: How to share identity between several TomEE servers

renz
OK for the 1st point.
For the 2nd point, at the moment we have a specific process on the client side according to the LoginException nested in the AuthenticationException. With that property we have access neither to the AuthenticationException nor the LoginException.

Maybe we should forget about using this property and replace it with a reconnect process on the client side.
Do we need to explicitly log out from the ejbd session? InitialContext.close?

Thank you.

Re: How to share identity between several TomEE servers

Romain Manni-Bucau
2016-10-04 13:58 GMT+02:00 renz <[hidden email]>:

> OK for the 1st point.
> For the 2nd point, at the moment we have a specific process on the client side
> according to the LoginException nested in the AuthenticationException. With
> that
> property we have access neither to the AuthenticationException nor the
> LoginException.
>
>
What do you have exactly? I'm no more sure of the type and it will likely
be something more generic but you should see where it comes from.


> Maybe we should forget about using this property and replace it with a reconnect
> process on the client side.
>

Depends on your application. Originally this property was there to allow
contextual security data to work (otherwise you lose it once you are
logged in).


> Do we need to explicitly log out from the ejbd session? InitialContext.close?
>
>
yes


> Thank you.
>
>
>
> --
> View this message in context: http://tomee-openejb.979440.
> n4.nabble.com/How-to-share-identity-between-several-TomEE-servers-
> tp4680280p4680286.html
> Sent from the TomEE Users mailing list archive at Nabble.com.
>
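Pulling the pieces of this thread together (the client property from Romain's first reply, the LoginException nested inside AuthenticationException that renz's client relies on, the RemoteException renz sees with the flag on, and the explicit InitialContext.close() confirmed just above), here is an added client-side example. It is my code, not code from the thread and not TomEE's own; the remote interface ExtractionRemote, the JNDI name "ExtractionBeanRemote", the host, port and credentials are hypothetical placeholders, and the check on the RemoteException message is a heuristic taken from the stack trace in this thread (TomEE 1.7.1), not an API.

```java
import java.rmi.RemoteException;
import java.util.Properties;

import javax.ejb.EJBException;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

/**
 * Added example (not from this thread and not TomEE code): a remote EJB client
 * that builds the ejbd properties, runs one business call, classifies an
 * authentication failure the way the thread describes it, and always closes the
 * InitialContext so the ejbd session is logged out on the server.
 *
 * Assumed, hypothetical names: ExtractionRemote, the JNDI name
 * "ExtractionBeanRemote", the host, port and credentials.
 */
public class EjbdClientExample {

    /** Hypothetical remote business interface of the deployed stateless bean. */
    public interface ExtractionRemote {
        String extract(String documentId);
    }

    /** How a failed call should be handled by the caller. */
    public enum Outcome { OK, BAD_CREDENTIALS, LOGIN_MODULE_ERROR, REFUSED_DURING_CALL, OTHER }

    /** Client properties; the last entry is the flag discussed in this thread. */
    public static Properties clientProperties(final boolean authenticateWithRequest) {
        final Properties p = new Properties();
        p.put(Context.INITIAL_CONTEXT_FACTORY,
              "org.apache.openejb.client.RemoteInitialContextFactory");
        p.put(Context.PROVIDER_URL, "ejbd://tomee-node.example:4201"); // placeholder host
        p.put(Context.SECURITY_PRINCIPAL, "app-user");                  // placeholder
        p.put(Context.SECURITY_CREDENTIALS, "app-password");            // placeholder
        // true : the JAAS login travels with every request, so failing over to another
        //        node cannot produce "Identity is not currently logged in".
        // false: default, one login per ejbd session held by the server that did it.
        p.put("openejb.ejbd.authenticate-with-request", String.valueOf(authenticateWithRequest));
        return p;
    }

    /**
     * Maps the exceptions described in the thread to an Outcome so the client can keep
     * its own handling per failure type instead of retrying blindly.
     */
    public static Outcome classify(final Throwable t) {
        if (t instanceof AuthenticationException) {
            // Flag off: the LoginModule's exception is nested as the cause.
            final Throwable cause = t.getCause();
            if (cause instanceof FailedLoginException) {
                return Outcome.BAD_CREDENTIALS;   // do not retry with the same credentials
            }
            if (cause instanceof LoginException) {
                return Outcome.LOGIN_MODULE_ERROR; // e.g. the module's backend is unreachable
            }
            return Outcome.OTHER;
        }
        if (t instanceof EJBException) {
            // Flag on, TomEE 1.7.1: the refusal is only visible as the RemoteException
            // shown in this thread; matching its message is a heuristic, not an API.
            final Exception cause = ((EJBException) t).getCausedByException();
            if (cause instanceof RemoteException
                    && String.valueOf(cause.getMessage()).contains("invalid response code")) {
                return Outcome.REFUSED_DURING_CALL;
            }
        }
        return Outcome.OTHER;
    }

    /** One business call; the context is closed on every path (explicit ejbd logout). */
    public static String extract(final boolean authenticateWithRequest, final String documentId)
            throws NamingException {
        InitialContext ctx = null;
        try {
            // Flag off: the JAAS login happens here and a refusal throws
            // javax.naming.AuthenticationException before any business call.
            ctx = new InitialContext(clientProperties(authenticateWithRequest));
            final ExtractionRemote bean = (ExtractionRemote) ctx.lookup("ExtractionBeanRemote");
            // Flag on: the login is carried by this call, so a refusal surfaces here instead.
            return bean.extract(documentId);
        } finally {
            if (ctx != null) {
                ctx.close(); // logs the ejbd session out on the server
            }
        }
    }

    public static void main(final String[] args) {
        try {
            System.out.println(extract(true, "doc-42"));
        } catch (NamingException | EJBException e) {
            System.err.println("call failed: " + classify(e) + " (" + e + ")");
        }
    }
}
```

With the flag off, a refusal is classified before any business call runs and the finally block still closes the context; with the flag on, the same refusal only appears on the call itself, with no typed cause to inspect on TomEE 1.7.1, which is the gap renz describes.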

Re: How to share identity between several TomEE servers

renz
Exceptions are replaced by a RemoteException in EJBObjectHandler._handleBusinessMethodResponse (see 'default' below).

    private Object _handleBusinessMethodResponse(final EJBResponse res) throws Throwable {
        switch (res.getResponseCode()) {
            case ResponseCodes.EJB_ERROR:
                throw new SystemError((ThrowableArtifact) getResult(res));
            case ResponseCodes.EJB_SYS_EXCEPTION:
                throw new SystemException((ThrowableArtifact) getResult(res));
            case ResponseCodes.EJB_APP_EXCEPTION:
                throw new ApplicationException((ThrowableArtifact) getResult(res));
            case ResponseCodes.EJB_OK:
                return getResult(res);
            default:
                // any other code (including an authentication refusal) ends up here
                throw new RemoteException("Received invalid response code from server: " + res.getResponseCode());
        }
    }

Re: How to share identity between several TomEE servers

Romain Manni-Bucau
Expected an explicit message at least. That said, if you want to enhance
this error handling to support your case a pull request would be welcomed
and can still hit the coming 7.0.2.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Wordpress Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2016-10-04 14:13 GMT+02:00 renz <[hidden email]>:

> Exceptions are replaced by a RemoteException in
> EJBObjectHandler._handleBusinessMethodResponse (see 'default' below).
>
>
>
>
>
> --
> View this message in context: http://tomee-openejb.979440.
> n4.nabble.com/How-to-share-identity-between-several-TomEE-servers-
> tp4680280p4680288.html
> Sent from the TomEE Users mailing list archive at Nabble.com.
>

Re: How to share identity between several TomEE servers

renz
In my case, I think we'll keep the parameter at 'false'.

I don't know what really happens behind the scenes but maybe 'org.apache.openejb.client.EJBObjectHandler._handleBusinessMethodResponse' could be improved by adding a 'ResponseCodes.AUTH_DENIED' case like below:

private Object _handleBusinessMethodResponse(final EJBResponse res) throws Throwable {
	switch (res.getResponseCode()) {
		case ResponseCodes.EJB_ERROR:
			throw new SystemError((ThrowableArtifact) getResult(res));
		case ResponseCodes.EJB_SYS_EXCEPTION:
			throw new SystemException((ThrowableArtifact) getResult(res));
		case ResponseCodes.EJB_APP_EXCEPTION:
			throw new ApplicationException((ThrowableArtifact) getResult(res));
		case ResponseCodes.EJB_OK:
			return getResult(res);
		case ResponseCodes.AUTH_DENIED:
			// proposed: surface the server's authentication refusal as a typed exception
			throw new AuthenticationException(((ThrowableArtifact) getResult(res)).getThrowable());
		default:
			throw new RemoteException("Received invalid response code from server: " + res.getResponseCode());
	}
}

Re: How to share identity between several TomEE servers

Romain Manni-Bucau
Yes, was the idea of the proposal


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Wordpress Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2016-10-04 16:39 GMT+02:00 renz <[hidden email]>:

> In my case, I think we'll keep the parameter at 'false'.
>
> I don't know what really happens behind the scenes but maybe
> 'org.apache.openejb.client.EJBObjectHandler._handleBusinessMethodResponse'
> could be improved by adding a 'ResponseCodes.AUTH_DENIED' case like below:
>
>
>
>
>
>
> --
> View this message in context: http://tomee-openejb.979440.
> n4.nabble.com/How-to-share-identity-between-several-TomEE-servers-
> tp4680280p4680290.html
> Sent from the TomEE Users mailing list archive at Nabble.com.
>

Re: How to share identity between several TomEE servers

Romain Manni-Bucau
PS: https://issues.apache.org/jira/browse/TOMEE-1952


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Wordpress Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2016-10-04 16:49 GMT+02:00 Romain Manni-Bucau <[hidden email]>:

> Yes, was the idea of the proposal
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <https://blog-rmannibucau.rhcloud.com> | Old Wordpress Blog
> <http://rmannibucau.wordpress.com> | Github
> <https://github.com/rmannibucau> | LinkedIn
> <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com> | JavaEE Factory
> <https://javaeefactory-rmannibucau.rhcloud.com>
>
> 2016-10-04 16:39 GMT+02:00 renz <[hidden email]>:
>
>> In my case, I think we'll keep the parameter at 'false'.
>>
>> I don't know what really happens behind the scenes but maybe
>> 'org.apache.openejb.client.EJBObjectHandler._handleBusinessMethodResponse'
>> could be improved by adding a 'ResponseCodes.AUTH_DENIED' case like
>> below:
>>
>>
>>
>>
>>
>> --
>> View this message in context: http://tomee-openejb.979440.n4
>> .nabble.com/How-to-share-identity-between-several-TomEE-
>> servers-tp4680280p4680290.html
>> Sent from the TomEE Users mailing list archive at Nabble.com.
>>
>
>

Re: How to share identity between several TomEE servers

amol.p.dongare
This trick works, however

before setting this property, when I debug my EJB client it was showing the following information:
ClientMetaData Object which shows clientIdentity (UUID) and ProtocolMetaData Object values

However after setting openejb.ejbd.authenticate-with-request=true it shows ClientMetaData Object=null and ProtocolMetaData Object=null

What are the consequences of this? Does this mean after setting this property remote clients are no longer authenticated during business calls?



Re: How to share identity between several TomEE servers

Romain Manni-Bucau
The ejbd protocol normally does:

auth();
business();


This flag makes it log in with the request, kind of:

authThenBusiness();


It is more reliable with security frameworks because it is compatible with
the ThreadLocal often used in impls.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2017-06-20 16:01 GMT+02:00 amol.p.dongare <[hidden email]>:

> This trick works, however
>
> before setting this property, when I debug my EJB client it was showing the
> following information:
> *ClientMetaData Object which shows clientIdentity (UUID) and
> ProtocolMetaData Object values*
>
> However after setting *openejb.ejbd.authenticate-with-request=true* it
> shows
> *ClientMetaData Object=null and ProtocolMetaData Object=null*
>
> What are the consequences of this? Does this mean after setting this
> property remote clients are no longer authenticated during business calls?
>
>
>
>
>
>
> --
> View this message in context: http://tomee-openejb.979440.
> n4.nabble.com/How-to-share-identity-between-several-TomEE-servers-
> tp4680280p4681927.html
> Sent from the TomEE Users mailing list archive at Nabble.com.
>