CODEWITHSUNDEEP
apachespring-securitytomcat7
Vipul Paralikar
Vipul Paralikar

Reputation: 1568

Spring security 3 Concurrent session control not working in tomcat clustered environment

Spring security's concurrent session control is not working properly in tomcat 7 clustered environment but works fine in non-clustered environment.Sessions are also replicated in tomcat.

Configuration for clustering:

<Cluster channelSendOptions="6" className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
        <Manager className="org.apache.catalina.ha.session.DeltaManager" expireSessionsOnShutdown="false" notifyListenersOnReplication="true"/>
        <Channel className="org.apache.catalina.tribes.group.GroupChannel">
          <Membership address="228.0.0.9" className="org.apache.catalina.tribes.membership.McastService" dropTime="3000" frequency="500" port="45564"/>
          <Receiver address="auto" autoBind="100" className="org.apache.catalina.tribes.transport.nio.NioReceiver" maxThreads="6" port="5008" selectorTimeout="5000"/>
          <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
            <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
          </Sender>
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
        </Channel>
        <Valve className="org.apache.catalina.ha.tcp.ReplicationValve" filter=""/>
        <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>
        <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer" deployDir="/tmp/war-deploy/" tempDir="/tmp/war-temp/" watchDir="/tmp/war-listen/" watchEnabled="false"/>
        <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
        <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
      </Cluster>

Configuration for apache load balancing:

ProxyPass / balancer://domain.foo.net/ lbmethod=byrequests stickysession=JSESSIONID|jsessionid nofailover=Off maxattempts=15
ProxyPreserveHost On
<Proxy balancer://domain.abcprocure.net>
    BalancerMember http://127.0.0.1:8888 max=250 min=45 keepalive=On route=tc02
    BalancerMember http://127.0.0.1:8080 max=250 min=45 keepalive=On route=tc01

</Proxy>

Further assistance would be appreciated.

Upvotes: 3

Views: 2752

Answers (1)

Shaun the Sheep
Shaun the Sheep

Reputation: 22752

The default SessonRegistry is an in-memory implementation so you will have a different one in each JVM which will be unaware of the others.

You need to implement the SessionRegistry interface in a way that shares data between VMs. This could use a SQL database, memcached, redis or whatever is most appropriate for your situation.

Once you've written your class, the reference manual shows how to configure concurrency control with an explicit SessionRegistry bean.

Upvotes: 4

Related Questions