Sessions and Tomcat versioning


Sessions and Tomcat versioning

malbinola
Hi all,
we are experiencing a strange behaviour using Shiro in conjunction with the
Tomcat versioning/naming feature
(https://tomcat.apache.org/tomcat-8.0-doc/config/context.html#Naming).
Let's suppose that we have a deployed app named app##01.war on which we have
several logged-in users.
If we release a new version of our webapp (app##02.war), after the webapp
is started up by Tomcat, users on instance ##01 start receiving 401
Unauthorized from the server and are automatically redirected to the login
page.

It seems that sessions of both webapp instances are treated in the same
pool.
How can we separate the session handling in order to avoid any interference
between the instances?

Any help would be appreciated.
Thanks.

Matteo A.

I leave here our shiro.ini configuration:

[main]
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = wtSessionId
cookie.path = /
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionListener = com.sonicle.webtop.core.app.ShiroSessionListener
sessionManager.sessionIdCookie = $cookie

securityManager.sessionManager = $sessionManager
securityManager.sessionManager.sessionIdCookieEnabled = true
securityManager.sessionManager.sessionIdUrlRewritingEnabled = false
securityManager.sessionManager.globalSessionTimeout = 900000
securityManager.sessionManager.sessionListeners = $sessionListener

cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

realm = com.sonicle.webtop.core.shiro.WTRealm
securityManager.realms = $realm

authc = com.sonicle.webtop.core.shiro.WTFormAuthFilter
authc.loginUrl = /login
authc.successUrl = /
authc.usernameParam = wtusername
authc.passwordParam = wtpassword
authc.rememberMeParam = wtrememberme
authc.failureKeyAttribute = loginFailure



--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: Sessions and Tomcat versioning

Felipe Jaekel
Hi,

I've been using Shiro + Tomcat parallel deployment without issues for some years. Currently I'm using Tomcat 8.5.20 and Shiro 1.4.0.

Here is my shiro.ini file:

[main]
shiro.loginUrl = /login.jsf
authc.loginUrl = /login.jsf

user = br.com.tecnico.login.UserFilter
user.loginUrl = /login.jsf

logout = br.com.tecnico.login.LogoutFilter
logout.redirectUrl = http://www.company-name.com.br

roles = br.com.tecnico.login.RolesAuthorizationFilter
roles.loginUrl = /login.jsf
roles.unauthorizedUrl = /authorizationError.jsf

# DataSource config
ds                = org.apache.shiro.jndi.JndiObjectFactory 
ds.requiredType   = javax.sql.DataSource
ds.resourceName   = openejb:Resource/MySql

# JDBC realm config
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.authorizationCachingEnabled = true
jdbcRealm.permissionsLookupEnabled = false
jdbcRealm.authenticationQuery = SELECT senha FROM TBTecnico WHERE usuario = ?
jdbcRealm.userRolesQuery = SELECT role FROM RoleUsuario WHERE usuario = ?
jdbcRealm.dataSource = $ds

securityManager.realms = $jdbcRealm

# Cache
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager

securityManager.cacheManager = $cacheManager

[urls]
/logout = logout

# Internal chat
/page/chatInterno/mensagens.jsf = user

# Training
/page/capacitacao/inscricao.jsf = user
/page/capacitacao/certificado.jsf = user
/page/capacitacao/participacao.jsf = user
/page/capacitacao/prova.jsf = user
/page/capacitacao/video/visualizarVideos.jsf = user
/page/capacitacao/consultaInscricao.jsf = roles[gerente, consulta_inscricao_capacitacao]
/page/capacitacao/etiquetas.jsf = user
/page/capacitacao/** = roles[admin_capacitacao, coordenador_projeto]

# Sales
/page/comercial/bonificacaoImplantacao.jsf = roles[admin_comercial]
/page/comercial/tipoContato.jsf = roles[admin_comercial, gerente, contato_cliente]
/page/comercial/contatos.jsf = roles[admin_comercial, gerente, contato_cliente]
/page/comercial/gestaoClientes.jsf = roles[gerente, admin_comercial, comercial]
/page/comercial/gerarProposta.jsf = roles[admin_comercial, comercial, comercial_proposta]
/page/comercial/gestaoProposta.jsf = roles[admin_comercial, comercial, comercial_proposta]
/page/comercial/captacaoClientes.jsf = roles[admin_comercial, comercial]
/page/comercial/licenca.jsf = roles[admin]
/page/comercial/assinaturaHmac.jsf = roles[assinatura_hmac]
/page/comercial/tabelaReajusteSolucao.jsf = roles[admin_comercial]


# Staff
/page/colaboradores/portal.jsf = user
/page/agenda/calendario.jsf = roles[admin_agenda, agenda, tecnico, comercial, coordenador_projeto]
/page/rdv/protocoloRecebimento.jsf = roles[admin_rdv]
/page/rdv/valorKm.jsf = roles[admin_rdv]
/page/rdv/** = roles[admin_rdv, tecnico, comercial, coordenador_projeto, viajante, rdv]
/page/agenda/evento/agenda.jsf = roles[evento]
/page/colaboradores/gestaoComunicacao.jsf = user
/page/colaboradores/habilidades.jsf = roles[admin_escritorioProjeto]
/page/colaboradores/nivelConhecimento.jsf = roles[admin_escritorioProjeto]
/page/colaboradores/assinaturaEmail.jsf = user

# Management
/page/agenda/painelGestao/painelGestao.jsf = roles[admin_agenda, gerente]
/page/agenda/gestaoAutorizacao/autorizacaoVisita.jsf = roles[admin_agenda, gerente] 
/page/agenda/rat/atendimentoEmAdamento.jsf = roles[admin_agenda, gerente]
/page/gerencia/atores.jsf = roles[admin_projeto]
/page/gerencia/controlePassagemAerea/** = roles[gerente]
/page/gerencia/pesquisa/acompanhamento.jsf = roles[gerente]
/page/gerencia/pesquisa/pesquisasRecusadas.jsf = roles[gerente]
/page/gerencia/pesquisa/** = roles[admin_pesquisa]
/page/gerencia/atendimentoTecnicoDialog.jsf = roles[gerente]
/page/gerencia/painel/painelGerencia.jsf = roles[gerente]
/page/gerencia/gestaoProjeto.jsf = roles[gerente, admin_projeto]
/page/gerencia/projetos/timeLine.jsf = roles[gerente, admin_projeto]
/page/gerencia/projetos/gestaoRecursos.jsf = roles[gerente, admin_projeto]
/page/gerencia/apartamentos.jsf = roles[admin_agenda, gerente]
/page/solicitacaoVisita/visitaDiagnostico.jsf = roles[gerente]
/page/gerencia/rdv/consultaRdv.jsf = roles[admin_rdv, coordenador_projeto]
/page/gerencia/elicitacao/** = roles[diagnostico_situacional, coordenador_projeto]
/page/gerencia/relatorio/** = roles[gerente, diretor]
/page/gerencia/escritorios.jsf = roles[gerente, diretor]
/page/plano/kanban.jsf = roles[gerente, coordenador_projeto, kanban]
/page/plano/acompanhamentoProjetosKanban.jsf = roles[gerente, coordenador_projeto, kanban]
/page/gerencia/monitorProjeto/monitorProjeto.jsf = roles[gerente, coordenador_projeto, monitor_projeto]
/page/gerencia/hotel.jsf = roles[admin_agenda, gerente]
/page/gerencia/reservaHotel.jsf = roles[admin_agenda, gerente]
/page/rpc/relatorioRPC.jsf = roles[gerente]
/page/agenda/rat/atendidosRat.jsf = roles[admin_agenda, gerente]

# Finance
/page/financeiro/** = roles[admin_financeiro]
/page/mensagemBoleto.jsf = roles[mensagem_boleto]

# HR
/page/rh/** = roles[rh]

# Services
/page/comunicados.jsf = user
/page/calendarioOficial.jsf = user
/page/comprovanteRendimentos.jsf = user
/page/consultaGastoUnimed.jsf = user
/page/demonstrativoPagamento.jsf = user
/page/sistema/leituraEmailBounce.jsf = roles[admin_sac]
/page/recadastramentoSenha.jsf = user
/page/envioEmail/envioEmail.jsf = roles[envio_email, admin_comercial, comercial]
# Note: Shiro applies the first matching chain, so this line is shadowed by
# "/page/rh/** = roles[rh]" above and the page still requires the rh role.
/page/rh/aniversariantesMes.jsf = user

# Site
/page/site/suporte.jsf = user
/page/site/gestaoSuporte.jsf = roles[moderador_suporte]
/page/permissao/permissaoUsuario.jsf = roles[admin_permissao] 
/page/site/emailPendente.jsf = roles[admin_agenda, admin_sac, admin_capacitacao, admin_comercial, admin_rdv]
/page/site/dbs.jsf = roles[site]
/page/site/imagemPopUp.jsf = roles[site]
/page/site/cadastroComunicado.jsf = roles[site]
/page/site/cadastroCliente.jsf = roles[cadastro_cliente]
/page/site/cadastroColaborador.jsf = roles[cadastro_colaborador]
/page/startTestServer.jsf = user
/page/site/cadastroComunicadoSgh.jsf = roles[comunicado_sgh]

###########
# Support #
###########
# RAT lookup
/page/agenda/rat/consultaRat.jsf = roles[atendente, gerente, tecnico, coordenador_projeto]

# Phone support
/page/servico/classificacaoAtendimento.jsf = roles[admin_sac]
/page/servico/produto.jsf = roles[admin_produto, admin_comercial, comercial]
/page/teleSuporte/bancoInformacoes/** = roles[supervisor]
/page/teleSuporte/informacaoProvisoriaCliente/informacaoProvisoriaCliente.jsf = roles[supervisor, informacoes_provisorias_cliente]
/page/teleSuporte/relatoriosSacweb.jsf = roles[supervisor]
/page/teleSuporte/finalizarAtendimento.jsf = roles[supervisor]
/page/teleSuporte/indicadores.jsf = roles[supervisor]
/page/teleSuporte/historicoSacweb.jsf = user
/page/teleSuporte/sacwebEmailGerente.jsf = roles[gerente]
/page/teleSuporte/geracaoPacoteDialog.jsf = user
/page/teleSuporte/** = user
/page/sistema/** = roles[admin_sac]

/page/upload/fileUploadDialogCliente.jsf = roles[atendente]
/template/fileUploadDialog.jsf = user

# Você on-line
/page/atendimento/atendimento.jsf = user
/page/atendimento/cadastroAtendente.jsf = roles[admin_sac]
/page/atendimento/monitoria.jsf = roles[admin_sac]
/page/atendimento/** = roles[atendente, admin_sac]

# Home Office
/page/teleTrabalho/cadastroImpressaoDigital.jsf = roles[admin_biometria]
/page/teleTrabalho/marcacaoPonto.jsf = roles[biometria]
/page/teleTrabalho/relatorioPonto.jsf = roles[admin_biometria]
/page/solicitacaoVisita/solicitacaoVisita.jsf = user
/page/solicitacaoVisita/acompanhamentoSolicitacaoVisita.jsf = roles[gerente]

###############
# Technicians #
###############
# Agenda
/page/agenda/atendimentoEscritorio.jsf = roles[atendimento_escritorio, gerente]
/page/agenda/cadastroReservaVeiculo.jsf = roles[reserva_veiculo, gerente]
/page/agenda/painelVeiculos/painelVeiculos.jsf = roles[reserva_veiculo, gerente]
/page/agenda/pesquisa.jsf = roles[admin_agenda]
/page/agenda/localizacao.jsf = roles[admin_agenda, agenda, tecnico]
/page/agenda/** = roles[admin_agenda, tecnico, coordenador_projeto]

## Vehicles ##
/page/servico/modeloVeiculo.jsf = roles[admin_veiculo]
/page/servico/veiculo.jsf = roles[admin_veiculo]

# Updates
/page/download/download.jsf = roles[atualizacoes, tecnico, coordenador_projeto]
/page/atualizacaoSus/gerenciamento.jsf = roles[atualizacao_sus]
/page/atualizacaoSus/gerenciamentoAtualizacaoSus.jsf = roles[atualizacao_sus]
/page/atualizacaoSus/download.jsf = roles[atualizacoes, tecnico]
/page/atualizacaoSus/downloadAtualizacaoSus.jsf = roles[atualizacoes, tecnico, coordenador_projeto]
/page/senhaCliente.jsf = roles[atualizacoes, tecnico, coordenador_projeto]

# Action plan
/page/plano/plano.jsf = roles[tecnico, admin_plano, gerente, coordenador_projeto]
/page/plano/** = roles[admin_plano, gerente, coordenador_projeto]

# Reports
/page/perfilCliente.jsf = roles[tecnico, perfil_cliente]

# Requests
/page/solicitacaoServico/** = roles[tecnico, solicitacao_servico, coordenador_projeto]

# Internal task
/page/tarefaInterna/visualizacaoTarefaInterna.jsf = user

# Report generator
/page/cadastroRelatorio.jsf = roles[tecnico, gerente, gerador_relatorio]

# Dialogs
/dialogs/** = user
###############################################################################

# Prevents unmapped pages from being accessed (catch-all; Shiro uses the
# first matching chain, so this must remain the last entry)
/page/** = roles[admin]

2017-11-02 8:16 GMT-02:00 malbinola <[hidden email]>:


Re: Sessions and Tomcat versioning

malbinola
Thanks Felipe...
After checking the relevant parts of your shiro.ini, I think that our
issue is related to the use of Shiro's native sessions.
It seems that using DefaultWebSessionManager blinds Tomcat completely,
preventing it from understanding the real session distribution over the
webapp's instances.
In fact, if I look into the Tomcat Manager application, all session counters
remain at 0.

Is there any way (maybe extending the DefaultWebSessionManager) to inform
Tomcat about shiro session management?




Re: Sessions and Tomcat versioning

Brian Demers

Is there any way (maybe extending the DefaultWebSessionManager) to inform
Tomcat about shiro session management?


If you want to use Tomcat (or other servlet container’s sessions) use ‘ServletContainerSessionManager’ instead:

https://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/session/mgt/ServletContainerSessionManager.html



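The change Brian points to, worked through against the shiro.ini from the first post, as an added example that is not part of the thread. It also accounts for the symptom: Tomcat implements parallel deployment by matching the session ID from the JSESSIONID cookie (or URL) against each deployed version's session Manager and routing a request whose session belongs to an older version back to that version; a request with no recognised session goes to the newest version. DefaultWebSessionManager keeps its sessions in its own cookie (wtSessionId) and, by default, in a MemorySessionDAO private to one webapp instance, so Tomcat never sees a session it knows, sends every request to app##02, and app##02's empty session store makes every user anonymous. ServletContainerSessionManager wraps the container's HttpSession instead, which puts JSESSIONID back in play. The web.xml values in the comments are assumptions.

```ini
[main]
# Added example, not the thread's own config.
#
# Before (the original [main]): native Shiro sessions, invisible to Tomcat.
# Under parallel deployment every request lands on the newest version and
# the wtSessionId it carries cannot be found there.
#
#   cookie = org.apache.shiro.web.servlet.SimpleCookie
#   cookie.name = wtSessionId
#   cookie.path = /
#   sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#   sessionManager.sessionIdCookie = $cookie
#   securityManager.sessionManager = $sessionManager
#   securityManager.sessionManager.sessionIdCookieEnabled = true
#   securityManager.sessionManager.sessionIdUrlRewritingEnabled = false
#   securityManager.sessionManager.globalSessionTimeout = 900000
#   securityManager.sessionManager.sessionListeners = $sessionListener
#
# After: Shiro's Session is a thin wrapper around Tomcat's HttpSession, so the
# JSESSIONID cookie and the per-version Manager that parallel deployment
# relies on are used again. This is also DefaultWebSecurityManager's default
# when no sessionManager is configured, so the two lines could simply be
# deleted; they are spelled out here to make the choice explicit.
sessionManager = org.apache.shiro.web.session.mgt.ServletContainerSessionManager
securityManager.sessionManager = $sessionManager

# None of the commented-out properties exist on ServletContainerSessionManager;
# leaving any of them in place fails at startup with a configuration error.
# Their equivalents move to the container (web.xml; values are assumptions):
#
#   <session-config>
#     <!-- minutes; replaces globalSessionTimeout = 900000 ms -->
#     <session-timeout>15</session-timeout>
#     <cookie-config>
#       <http-only>true</http-only>
#       <secure>true</secure>
#     </cookie-config>
#   </session-config>
#
# and ShiroSessionListener has to be reimplemented as a
# javax.servlet.http.HttpSessionListener registered in web.xml or via
# @WebListener, since this manager has no sessionListeners property.

cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

realm = com.sonicle.webtop.core.shiro.WTRealm
securityManager.realms = $realm

authc = com.sonicle.webtop.core.shiro.WTFormAuthFilter
authc.loginUrl = /login
authc.successUrl = /
authc.usernameParam = wtusername
authc.passwordParam = wtpassword
authc.rememberMeParam = wtrememberme
authc.failureKeyAttribute = loginFailure
```

With this in place each app## version keeps its own Manager, so users of app##01 stay on app##01 until that version is undeployed, and the session counters in the Tomcat Manager application (which count HttpSessions, hence the zeros reported earlier in the thread) become meaningful again. Brian's option 2, keeping DefaultWebSessionManager but backing its SessionDAO with a cache shared outside the webapp, would let app##02 resolve app##01's wtSessionId values, but Tomcat would still see no JSESSIONID and route every request to the newest version; that is a migration of all users to the new build, not parallel deployment.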

Re: Sessions and Tomcat versioning

malbinola
Brian Demers wrote
> If you want to use Tomcat (or other servlet container’s sessions) use
> ‘ServletContainerSessionManager’ instead:
>
> https://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/session/mgt/ServletContainerSessionManager.html

You are right Brian, but on one hand we don't want to compromise future
benefits related to generic (I mean not container-specific) clustering or
enterprise-caching configurations.
On the other hand we appreciate the single configuration point of the
shiro.ini file; using the container's sessions means using Tomcat-specific
configuration options in context.xml.
We would like to have our cake and eat it too.

Anyway, the purpose of my question is only to understand if there is a
chance to use Tomcat's parallel deployment in conjunction with Shiro's
native sessions, and/or maybe to obtain some advice on how to achieve our
goal. Any thoughts?

In our webapp we make use of websockets, and the current implementation is
able to associate multiple websocket channels (e.g. in the case of two
browser tabs) with the same session of the logged-in user.
If eventually we decide to go back to ServletContainerSessionManager, could
we have some problems or something to keep in mind with this kind of
situation?

Thank you,
Matteo




Re: Sessions and Tomcat versioning

Brian Demers
Hey Matteo!

You basically have two main options:

1.) Use the native container sessions.  This allows you to use any of the container's clustering techniques you want (it's just standard servlet sessions).
2.) Use the DefaultWebSessionManager.  You can configure your session management (and clustering) outside of your container (in your Shiro config). Out of the box you could use EhCache, Hazelcast, etc.


On Fri, Dec 1, 2017 at 4:16 AM, malbinola <[hidden email]> wrote:

Re: Sessions and Tomcat versioning

gbulfon
Hello,

the versioning feature of Tomcat (parallel deployment) is too important for
our live deployments.
This was usual practice for us while deploying WebTop4, using the native
container session manager.

With WebTop5 we need the best of both worlds, and to achieve this I bet we
need some kind of hybrid session manager implementing both the native
container session manager and the default native Shiro session manager: this
would allow us to have both classic JSESSIONID management on Tomcat (making
it work on parallel deployments) and a native Shiro session to work with
our websockets management and REST APIs.

We may invest in the development of such a hybrid manager, but we need some
help on how to achieve this. We would contribute the final result,
obviously.

Can anyone help?

Gabriele




Re: Sessions and Tomcat versioning

Brian Demers
Gabriele, this might be best for a separate thread.

My take on this is you don't need a hybrid session manager; you would still use one or the other (it sounds like in your case you would want to use your container's sessions).
Depending on what async lib you are using, you may just need to configure how those threads are executed; typically you just need to associate the thread with the current Subject.

Put together a sample app of what you are trying to do and we should be able to point you in the right direction!

-Brian



On Mon, Jan 15, 2018 at 8:32 AM, gbulfon <[hidden email]> wrote:
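What Brian's last reply amounts to in code, as an added example that is not from the thread or from the WebTop project: keep ServletContainerSessionManager and, instead of a hybrid session manager, carry the Subject that the ShiroFilter bound during the websocket handshake onto the container threads that later deliver messages, using Shiro's Subject.execute(Runnable). It assumes Shiro 1.4, JSR-356 (javax.websocket) on Tomcat with ShiroFilter mapped to /* so the HTTP upgrade request passes through it, and that the container gives each connection its own copy of the endpoint's user properties (Tomcat does). The package, endpoint path, permission string and message format are hypothetical.

```java
package example.ws; // hypothetical package; not WebTop code

import java.io.IOException;
import java.io.UncheckedIOException;
import javax.websocket.CloseReason;
import javax.websocket.EndpointConfig;
import javax.websocket.HandshakeResponse;
import javax.websocket.OnMessage;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.HandshakeRequest;
import javax.websocket.server.ServerEndpoint;
import javax.websocket.server.ServerEndpointConfig;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.subject.Subject;

/** Added example: a websocket endpoint that reuses the Subject bound by the ShiroFilter. */
@ServerEndpoint(value = "/ws/notifications", // hypothetical path
        configurator = NotificationEndpoint.ShiroHandshakeConfigurator.class)
public class NotificationEndpoint {

    static final String SUBJECT_KEY = "shiro.subject";

    /**
     * The HTTP upgrade request runs through the servlet filter chain, so on this
     * thread SecurityUtils.getSubject() is the Subject the ShiroFilter built from
     * the JSESSIONID-backed HttpSession. Stash it for the websocket threads.
     */
    public static class ShiroHandshakeConfigurator extends ServerEndpointConfig.Configurator {
        @Override
        public void modifyHandshake(ServerEndpointConfig config, HandshakeRequest request,
                                    HandshakeResponse response) {
            config.getUserProperties().put(SUBJECT_KEY, SecurityUtils.getSubject());
        }
    }

    private Subject subject;

    @OnOpen
    public void onOpen(Session session, EndpointConfig config) throws IOException {
        subject = (Subject) config.getUserProperties().get(SUBJECT_KEY);
        // A [urls] chain only gates the upgrade if the endpoint path is mapped to
        // one, so the endpoint enforces authentication itself.
        if (subject == null || !subject.isAuthenticated()) {
            session.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY, "not authenticated"));
        }
    }

    @OnMessage
    public void onMessage(String text, Session session) throws IOException {
        try {
            // Fail fast if Tomcat has invalidated the HttpSession behind this Subject
            // (logout, timeout, or the old app## version being undeployed).
            org.apache.shiro.session.Session shiroSession = subject.getSession(false);
            if (shiroSession == null) {
                throw new InvalidSessionException("no session");
            }
            shiroSession.touch();
            // Message callbacks run on container threads with no Subject bound;
            // execute() binds the handshake Subject to this thread for the work.
            subject.execute(() -> handle(text, session));
        } catch (InvalidSessionException e) {
            session.close(new CloseReason(CloseReason.CloseCodes.GOING_AWAY, "session expired"));
        } catch (AuthorizationException e) {
            session.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY, "forbidden"));
        }
    }

    /** Runs with the Subject bound: the same checks as in a servlet work here. */
    private void handle(String text, Session session) {
        Subject current = SecurityUtils.getSubject(); // same object as this.subject
        current.checkPermission("notifications:read"); // hypothetical permission string
        try {
            session.getBasicRemote().sendText(current.getPrincipal() + ": " + text);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
}
```

Two browser tabs of the same user produce two endpoint instances holding Subjects that wrap the same HttpSession, which is the multi-channel association Matteo described, with no second session store involved; because the session is Tomcat's, the connection also stays with the app## version that created it. The touch() before execute() is the check a practitioner wants here: a Subject object captured at handshake time outlives a logout or timeout, and without it a stale channel would only fail when the message handler first touches the session.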