The Blog
Tomcat secure sessions with AJP and HTTP protocols using Apache proxy balancer
published May 20, 2011
During this week I have been digging into the Apache JServ Protocol (AJP) and how Apache uses it to communicate with Tomcat. In particular, I have been interested in how SSL works in different Tomcat connector setups. Once again, in hindsight everything is so clear, but I had many desperate moments during these days :) Anyway, you should first check the mod_proxy balancer configuration and the AJP protocol documentation.
Basically, I have tried two different solutions:
1) Apache proxy balancer using HTTP
# ROUTEID is not set by Tomcat; the balancer has to issue the cookie itself.
# This is the stock directive from the mod_proxy_balancer documentation.
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://liferaycluster>
BalancerMember http://node1 route=node1
BalancerMember http://node2 route=node2
ProxySet stickysession=ROUTEID
</Proxy>
2) Apache proxy balancer using AJP
# Needs the same ROUTEID Set-Cookie directive as the HTTP variant.
<Proxy balancer://liferaycluster>
BalancerMember ajp://node1 route=node1 ping=3
BalancerMember ajp://node2 route=node2 ping=3
ProxySet stickysession=ROUTEID
</Proxy>
The benefit of AJP is the “ping” setting: before forwarding a request, Apache sends an AJP CPing to the member and waits up to that many seconds for the CPong, so a Tomcat that is down or hung is put into error state and the balancer routes around it. Things become trickier on the Tomcat connector side when you check whether JSESSIONID ends up with the Secure attribute or not. For an HTTP connector you can declare the connector secure like so:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="false" scheme="https" secure="true" proxyPort="443"/>
But if you define connector with AJP protocol:
<Connector port="8443" protocol="AJP/1.3" SSLEnabled="false" scheme="http" secure="false" proxyPort="443"/>
the “secure” setting has no effect on the JSESSIONID cookie. It does, however, affect the return value of “ServletRequest.isSecure()”. Go figure.
It seems that the AJP protocol carries a boolean value telling whether the initial connection to Apache was secure or not, and that value is passed on to Tomcat, which uses it when creating the user session cookie.
If you need an AJP setup where JSESSIONID should not carry the Secure attribute even though the initial connection came over HTTPS, you can hack it in Apache with mod_headers and strip the attribute from the cookie like so:
# Header edit takes the header name first and matches on its value;
# "$1" keeps everything before "; Secure", later attributes stay untouched.
Header edit Set-Cookie "^(JSESSIONID=.*);\s*Secure\b" "$1"
This replaces the Secure attribute of the JSESSIONID cookie with nothing. It is not the cleverest thing to do: without Secure the browser also sends the session cookie over plain HTTP, so anyone who can read that traffic can copy the cookie and hijack the session.
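The mechanism behind that observation, as an added example that is not code from Apache httpd or Tomcat: the AJP13 forward-request packet that mod_proxy_ajp sends to Tomcat carries an is_ssl byte, set from the client-facing connection (so it is 1 behind a :443 virtual host even though the Apache-to-Tomcat hop itself is plain TCP), and Tomcat takes the request's secure state from that byte. The packet layout follows the AJP13 specification; the host names, URI, port and session id below are made up.

```python
"""AJP13 forward request round trip, showing where the is_ssl flag lives.

Added example, not code from Apache httpd or Tomcat. The layout follows the
AJP13 specification: magic 0x1234, 2-byte length, prefix code 2 for a
forwarded request, strings as 2-byte length + bytes + NUL (0xFFFF = null).
Host names, URI, port and session id below are made up.
"""
import struct

MAGIC_TO_CONTAINER = b"\x12\x34"      # direction: proxy -> Tomcat
PREFIX_FORWARD_REQUEST = 2
REQUEST_TERMINATOR = 0xFF
METHOD_CODES = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
METHOD_NAMES = {code: name for name, code in METHOD_CODES.items()}


def _enc_string(s):
    if s is None:
        return b"\xff\xff"
    data = s.encode("latin-1")
    return struct.pack(">H", len(data)) + data + b"\x00"


def _dec_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if n == 0xFFFF:
        return None, pos
    return buf[pos:pos + n].decode("latin-1"), pos + n + 1   # +1 skips the NUL


def build_forward_request(method, uri, remote_addr, server_name, server_port,
                          is_ssl, headers=None):
    """Encode a request the way the proxy side does.

    mod_proxy_ajp sets is_ssl from the client-facing connection, so it is 1
    behind a :443 virtual host even though the Apache->Tomcat hop is plain TCP.
    """
    body = bytes([PREFIX_FORWARD_REQUEST, METHOD_CODES[method]])
    body += _enc_string("HTTP/1.1")
    body += _enc_string(uri)
    body += _enc_string(remote_addr)
    body += _enc_string(None)                 # remote_host: not resolved
    body += _enc_string(server_name)
    body += struct.pack(">H", server_port)
    body += bytes([1 if is_ssl else 0])       # the flag the post is about
    headers = headers or {}
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():
        body += _enc_string(name) + _enc_string(value)   # plain (non-coded) names
    body += bytes([REQUEST_TERMINATOR])
    return MAGIC_TO_CONTAINER + struct.pack(">H", len(body)) + body


def parse_forward_request(packet):
    """Decode the packet as the container side does; returns a dict."""
    if packet[:2] != MAGIC_TO_CONTAINER:
        raise ValueError("bad AJP magic")
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated AJP packet")
    if body[0] != PREFIX_FORWARD_REQUEST:
        raise ValueError("not a forward request")
    req = {"method": METHOD_NAMES[body[1]]}
    pos = 2
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field], pos = _dec_string(body, pos)
    (req["server_port"],) = struct.unpack_from(">H", body, pos)
    pos += 2
    req["is_ssl"] = body[pos] != 0
    pos += 1
    (num_headers,) = struct.unpack_from(">H", body, pos)
    pos += 2
    headers = {}
    for _ in range(num_headers):
        if body[pos] == 0xA0:   # coded common header name; the encoder above never emits these
            raise ValueError("coded header names not handled in this example")
        name, pos = _dec_string(body, pos)
        headers[name], pos = _dec_string(body, pos)
    req["headers"] = headers
    return req


def session_cookie_for(req, session_id="0123456789ABCDEF"):
    """What the post observed: Secure follows is_ssl from the packet, not the
    AJP connector's secure="..." attribute."""
    cookie = f"JSESSIONID={session_id}; Path=/; HttpOnly"
    return cookie + "; Secure" if req["is_ssl"] else cookie
```

To check a real setup, compare the Set-Cookie header that comes back through the proxy with what you expect for the front-end scheme: behind an HTTPS virtual host the JSESSIONID cookie should carry Secure, and if it does not, something between mod_proxy_ajp and the connector is dropping it.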
One click deployment to clustered Liferay with Jenkins
published April 27, 2011
During the last year we have built a pretty cool one-click deployment system with Jenkins. The environment was created little by little, but when the decision was made to cluster Liferay and, in addition, to serve our 15,000 lines of JavaScript code from Apache, it was pretty clear that manual installations would be a pain. So we built an environment like this:
A developer initiates (1) the portlet build from the Jenkins CI GUI. Jenkins runs (2) the Ant build, unit tests and Selenium tests, and builds multiple war packages. If the build is successful, Jenkins first copies (3) our JavaScript framework to Apache and then deploys (4) the portlet wars to the clustered Liferay environment. All this with one click.
The configuration is pretty simple: the copy steps run as one shell build step, in order, and the step aborts as soon as one script fails (chaining them with “;” would carry on deploying to the next node after a failure):
set -e
./deployFrameworkToApache.sh
./deployPortletsToNode1.sh
./deployPortletsToNode2.sh
I have to give credit to Jenkins, it is really easy to configure.
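As an added example that is not the blog's own Jenkins job (the node directories, file names and sample war are made up), here is the ordering and integrity check a security engineer would want in steps (3) and (4): each node is deployed only after the previous one succeeded, and every copy is verified against the digest recorded at build time before the next node is touched.

```python
"""Ordered deployment of one build artifact to cluster nodes.

Added example, not the blog's Jenkins job scripts. Nodes are directories
here so it runs offline; a real job would copy to each node's Liferay deploy
directory over ssh instead. Paths and the sample artifact are made up.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Digest of a file, read in chunks so a large war is not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def deploy_in_order(artifact, expected_sha256, node_dirs):
    """Copy the artifact to each node in turn and verify every copy.

    Unlike three scripts chained with ';', this stops at the first failure,
    and it refuses to ship a file whose digest differs from the one the
    build step recorded. Returns the names of nodes that got a verified copy.
    """
    artifact = Path(artifact)
    if sha256_of(artifact) != expected_sha256:
        raise ValueError(f"{artifact.name}: digest does not match the build record")
    deployed = []
    for node in map(Path, node_dirs):
        if not node.is_dir():
            raise RuntimeError(f"node {node} unavailable; deployed so far: {deployed}")
        target = node / artifact.name
        shutil.copyfile(artifact, target)
        if sha256_of(target) != expected_sha256:
            target.unlink()
            raise RuntimeError(f"copy to {node} is corrupt; deployed so far: {deployed}")
        deployed.append(node.name)
    return deployed


def demo():
    """Build a throwaway artifact and two node directories, then deploy.

    Returns (nodes deployed on the good run, error text from a run with a
    missing node, error text from a run with a tampered artifact).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        war = tmp / "portlets.war"
        war.write_bytes(b"PK\x03\x04 constructed war content")   # not a real zip
        node1, node2 = tmp / "node1", tmp / "node2"
        node1.mkdir()
        node2.mkdir()
        recorded = sha256_of(war)          # what the build step would record

        ok = deploy_in_order(war, recorded, [node1, node2])

        try:
            deploy_in_order(war, recorded, [node1, tmp / "node3"])
            missing = None
        except RuntimeError as e:
            missing = str(e)

        war.write_bytes(b"PK\x03\x04 tampered after the build")
        try:
            deploy_in_order(war, recorded, [node1, node2])
            tampered = None
        except ValueError as e:
            tampered = str(e)
        return ok, missing, tampered
```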
The tale of the catching team
published September 10, 2010
Have you ever been in a situation where a software project starts with a clear roadmap and the beginning goes very well? Then, after a while, the “easy” parts of the software are done and suddenly new features are harder to implement because the future plans are not clear enough.
It is almost like the story of the tortoise and the hare. The role of the hare is played by the product owner, the tortoise by the Scrum team. If the product owner has other responsibilities or the vision is not clear, we might end up in a situation where the team “catches up”. Suddenly confusion increases because the team is not sure what to do next or how to do it. The role of the hare can also be played by another system that the team is trying to integrate with. If both “client and server” are developed simultaneously, the client code can be ready before the server, which will hinder final testing.
The advice “Just make sure everything is ready enough when implementation starts” is very easy to give, but harder to put into practice. You should, however, be aware of this if you want to avoid “the tale of the catching team” ;)
EXT JS, jQTouch and Raphaël joining forces.
published June 18, 2010
This combination sounds very interesting. We are working with Ext JS, and I feel strong momentum behind HTML5 applications. The new company is called Sencha, and they already have an HTML5-based JavaScript framework built for iOS and Android devices. There is definitely a need for this, and frameworks like it will help us build exciting new applications.
mod_rewrite 101
published May 11, 2010
mod_rewrite is a popular Apache module for rewriting URLs and making redirects. I decided to write a small introduction to it, since I had to configure it on a project test server. The reason we are using it is our upcoming release, in which we need to forward our customers to a new Liferay community instead of the default /web/guest.
So, after the rewrite engine is turned on in the Apache configuration, it filters all matching requests and applies the rules to them. A request is passed through this chain of rules; when a rule matches, Apache either rewrites the URL internally or, with the [R] flag, sends a redirect to the client.
mod_rewrite’s workhorses are the RewriteRule and RewriteCond directives, which are used to build the rule chain. Processing works like this:
1) Config files and .htaccess files are parsed for RewriteRules from top to bottom.
2) The first RewriteRule is selected and the request’s URL path is compared against the RewriteRule’s pattern.
3) If it matches and RewriteCond directives precede the rule, those conditions are tested against the request.
4) If the conditions match too, the substitution is applied: the request is rewritten internally, or an external redirect to the new URL is sent when the [R] flag is set or the target is on another host.
5) If there was no match, the request is passed on to the next RewriteRule in the chain, if one exists; the [L] flag stops processing after a rule that matched.

Configurations
Below is a simple configuration for a redirect (Apache 2.2 directives):
# Turn on rewrite engine processing
RewriteEngine On
# Write log here (2.2 only; Apache 2.4 uses "LogLevel rewrite:trace8" instead)
RewriteLog /var/log/httpd/rewrite.log
# Log everything; level 9 is for debugging only, it is slow and fills the disk
RewriteLogLevel 9
# With the default UseCanonicalName Off, %{SERVER_NAME} comes from the client's
# Host header, so the redirect target follows whatever host the client sends.
# Set UseCanonicalName On (or write the host name in the rule) if that matters.
# Redirect context root to new community /web/new/
# [R=301] makes it an external, permanent redirect (a same-host absolute URL
# without [R] is only rewritten internally); [L] stops the chain here
RewriteRule ^/$ http://%{SERVER_NAME}/web/new/ [R=301,L]
# Do not allow access to old /web/guest
RewriteRule ^/web/guest(.*)$ http://%{SERVER_NAME}/web/new/ [R=301,L]
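A dry run of the two rules above, as an added example that is not mod_rewrite's own code (host names are made up): it models a RewriteRule pattern, a substitution containing %{SERVER_NAME} or $N back-references, and the [R] and [L] flags, and with the default UseCanonicalName Off it takes SERVER_NAME from the request's Host header, as httpd does. That is enough to show two things the bare rules hide: without [R] a same-host absolute URL is only rewritten internally, and with [R] the redirect target follows whatever Host header the client sends unless a canonical name is configured.

```python
"""Dry-run model of a mod_rewrite rule chain.

Added example; this is not mod_rewrite's own code. It models just what the
post uses: a RewriteRule pattern, a substitution with %{SERVER_NAME} and
$1..$9, and the [R] and [L] flags. SERVER_NAME is taken from the client's
Host header unless a canonical name is given (UseCanonicalName Off vs On).
Host names used below are made up.
"""
import re

ABS_URL = re.compile(r"^(https?)://([^/]+)(/.*)?$")


class RewriteRule:
    def __init__(self, pattern, substitution, flags=()):
        self.pattern = re.compile(pattern)
        self.substitution = substitution
        self.flags = set(flags)


def _expand(template, match, server_name):
    """Fill in %{SERVER_NAME} and $1..$9 from the pattern match."""
    out = template.replace("%{SERVER_NAME}", server_name)
    return re.sub(r"\$([1-9])", lambda m: match.group(int(m.group(1))) or "", out)


def rewrite(rules, path, host, canonical_name=None):
    """Run the chain on one request.

    Returns ("redirect", location) when an external redirect would be sent,
    or ("rewrite", path) for the path the request ends up at internally.
    """
    server_name = canonical_name or host   # UseCanonicalName On / Off
    kind, current = "rewrite", path
    for rule in rules:
        m = rule.pattern.search(current)
        if not m:
            continue
        target = _expand(rule.substitution, m, server_name)
        abs_url = ABS_URL.match(target)
        if "R" in rule.flags or (abs_url and abs_url.group(2) != server_name):
            # [R], or an absolute URL pointing at another host: external redirect
            kind, current = "redirect", target
        elif abs_url:
            # absolute URL for the host httpd considers its own, and no [R]:
            # scheme and host are stripped and processing continues with the
            # path, i.e. an internal rewrite
            kind, current = "rewrite", abs_url.group(3) or "/"
        else:
            kind, current = "rewrite", target
        if "L" in rule.flags:
            break
    return kind, current


# The post's rules with the flags they need to actually send a redirect.
RULES = [
    RewriteRule(r"^/$", "http://%{SERVER_NAME}/web/new/", flags=("R", "L")),
    RewriteRule(r"^/web/guest(.*)$", "http://%{SERVER_NAME}/web/new/", flags=("R", "L")),
]

# The same rules without any flags: same-host targets become internal rewrites.
RULES_NO_FLAGS = [
    RewriteRule(r"^/$", "http://%{SERVER_NAME}/web/new/"),
    RewriteRule(r"^/web/guest(.*)$", "http://%{SERVER_NAME}/web/new/"),
]
```

Calling rewrite(RULES, "/", "attacker.example") shows the Host-header point: the Location the client would receive is built from the attacker-supplied host, whereas passing canonical_name="www.example.org" pins it to the server's own name.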
There is a lot more you can do with this module; check it out.