Time  Nick     Message
16:16 pdurbin  semiosis: can I show you my Java session problem?
16:17 semiosis um, ok
16:18 pdurbin  [dvn-auth] Fwd: User sessions mixed up when Java app deployed to Glassfish is fronted with Apache httpd - https://lists.iq.harvard.edu/pipermail/dvn-auth/2014-October/000020.html
16:29 semiosis pdurbin: you have exactly one apache/glassfish server?  or are there more than one?
16:32 pdurbin  exactly one. all on the same box
16:37 semiosis pdurbin: experiment... what if you use http instead of ajp for the apache-glassfish connection?
16:37 pdurbin  yeah, that's what's being suggested here: http://shibboleth.net/pipermail/users/2014-October/017895.html
16:38 pdurbin  maybe AJP is buggy in Glassfish. dunno
16:38 semiosis tbh, more likely our understanding of AJP is buggy :)
16:38 pdurbin  in the post it sounds like using mod_proxy_http is less secure
16:39 semiosis well, it's localhost
16:39 pdurbin  semiosis: amen to that. I just want something that works
16:39 semiosis ajp is more performant
16:39 pdurbin  ok
16:40 pdurbin  "Yes, I'm suggesting if the issue turns out to be AJP (or to rule that out), you can do what WebLogic does, and use a reverse HTTP proxy in Apache to do the front-ending. You switch the ajp:// forwards to http:// or https:// forwards, and use headers to pass the attribute data in."
16:40 pdurbin  I guess it's something to try.
16:40 semiosis also beware, with http proxying you need to enable ProxyPreserveHost -- http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypreservehost
16:40 semiosis this is automagic with ajp
16:40 semiosis well, you may not *need* to, but it's probably a good idea
16:40 pdurbin  so hard to reproduce this bug reliably though. things will be fine for a few hours or days and then suddenly sessions start getting scrambled.
16:41 semiosis oh that's very interesting
16:42 pdurbin  yeah. you restart glassfish and httpd and the problem goes away for a while
16:42 pdurbin  semiosis: thanks for the tip about ProxyPreserveHost
16:42 semiosis yw
16:43 semiosis also note, with http proxying your remoteip will be localhost, whereas with ajp glassfish would see the true remote ip
16:43 semiosis i think apache will put the remote ip in the XForwardedFor header
16:43 pdurbin  hmm. that's a problem. we have a mandate to support IP groups
16:43 semiosis tomcat has a RemoteIPValve to address this situation, https://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
16:44 semiosis idk how that works on glassfish though
16:44 semiosis the tomcat remoteip valve reads the xforwardedfor & xforwardedproto and sets the request remote IP & security
16:44 pdurbin  Whither IP Groups? - Google Groups - https://groups.google.com/forum/#!msg/dataverse-community/hQO1UDMa-yY/GlhMVIbYR_8J
16:44 pdurbin  ok
16:45 semiosis for example, our AWS ELBs handle SSL, and set those two headers, which tomcat then reads so our java app thinks it has a real HTTPS connection to RemoeIP
16:45 semiosis remember I said our old system had a lot of wizardry?
16:45 pdurbin  :)
16:45 semiosis this is part of it
16:45 pdurbin  so you can see the real remote ip, which is good
16:46 semiosis apache 2.4 has mod_remoteip, which i look forward to using in the very near future
16:47 pdurbin  hmm. ok
16:54 semiosis pdurbin: where are your sessions stored?  in glassfish & apache?  or just glassfish?
16:56 semiosis in any case, try lowering your session timeouts to something really short... one minute maybe.  i suspect that will either solve or exacerbate the problem.
17:02 pdurbin  both? dunno
17:03 semiosis well, i'm pretty sure apache itself doesnt do sessions, although mod_shib may
17:04 semiosis look at the cookies your client gets
17:04 semiosis that'll tell you
18:23 semiosis yes! http://speling.shemnon.com/blog/2014/09/12/maven-javafx-plugin-8-dot-1-released/
18:29 pdurbin  even when I see the username change in the corner of the app, the JSESSIONID in the cookie is the same (using livehttpheaders in firefox)
18:30 semiosis well
18:30 semiosis the plot thickens
18:38 pdurbin  the cookie crumbles
18:51 semiosis pdurbin: did you switch to http?
18:52 pdurbin  not yet
18:53 semiosis starting to think some bean is being reused between requests without being reinitialized from the new request/session
18:53 semiosis or perhaps a singleton object
18:54 semiosis maybe AJP is confusing the request handler because the connection stays up
18:54 semiosis wild theory
18:55 pdurbin  semiosis: did you see the thing about beans at http://shibboleth.net/pipermail/users/2014-October/017885.html ?
18:57 semiosis not until now
18:58 pdurbin  semiosis: switching "ProxyPass / ajp://localhost:8009/" to "ProxyPass / http://localhost:8080/" works in that I can still get at the app. Not sure if it will fix the problem or not.
18:59 semiosis how about the remoteip issue?  unless you sort that out everyone will appear as localhost to java
18:59 pdurbin  yeah, will need to figure that out
20:50 pdurbin  doesn't "just work" with my shib code. and there are security implications of using request headers: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess
21:15 semiosis pdurbin: why couldn't you do shibboleth in java?
21:17 semiosis imho, making a java app depend on apache is an antipattern
21:17 semiosis having been there & done that myself
23:48 pdurbin  semiosis: about a year ago (!) I tried using a pure Java solution for Shibboleth/SAML: OIOSAML which is based on OpenSAML: https://lists.iq.harvard.edu/pipermail/dvn-auth/2013-October/000002.html
23:52 pdurbin  but I had all kinds of trouble with it: Investigate use of standard JAXP in OpenSAML 3.0?, was Re: Deploy Shib2 IdP in Glassfish 3 - http://shibboleth.net/pipermail/users/2013-November/012900.html