Error in clustered environment - SSPAuthentication not serializable

Jan 12, 2011 at 3:36 PM

If I use tomcatspnego with the <distributable/> setting in web.xml, which requires that all session variables are serializable, I get an error as follows:

java.lang.IllegalArgumentException: setAttribute: Non-serializable attribute

This is caused because the class SSPAuthentication does not implement Serializable.

Are there plans to make the objects to be placed in the session serializable so that they can be used in a clustered environment?

If I modify the code by making all the necessary classes serializable will I run into further problems because tomcatspnego is coded only for a non-clustered environment?

Coordinator
Jan 12, 2011 at 4:32 PM
Edited Jan 12, 2011 at 6:49 PM

Hello,

  • If the browser chooses Kerberos, SSPAuthenticator is not set in a session.
  • With NTLM, there is more than one exchange between the browser and tomcat, so, in this case, you MUST be on the same computer. You must use a sticky session.

To use Kerberos with many servers, tomcat cannot use the account SYSTEM or NETWORK Service. You must use a new account used by all the services. All the Tomcat services must be running with this same account, and you must add a Service Principal Name to this account:

If the DNS name of your cluster is tomcatappli.mydomain.net and the account used is MYDOMAIN\tomcatsvc, you must add the SPN http/tomcatappli.mydomain.net to the account.
The command line is:
setspn.exe -A http/tomcatappli.mydomain.org MYDOMAIN\tomcatsvc 

Note: If you use Negoserver, Negoserver must be running with the account MYDOMAIN\tomcatsvc. Tomcat can be running with another account. If tomcat is running on Unix, Negoserver must also be running with MYDOMAIN\tomcatsvc.

Is tomcat running on Windows? on Unix?

It is possible to modify SSPAuthenticator to refuse NTLM. I could add this parameter in the next version, but first, test with the new account.

Give the results of your test.

Dominique Guerin 

Jan 13, 2011 at 7:35 AM

I am on Windows/Tomcat6/jdk1.5.

I would prefer to use NTLM; it seems to work out of the box for me, which was very impressive and gratifying.

Sticky sessions in the cluster are not a problem either - the app is AdobeFlex and once I mark its session as authenticated we can do silent failovers, which is our primary reason for the cluster.

However, simply because SSPAuthentication is not serializable I can't replicate the session - it actually results in a total TC crash (EXCEPTION_ACCESS_VIOLATION Problematic frame: jna17891.dll+0x2e2c).

I marked SSPAuthentication as serializable and this fixes things.

Thanks for the info

John Williams

Coordinator
Mar 7, 2011 at 8:44 PM

Did you only add "implements Serializable" to the class SSPAuthentication?

Dominique Guerin

Mar 8, 2011 at 6:44 AM

Yes.
