将 SSL 用于应用程序时的会话超时
Posted
技术标签:
【中文标题】将 SSL 用于应用程序时的会话超时【英文标题】:Session timeout when using SSL for an application 【发布时间】:2013-04-26 06:03:53 【问题描述】:我们目前有一个 jboss 服务器,它有两个配置文件。每个配置文件都有不同的应用程序,应用程序 A 和应用程序 B 在配置文件中。当我们在 App B 中使用 SSL 时,App A 上会出现会话超时,反之亦然。有谁知道或知道为什么会发生这种情况。
在服务器中,App B 向 App A 发送远程 EJB 调用以获取数据。换句话说,App B 依赖于 App A。另外,为了启动 App B,需要启动 App A。
我们需要为 App B 启用 SSL,这是通过 IBE 配置文件的 JBOSS Web 部署文件夹中的 server.xml 文件完成的。
当同时使用 App A 和 App B(都没有 SSL)时,没有服务器超时但是当使用 App A(没有 SSL,因为我们不为 App A 使用 SSL)和带有 SSL 的 App B 时,有一个会话超时。一个例子
-
同时加载 App A 和 App B
登录应用 A(无 SSL)
在 App A 中访问屏幕或执行某些功能
转到 App B 并单击一个按钮以执行某些功能 (SSL)
App B 会话已超时
转到应用 A 并执行其他功能
应用 A 会话已超时
这是附加的Application A的server.xml
<Server>
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Use a custom version of StandardService that allows the
connectors to be started independent of the normal lifecycle
start to allow web apps to be deployed before starting the
connectors.
-->
<Service name="jboss.web">
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" address="$jboss.bind.address"
maxThreads="350" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" compression="on" />
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="$jboss.bind.address" protocol="AJP/1.3"
emptySessionPath="true" enableLookups="false" redirectPort="8443" />
<Engine name="jboss.web" defaultHost="localhost">
<!-- The JAAS based authentication and authorization realm implementation
that is compatible with the jboss 3.2.x realm implementation.
- certificatePrincipal : the class name of the
org.jboss.security.auth.certs.CertificatePrincipal impl
used for mapping X509[] cert chains to a Princpal.
- allRolesMode : how to handle an auth-constraint with a role-name=*,
one of strict, authOnly, strictAuthOnly
+ strict = Use the strict servlet spec interpretation which requires
that the user have one of the web-app/security-role/role-name
+ authOnly = Allow any authenticated user
+ strictAuthOnly = Allow any authenticated user only if there are no
web-app/security-roles
-->
<Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
allRolesMode="authOnly"
/>
<!-- A subclass of JBossSecurityMgrRealm that uses the authentication
behavior of JBossSecurityMgrRealm, but overrides the authorization
checks to use JACC permissions with the current java.security.Policy
to determine authorized access.
- allRolesMode : how to handle an auth-constraint with a role-name=*,
one of strict, authOnly, strictAuthOnly
+ strict = Use the strict servlet spec interpretation which requires
that the user have one of the web-app/security-role/role-name
+ authOnly = Allow any authenticated user
+ strictAuthOnly = Allow any authenticated user only if there are no
web-app/security-roles
<Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"
certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
allRolesMode="authOnly"
/>
-->
<Host name="localhost"
autoDeploy="false" deployOnStartup="false" deployXML="false"
configClass="org.jboss.web.tomcat.security.config.JBossContextConfig"
>
<!-- Uncomment to enable request dumper. This Valve "logs interesting
contents from the specified Request (before processing) and the
corresponding Response (after processing). It is especially useful
in debugging problems related to headers and cookies."
-->
<!--
<Valve className="org.apache.catalina.valves.RequestDumperValve" />
-->
<!-- Access logger -->
<!--
<Valve className="org.apache.catalina.valves.AccessLogValve"
prefix="localhost_access_log." suffix=".log"
pattern="common" directory="$jboss.server.log.dir"
resolveHosts="false" />
-->
<!-- Uncomment to enable single sign-on across web apps
deployed to this host. Does not provide SSO across a cluster.
If this valve is used, do not use the JBoss ClusteredSingleSignOn
valve shown below.
A new configuration attribute is available beginning with
release 4.0.4:
cookieDomain configures the domain to which the SSO cookie
will be scoped (i.e. the set of hosts to
which the cookie will be presented). By default
the cookie is scoped to "/", meaning the host
that presented it. Set cookieDomain to a
wider domain (e.g. "xyz.com") to allow an SSO
to span more than one hostname.
-->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Uncomment to enable single sign-on across web apps
deployed to this host AND to all other hosts in the cluster.
If this valve is used, do not use the standard Tomcat SingleSignOn
valve shown above.
Valve uses a JBossCache instance to support SSO credential
caching and replication across the cluster. The JBossCache
instance must be configured separately. By default, the valve
shares a JBossCache with the service that supports HttpSession
replication. See the "jboss-web-cluster-service.xml" file in the
server/all/deploy directory for cache configuration details.
Besides the attributes supported by the standard Tomcat
SingleSignOn valve (see the Tomcat docs), this version also
supports the following attributes:
cookieDomain see above
treeCacheName JMX ObjectName of the JBossCache MBean used to
support credential caching and replication across
the cluster. If not set, the default value is
"jboss.cache:service=TomcatClusteringCache", the
standard ObjectName of the JBossCache MBean used
to support session replication.
-->
<!--
<Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn" />
-->
<!-- Check for unclosed connections and transaction terminated checks
in servlets/jsps.
Important: The dependency on the CachedConnectionManager
in META-INF/jboss-service.xml must be uncommented, too
-->
<Valve className="org.jboss.web.tomcat.service.jca.CachedConnectionValve"
cachedConnectionManagerObjectName="jboss.jca:service=CachedConnectionManager"
transactionManagerObjectName="jboss:service=TransactionManager" />
</Host>
</Engine>
</Service>
</Server>
这是附加的启用 SSL 的应用程序 B 的 server.xml
<Server>
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Use a custom version of StandardService that allows the
connectors to be started independent of the normal lifecycle
start to allow web apps to be deployed before starting the
connectors.
-->
<Service name="jboss.web">
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8180" address="$jboss.bind.address"
maxThreads="350" maxHttpHeaderSize="8192"
emptySessionPath="false" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8543" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" compression="on" />
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<Connector port="8543" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true" connectionTimeout="20000"
clientAuth="false" sslProtocol="TLS" disableUploadTimeout="true"
keystoreFile="$jboss.server.home.dir/conf/application.keystore"
keystorePass="application"
/>
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8010" address="$jboss.bind.address" protocol="AJP/1.3"
emptySessionPath="true" enableLookups="false" redirectPort="8543" />
<Engine name="jboss.web" defaultHost="localhost">
<!-- The JAAS based authentication and authorization realm implementation
that is compatible with the jboss 3.2.x realm implementation.
- certificatePrincipal : the class name of the
org.jboss.security.auth.certs.CertificatePrincipal impl
used for mapping X509[] cert chains to a Princpal.
- allRolesMode : how to handle an auth-constraint with a role-name=*,
one of strict, authOnly, strictAuthOnly
+ strict = Use the strict servlet spec interpretation which requires
that the user have one of the web-app/security-role/role-name
+ authOnly = Allow any authenticated user
+ strictAuthOnly = Allow any authenticated user only if there are no
web-app/security-roles
-->
<Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
allRolesMode="authOnly"
/>
<!-- A subclass of JBossSecurityMgrRealm that uses the authentication
behavior of JBossSecurityMgrRealm, but overrides the authorization
checks to use JACC permissions with the current java.security.Policy
to determine authorized access.
- allRolesMode : how to handle an auth-constraint with a role-name=*,
one of strict, authOnly, strictAuthOnly
+ strict = Use the strict servlet spec interpretation which requires
that the user have one of the web-app/security-role/role-name
+ authOnly = Allow any authenticated user
+ strictAuthOnly = Allow any authenticated user only if there are no
web-app/security-roles
<Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"
certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
allRolesMode="authOnly"
/>
-->
<Host name="localhost"
autoDeploy="false" deployOnStartup="false" deployXML="false"
configClass="org.jboss.web.tomcat.security.config.JBossContextConfig"
>
<!-- Uncomment to enable request dumper. This Valve "logs interesting
contents from the specified Request (before processing) and the
corresponding Response (after processing). It is especially useful
in debugging problems related to headers and cookies."
-->
<!--
<Valve className="org.apache.catalina.valves.RequestDumperValve" />
-->
<!-- Access logger -->
<!--
<Valve className="org.apache.catalina.valves.AccessLogValve"
prefix="localhost_access_log." suffix=".log"
pattern="common" directory="$jboss.server.log.dir"
resolveHosts="false" />
-->
<!-- Uncomment to enable single sign-on across web apps
deployed to this host. Does not provide SSO across a cluster.
If this valve is used, do not use the JBoss ClusteredSingleSignOn
valve shown below.
A new configuration attribute is available beginning with
release 4.0.4:
cookieDomain configures the domain to which the SSO cookie
will be scoped (i.e. the set of hosts to
which the cookie will be presented). By default
the cookie is scoped to "/", meaning the host
that presented it. Set cookieDomain to a
wider domain (e.g. "xyz.com") to allow an SSO
to span more than one hostname.
-->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Uncomment to enable single sign-on across web apps
deployed to this host AND to all other hosts in the cluster.
If this valve is used, do not use the standard Tomcat SingleSignOn
valve shown above.
Valve uses a JBossCache instance to support SSO credential
caching and replication across the cluster. The JBossCache
instance must be configured separately. By default, the valve
shares a JBossCache with the service that supports HttpSession
replication. See the "jboss-web-cluster-service.xml" file in the
server/all/deploy directory for cache configuration details.
Besides the attributes supported by the standard Tomcat
SingleSignOn valve (see the Tomcat docs), this version also
supports the following attributes:
cookieDomain see above
treeCacheName JMX ObjectName of the JBossCache MBean used to
support credential caching and replication across
the cluster. If not set, the default value is
"jboss.cache:service=TomcatClusteringCache", the
standard ObjectName of the JBossCache MBean used
to support session replication.
-->
<!--
<Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn" />
-->
<!-- Check for unclosed connections and transaction terminated checks
in servlets/jsps.
Important: The dependency on the CachedConnectionManager
in META-INF/jboss-service.xml must be uncommented, too
-->
<Valve className="org.jboss.web.tomcat.service.jca.CachedConnectionValve"
cachedConnectionManagerObjectName="jboss.jca:service=CachedConnectionManager"
transactionManagerObjectName="jboss:service=TransactionManager" />
</Host>
</Engine>
</Service>
</Server>
问候, 米琳达
【问题讨论】:
【参考方案1】:连接超时设置为 20 秒。会不会是这个问题?
【讨论】:
以上是关于将 SSL 用于应用程序时的会话超时的主要内容,如果未能解决你的问题,请参考以下文章