会话混淆 - apache httpd 与 mod_jk、tomcat、spring security - 服务其他用户的数据 [英] Session mix up - apache httpd with mod_jk, tomcat, spring security - serving data of other user

问题描述

最近我们遇到了一个严重的问题，即向一个用户提供了另一个用户的数据.这个问题几乎不可能重现.

Recently we have faced a serious problem, that one user was served data of another user. This problem is almost impossible to reproduce.

我们正在使用 Spring-security 提供的标准登录用户管理，我们确信问题不在于将用户存储在我们的应用程序中的实例变量或类似的并发性内容中.

We are using standard logged-users-management provided by Spring-security, and we are sure that the problem isn't in storing user in instance variable or similar concurrency stuff in our app.

我们真的怀疑问题出在SpringSecurity还是Tomcat本身.

We really doubt that the problem is in SpringSecurity or Tomcat itself.

我们的前端服务器是apache httpd，通过ajp连接器(mod_jk)连接到tomcat.我们没有做任何负载平衡(httpd 只关心 SSL、一些 url 重写和一些 php 模块)

Our front-server is apache httpd, connected to tomcat via ajp connector (mod_jk). We are not doing any load balancing (httpd cares just about SSL, some url rewrites and serving some php modules)

这是我们的设置:

## OS
OS Name:        Linux 
OS Version:     2.6.32-5-686
Architecture:   i386

## Apache httpd
Server version: Apache/2.2.16 (Debian)
Server built:   Sep  4 2011 20:27:42

## mod_jk
mod_jk/1.2.30 (installed via apt-get)

## JVM
JVM Version:    1.6.0_18-b18
JVM Vendor:     Sun Microsystems Inc.

## Tomcat
Server version: Apache Tomcat/6.0.28
Server built:   February 12 2011 1443

我们把这个会话中的 httpd/mod_jk 搞混了，所以我们唯一的解决方案是删除 apache httpd.但在我们离开这个流行且广泛使用的配置之前，我们想知道是否有人遇到过类似的问题.

We blame httpd / mod_jk from this session mix up so our only solution would be to remove apache httpd. But before we leave this popular and widely used configuration, we would like to know if anyone has faced the similar problem.

我发现的唯一类似问题是负载均衡或 mod_jk.

The only similar problems I have found were in load ballancing or mod_jk.

您是否遇到过类似的问题?任何提示、想法、链接或经验将不胜感激.谢谢！

Have you ever faced some similar problem? Any hints, ideas, links or experience will be highly appreciated. Thanks!

推荐答案

到目前为止我们还没有能够重现这个错误，但是我们发现有些人在使用 mod_jk 时遇到了同样的问题:

So far we were not able to reproduce the bug, but we have found that some people faced same problem with mod_jk:

• https://issues.apache.org/bugzilla/show_bug.cgi?id=47714
• http://grails.1312388.n4.nabble.com/Spring-Security-after-log-in-user-changed-and-session-mixed-up-td4636714.html(在底部)

所以现在我们使用这个设置运行:

So now we are running with this settings:

• JkOptions DisableReuse : http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html
• worker retries = 0 : http://tomcat.apache.org/connectors-doc/reference/workers.html#Advanced 工人指令

我们正计划将 mod_jk 切换为 mod_proxy_http.

And we are planning to switch mod_jk for mod_proxy_http.

我没有回答这个问题，因为我不能保证(而且没有人面临同样的问题能够保证)解决方案修复了错误.

I am leaving this question not-answered, because I can't assure (and nobody facing same problem was able to assure) that the solution fixes the bug.

如果有人可以分享任何信息，我将不胜感激！谢谢.

If anyone could share any information, I would appreciate it a lot! Thanks.

这篇关于会话混淆 - apache httpd 与 mod_jk、tomcat、spring security - 服务其他用户的数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！