HTTP Session Failover

J2EE applications typically have significant amounts of session state data. A web shopping cart is the classic example of session state. Also, an application can cache frequently-needed data in the session object. In fact, almost all applications with significant user interactions need to maintain session state.

Configuring Availability for the Web Container

To enable and configure web container availability using asadmin, see configure-ha-persistence(1).

Alternatively, use the asadmin set command to set the configuration’s availability-service.web-container-availability.availability-enabled property to true and then configure-ha-persistence to set properties as desired.

For example, use the set command as follows, where config1 is the configuration name:

asadmin set --user admin --passwordfile password.txt 
--host localhost --port 4849 
config1.availability-service.web-container-availability.availability-enabled="true"
asadmin configure-ha-persistence --user admin --passwordfile secret.txt 
--type ha 
--frequency web-method 
--scope modified-session 
--store jdbc/hastore 
--property maxSessions=1000:reapIntervalSeconds=60 cluster1

To Enable Availability for the Web Container with Admin Console

1. In the tree component, select the desired configuration.

2. Click on Availability Service.

3. Select the Web Container Availability tab.

   Check the Availability Service box to enable availability. To disable it, uncheck the box.

4. Change other settings, as described in the following section, Availability Settings

5. Restart the server instance.

Availability Settings

The Web Container Availability tab of the Availability Service enables you to change these availability settings:

Persistence Type: Specifies the session persistence mechanism for web applications that have availability enabled. Allowed values are memory (no persistence) file (the file system) and ha (HADB).

HADB must be configured and enabled before you can use ha session persistence. For configuration details, see configure-ha-cluster(1).

If web container availability is enabled, the default is ha. Otherwise, the default is memory. For production environments that require session persistence, use ha. The first two types, memory and file persistence, do not provide high availability session persistence.

Persistence Frequency: Specifies how often the session state is stored. Applicable only if the Persistence Type is ha. Allowed values are:

• web-method - The session state is stored at the end of each web request prior to sending a response back to the client. This mode provides the best guarantee that the session state is fully updated in case of failure. This is the default.

• time-based - The session state is stored in the background at the frequency set by the reapIntervalSeconds store property. This mode provides does not guarantee that session state is fully updated. However, it can provide a significant performance improvement because the state is not stored after each request.

Persistence Scope: Specifies how much of the session object and how often session state is stored. Applicable only if the Persistence Type is ha. Allowed values are as follows:

• session - The entire session state is stored every time. This mode provides the best guarantee that your session data is correctly stored for any distributable web application. This is the default.

• modified-session - The entire session state is stored if it has been modified. A session is considered to have been modified if HttpSession.setAttribute() or HttpSession.removeAttribute() was called. You must guarantee that setAttribute() is called every time an attribute is changed. This is not a J2EE specification requirement, but it is required for this mode to work properly.

• modified-attribute - Only modified session attributes are stored. For this mode to work properly, you must follow a few guidelines:

  • Call setAttribute() every time the session state is modified.

  • Make sure there are no cross-references between attributes. The object graph under each distinct attribute key is serialized and stored separately. If there are any object cross references between the objects under each separate key, they are not serialized and deserialized correctly.

  • Distribute the session state across multiple attributes, or at least between a read-only attribute and a modifiable attribute.

Single Sign-On State: Check this box to enable persistence of the single sign-on state. To disable it, uncheck the box. For more information, see Using Single Sign-on with Session Failover

HTTP Session Store: You can change the HTTP Session Store if you changed the JDBC resource used for connections to the HADB for session persistence. For details, see configure-ha-cluster(1).

Configuring Availability for Individual Web Applications

To enable and configure availability for an individual web application, edit the application deployment descriptor file, sun-web.xml. The settings in an application’s deployment descriptor override the web container’s availability settings.

The session-manager element’s persistence-type attribute determines the type of session persistence an application uses. It must be set to ha to enable high availability session persistence.

For more information about the sun-web.xml file, see The sun-web.xml File in Sun Java System Application Server Enterprise Edition 8.2 Developer’s Guide.

Example

<sun-web-app> ... 
  <session-config> 
    <session-manager persistence-type=ha> 
      <manager-properties> 
        <property name=persistenceFrequency value=web-method /> 
      </manager-properties> 
      <store-properties> 
        <property name=persistenceScope value=session /> 
      </store-properties> 
    </session-manager> ... 
</session-config> ...

Using Single Sign-on with Session Failover

In a single application server instance, once a user is authenticated by an application, the user is not required to re-authenticate individually to other applications running on the same instance. This is called single sign-on. For more information, see User Authentication for Single Sign-on in Sun Java System Application Server Enterprise Edition 8.2 Developer’s Guide.

For this feature to continue to work even when an HTTP session fails over to another instance in a cluster, single sign-on information must be persisted to the HADB. To persist single sign-on information, first, enable availability for the server instance and the web container, then enable single-sign-on state failover.

You can enable single sign-on state failover with the Admin Console in the Web Container Availability tab of the Availability Service, as described in Configuring Availability for the Web Container asadmin set command to set the configuration’s availability-service.web-container-availability.sso-failover-enabled property to true.

For example, use the set command as follows, where config1 is the configuration name:

asadmin set --user admin --passwordfile password.txt 
--host localhost --port 4849 
config1.availability-service.web-container-availability.
sso-failover-enabled="true"

Single Sign-On Groups

Applications that can be accessed through a single name and password combination constitute a single sign-on group. For HTTP sessions corresponding to applications that are part of a single sign-on group, if one of the sessions times out, other sessions are not invalidated and continue to be available. This is because time out of one session should not affect the availability of other sessions.

As a corollary of this behavior, if a session times out and you try to access the corresponding application from the same browser window that was running the session, you are not required to authenticate again. However, a new session is created.

Take the example of a shopping cart application that is a part of a single sign-on group with two other applications. Assume that the session time out value for the other two applications is higher than the session time out value for the shopping cart application. If your session for the shopping cart application times out and you try to run the shopping cart application from the same browser window that was running the session, you are not required to authenticate again. However, the previous shopping cart is lost, and you have to create a new shopping cart. The other two applications continue to run as usual even though the session running the shopping cart application has timed out.

Similarly, suppose a session corresponding to any of the other two applications times out. You are not required to authenticate again while connecting to the application from the same browser window in which you were running the session.

This behavior applies only to cases where the session times out. If single sign-on is enabled and you invalidate one of the sessions using HttpSession.invalidate() , the sessions for all applications belonging to the single sign-on group are invalidated. If you try to access any application belonging to the single sign-on group, you are required to authenticate again, and a new session is created for the client accessing the application.