NotSerializableException MemoryUser?

Hi,

I'm running Tomcat 6.0.20 in a cluster on 3 nodes. If I restart one I get this exception:


Caused by: java.io.NotSerializableException: org.apache.catalina.users.MemoryUser
   at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1156)
   at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:326)
   at java.util.LinkedList.writeObject(LinkedList.java:943)
   at sun.reflect.GeneratedMethodAccessor127.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:945)
   at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1461)
   at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1392)
<Server port="8005" shutdown="SHUTDOWN">

 <GlobalNamingResources>
   <!-- Used by Manager webapp -->
   <Resource name="UserDatabase" auth="Container"
             type="org.apache.catalina.UserDatabase"
      description="User database that can be updated and saved"
          factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
         pathname="conf/tomcat-users.xml" />
 </GlobalNamingResources>

 <Service name="Catalina">
   <Connector port="8080" maxHttpHeaderSize="8192"
              maxThreads="300" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" redirectPort="8443" acceptCount="1024"
              connectionTimeout="20000" disableUploadTimeout="true"
              compression="on"
              compressableMimeTypes="text/html,text/xml,text/plain,text/javascript,text/css"/>

   <Connector port="8443" debug="0" scheme="https" secure="true" SSLEnabled="true"
              clientAuth="false" sslProtocol="TLS"
              keystoreFile="/etc/tomcat6/STAR_example.com.p12"
              keystoreType="PKCS12"
              keystorePass="*****" />

   <Engine name="Catalina" defaultHost="www.example.com">
     <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
            resourceName="UserDatabase" />
               <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
                       <Channel className="org.apache.catalina.tribes.group.GroupChannel">
                               <Membership className="org.apache.catalina.tribes.membership.McastService" port="45525" />
                       </Channel>
               </Cluster>

       <!-- Zorg dat de appBase regel direct na de 'Host name' regel staat -->
       <Host name="www.example.com"
               appBase="/data/webapps/crm-VERSIE_2_5/deployed"
               unpackWARs="true" autoDeploy="false" reloadable="false"
               usePooling="false"
               xmlValidation="false" xmlNamespaceAware="true">
       <Alias>www2.example.com</Alias>
       </Host>
   </Engine>

 </Service>
</Server>

What can I do to make the MemoryUser  serializable and why is it trying to sync it with other nodes?

Ronald.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ronald,

On 7/3/2009 6:34 AM, Ronald Klop wrote:
> I'm running Tomcat 6.0.20 in a cluster on 3 nodes. If I restart one I
> get this exception:
>
>
> Caused by: java.io.NotSerializableException:
> org.apache.catalina.users.MemoryUser

That's an easy one: MemoryUser does not implement Serializable.

>   <!-- Used by Manager webapp -->
>   <Resource name="UserDatabase" auth="Container"
>             type="org.apache.catalina.UserDatabase"
>      description="User database that can be updated and saved"
>          factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>         pathname="conf/tomcat-users.xml" />

This is likely to be the problem: the manager app is trying to share its
users across the cluster. Uh... don't do that. Either undeploy the
manager app or use a different <Realm> that doesn't use that type of
User object. Or, write your own factory that returns serializable objects.

> What can I do to make the MemoryUser  serializable and why is it trying
> to sync it with other nodes?

It's probably trying to sync the session with other nodes, and this
object is stored in the session. The rest of the stack trace would
probably indicate that the cluster is trying to replicate sessions (or
just this object, as it is being inserted into the session) or something
like that.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEUEARECAAYFAkpOGjoACgkQ9CaO5/Lv0PAKfgCVGPJmrP+xs5Aypo60NEU8uk2y
TwCfTuaeseQX6b4g3qJNFCU85oezZGU=
=iNCj
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...

Christopher Schultz wrote:
Unlikely. The manager app isn't marked as distributable.

My money would be on an app using the same Realm and putting the authenticated
Principal object in the session.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

On 7/3/2009 11:48 AM, Mark Thomas wrote:
I was seduced by the "Used by Manager webapp" comment in the server.xml.
I should have known better :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkpQrp0ACgkQ9CaO5/Lv0PDWKwCgryyDFfb8f+/w2sjzyppDvm2N
vFgAmwTsGnzVRfodO8rj2ZcJfi27m7Ui
=YLsf
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...

Op vrijdag, 3 juli 2009 17:48 schreef Mark Thomas <markt@...>:>
Hi,

Thanks for your answers. The context has a security-constraint in web.xml for some password-protected pages for metainfo/stats about the running app. This takes a user defined in tomcat-users.xml.

I looked a little into the Tomcat code. In ./java/org/apache/catalina/connector/Request.java on line 1752 Tomcat puts the 'javax.security.auth.subject' on the session. This is the MemoryUser in my case I think.

Is there a way to use the security-constraint in a clustered environment?

Ronald.

Ronald Klop wrote:
Looking into the history a little, the reason for this is a performance
optimisation when using a SecurityManager.

Possible workarounds:
- disable the security manager
- use a HttpSessionActivationListener and remove this attribute before
the session gets passivated

It looks like a Tomcat bug to me. If you add it to Bugzilla someone will
take a look. Possible patches include:
- make memory user serializable
- use a session note rather than an attribute

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...

Op donderdag, 9 juli 2009 14:22 schreef Mark Thomas <markt@...>:


Yep. I thought the same. The SecurityManager is needed for RMI as far as I know. So I can't get rid of that one. The session clustering doesn't mean the session is passivated every time I think, but I will take a look on that one. Maybe a SessionBindingListener which directly removes the attribute. All ugly hacks in my opinion.

I wil file a bug report.

Thanks,

Ronald.

Ronald Klop wrote:

> Yep. I thought the same. The SecurityManager is needed for RMI as far as
> I know. So I can't get rid of that one. The session clustering doesn't
> mean the session is passivated every time I think, but I will take a
> look on that one.

It think it is when Tomcat shuts down. I haven't checked the code. It
might even be configurable on shut down.

 Maybe a SessionBindingListener which directly removes
> the attribute. All ugly hacks in my opinion.

Yep :) I didn't say they would be pretty ;)

> I wil file a bug report.

Seen it. Thanks.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...