Proposal for Handling Logins with Load-Balancing

In this document the term user is the same as research group in the e-Lab. It is the name used to log on.

Requirements: We need a generic URL (e.g., www.i2u2.org/login/) that goes to a login page that is on the Apache server and can be bookmarked without including a specific machine (www11, www13, etc.).
  • The user can choose which e-Lab to go to.

  • This generic URL would allow the user to log in to any of the machines available for load-balancing. This pool could change and the code still works.

  • The actual login code must execute on a Tomcat server (one of the load-balancing machines) because it has access to the user database and other variables associated with the e-Lab and the user.

  • The login will take teachers and students to the appropriate page (project.jsp, home.jsp, first.jsp; see below).

  • The login will support guest logins to each e-Lab. Currently we use a convention of naming the guest user [elabname]guest (except for cosmic which is guest). For example, ligoguest.

  • The login must use the correct sslport for each machine. This probably has to be standardized. However, on our development machines we have allowed logins on non-SSL ports depending on the settings. (See more below.)

Some Background:

The actual login code on each server (login.jsp) currently can go to a number of places after it is run. For example, if the user goes to milestones_map.jsp and is not logged in, it will take him to a login form with prevPage=milestones_map.jsp. When he logs in, he goes directly to milestones_map.jsp. Here are the places a user goes when logging in from the home or teacher page:

  • first.jsp for guest, new research groups (depends on user and role)
  • showStudents.jsp for a research group that has students who need to take the pretest.
  • home.jsp for the rest of the student research groups.

For teachers, we want it to go to project.jsp if logging on with a research group that has role "teacher". This is controlled by setting prevPage in the call.

Other Issues:

We may decide the teacher should go to the teacher page or project page here. For now I am assuming "project.jsp".

It is impossible to do a real test on this right now because we have no way to put a file on the Apache server and have the URL work, because it automatically goes to www11. How do we control when the load-balancer or redirection takes over? When can we legitimately go to www.i2u2.org and not be redirected to some other machine? Could we make the redirection to each machine occur only when we went two levels down on www.i2u2.org/? For example, www.i2u2.org/elab/cosmic?

There is also an issue of what URL we call. There is an include file in each e-Lab that defines variables that are important to decide what the URL is for the login.jsp file.

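// Base URL used to reach login.jsp on this machine.
String loginURLBase;

// Use https: on the SSL port when the "sslport" property is set, otherwise plain http:.
// The host and port property values are concatenated exactly as configured.
if(System.getProperty("sslport") != null) {
    loginURLBase = "https://" + System.getProperty("host") + System.getProperty("sslport");
} else {
    loginURLBase = "http://" + System.getProperty("host") + System.getProperty("port");
}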

If we could assume that we always wanted to go to the sslport and use https: for all e-Labs, then it would simplify the redirect.

We need to figure out how to handle bookmarking the splash page. There should be a different splash page per e-Lab. Currently we tell the teachers to bookmark this page, but the bookmark has the wwwnn in the URL. We could allow them to select this when they log in and have it default to home.jsp. See the suggestion below about converting the current logins to go to the load-balancing login to solve this.

Implementation:

We can have a pull-down list of e-Labs to select from. Perhaps we could have a cookie that remembers which e-Lab they last selected so it would default to the one they selected the last time they went to this page.

For example, www.i2u2.org/login/ or www.i2u2.org/login.html

* Login Diagram:
login_diagram.jpg

We could use Eric's suggestion of having a link to the login page on the top right on the other i2u2 intro pages for people who go to www.i2u2.org/

Solution 1: Using Javascript

I have mocked up a version of this on http://www13.i2u2.org:8080/login/index.html. This should really be on the Apache server, but I don't know how to put a file on there without it automatically redirecting to www11. I use JavaScript to construct the actual URLs to redirect to because we currently use Java to do some of this and the main i2u2 server does not have Tomcat running. For example, the login for the guest user sets the login name to [elabname]guest. We may do away with having different guest user names in the future, but right now each guest user is associated with a teacher in that e-Lab. I developed a test version described below.

This implementation takes advantage of the current login.jsp for each e-Lab; the user's "role" controls whether we go to a teacher or student page.

I am not sure that this is secure enough, because it created a new URL with all the parameters included to go to the e-Lab selected (www.i2u2.org/elab/cosmic/login.jsp, depending on the e-Lab) and then set location.href to this new URL.

Under the current system, I discovered that I had to include wwwnn, port number and use https: in the URL for it to work. It took a lot of time so the URL showed in the address field in the browser. If I used https://www.i2u2.org:43, it did not work because I assume there is no port 443 on www.i2u2.org. Perhaps this can be made to work.

If I tried to go to wwwi.i2u2.org/elab/cosmic/login.jsp, I went to http://www11.i2u2.org:8080/elab/cosmic/login.jsp, but I did not succeed in getting the login to work because we need "https:".

Maybe the JavaScript could do the load-balancing by using a random number to choose one of the available machines! I did not explore this.

Question: Can we emulate the "post" instead of "get" when we set location.href in JavaScript so we don't see the URL in the address bar?
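One way to do what the question asks, as an added example that is not code from the i2u2 project: rather than assigning location.href, the script fills a hidden form and submits it with method "post", so the user name and password travel in the request body and never appear in the address bar. The field names user, pass and project, the two-entry e-Lab list and the assumption that www.i2u2.org accepts https: are hypothetical; prevPage and the guest naming convention are taken from this page.

```javascript
// Added example (not i2u2 code). "user", "pass" and "project" are hypothetical
// field names; "prevPage" and the guest naming rule come from the page.
const ELABS = ["cosmic", "ligo"];            // only the e-Labs named on the page
const LOGIN_ORIGIN = "https://www.i2u2.org"; // assumes HTTPS works on the generic host

// Guest convention from the page: [elabname]guest, except cosmic, which is "guest".
function guestUser(elab) {
  return elab === "cosmic" ? "guest" : elab + "guest";
}

// Build the POST target and the body fields. Nothing secret is put in the URL.
function buildLoginRequest({ elab, user, pass, guest = false, prevPage = "" }) {
  if (!ELABS.includes(elab)) {
    throw new Error("unknown e-Lab: " + String(elab));
  }
  const fields = {
    user: guest ? guestUser(elab) : String(user || ""),
    pass: String(pass || ""),
    project: elab,
  };
  if (fields.user === "") throw new Error("missing user name");
  // This example's own restriction: forward prevPage only when it is a bare
  // page name such as project.jsp, never a path or a full URL.
  if (/^[A-Za-z0-9_]+\.jsp$/.test(prevPage)) fields.prevPage = prevPage;
  const action = LOGIN_ORIGIN + "/elab/" + elab + "/login.jsp";
  return { action, method: "post", fields };
}

// Browser side: submit a hidden form instead of setting location.href.
// Pass the page's `document` as doc.
function submitLogin(request, doc) {
  const form = doc.createElement("form");
  form.method = request.method;
  form.action = request.action;
  for (const [name, value] of Object.entries(request.fields)) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  form.submit();
  return form;
}
```

POST keeps the values out of the address bar, the browser history and bookmarks; protecting them on the network still depends on the form's action being an https: URL.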

Solution 2: Java

Have the form with "post" on the login page on the Apache server go directly to login_setup.jsp on one of the Tomcat machines (using www.i2u2.org:8080/elab/login_setup.jsp) and use Java instead of the JavaScript to

  • redirect to login.jsp with the correct port based on login_URL_base.jsp and the properties files
  • use the "guest" information passed to generate the right username and password
  • take advantage of the existing login.jsp code
  • use the project information in the URL it redirects to
  • redirect to a new machine from the pool of machines (essentially do the load-balancing in login_setup.jsp, but have this code reside on each machine)

However, we may still need to go to port 443 for this to be secure, and then we have the same problem we had with the JavaScript approach, where using www.i2u2.org:443 does not work.

Requirement for Both:

Both of the above solutions have this issue of having to create a URL with a specific machine and port 443 to work. We need a load-balancer that recognizes when the call is to login.jsp and redirects using port 443 and https: and passes all the parameters to one of the Tomcat servers. I am assuming we can call a CGI which can do the work of load-balancing.

This might also be implemented by providing the code on Apache server port 443.

* Login Redirection:
login_redirection.jpg

Solution for the currently bookmarked pages

If we change the home.jsp and teacher.jsp pages to go to the load-balancing URL, then even though the user starts on the bookmarked machine, he may be redirected to another machine. This would allow them to keep their splash bookmark as well because it just takes them to home.jsp where they will be redirected when they log in. The only time we could get in trouble with this is if the bookmarked machine was down and the user could not even get to it to do the login that would redirect them.

Related to this, we might want to decide whether we want to alter the form on the login.jsp page on each Tomcat Server so that it goes to the load-balancer. This form is generated if someone
  • makes a mistake logging in
  • tries to go to a page other than home.jsp and teacher.jsp without logging in.

-- Main.LizQuigg - 22 Jun 2007

Topic revision: r10 - 2007-06-22, LizQuigg