CAS clustering ?
Kothari, Amit
Amit.Kothari at lionbridge.com
Fri Jun 30 08:20:35 EDT 2006
Hi Scott,
Thanks for the quick reply.
It's good to know CAS is not a process-intensive application.
Post user authentication, the to-and-fro communication between cas-client & cas-server led me to believe that CAS server response might slow down under heavy load. Are you aware of any benchmarks done on how many requests CAS can handle, let's say, per minute or so?
For our application, the no. of users getting authenticated could go up to 10K within a span of 5 minutes, in some cases.
Any insight on this will be helpful.
If possible, we may plan on setting up multiple CAS servers at different sites, and a user authenticated by any one CAS can browse applications protected by other CAS. Without a cluster setup or a load balancer, will the ticket registry on 1 server be able to communicate with other ticket registries?
Generating TicketIds with a suffix might work, but that means some more customization/parameterization of the CAS server will be needed to identify the appropriate server for redirection of user request, based on suffix.
Please correct me if I am wrong.
Is this implementation on the roadmap for CAS?
Thanks,
Amit
-----Original Message-----
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
Sent: Wednesday, June 28, 2006 8:02 PM
To: Yale CAS mailing list
Subject: Re: CAS clustering ?
Amit,
What kind of load are you expecting? You may not need a cluster (if
you're only interested in stopping excessive load). CAS itself is not a
very process-intensive application.
That said, it's possible to cluster CAS (the easiest way is to use sticky
sessions on your load balancer and a distributed registry). 3.0.5
includes an EhCacheDistributedRegistry. This was tested by one group
and they are having trouble optimizing it to prevent deadlock (the
synchronous updates of EhCache caused deadlock while making them
unsynchronized lost messages). We have a JGroups implementation that I
can forward to you (we haven't included it in the core because it uses a
deprecated JGroups class).
We also came up with another alternative at Rutgers (that we haven't
implemented) if you're only interested in load balancing and not
redundancy/high-availability. Each TicketIdGenerator allows you to
specify a suffix to a ticket. So if each server specifies a unique
suffix, then a load balancer that can read the request (if they can
decrypt SSL) can look at the suffix and redirect the request to the
proper server.
-Scott
Scott Battaglia
Application Developer, Architecture & Engineering Team
Enterprise Systems and Services, Rutgers University
v: 732.445.0097 | f: 732.445.5493 | scott_battaglia at rutgers.edu
Kothari, Amit wrote:
> Greetings everybody,
>
> We are evaluating CAS for SSO-enabling our applications. Is clustering
> of CAS servers possible?
> To avoid excessive server load during high volume of authentication
> requests, we plan to set up multiple CAS servers to handle
> authentication requests.
> Let's say our applications (cas-client) and CAS servers will
> be configured like this:
>
> Users redirecting to App1, App2 will be authenticated by CASServer1.
> Users redirecting to App3 will be authenticated by CASServer2.
> Users redirecting to App4 will be authenticated by CASServer3.
>
> Once a user gets authenticated by any one CASServer, the user should
> be able to browse any other application protected by a different
> CASServer.
> E.g.: Once user1 gets authenticated by CASServer1, user1 can
> successfully browse App1 and App2. So far so good.
> Requirement --> user1 should be able to browse App3 and App4 without
> being authenticated.
>
> Is this possible? Has anybody tried something like this before?
> We are using Tomcat 5.0.x for CAS server & client deployments. CAS
> Server --> 3.0.4 and Yale CAS Client --> 2.0.11
>
> Since CAS server 3.0.5 supports distributed ticket registries, can we
> use 3.0.5? How much code/configuration will be needed to achieve the
> desired functionality?
> I couldn't find any documentation about enabling distributed ticket
> registries. Any pointers will be appreciated.
>
> Thanks in advance,
>
> - Amit
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
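
The suffix-based routing discussed in this thread, sketched as an added example (not code from CAS or from either poster): a balancer that sees the decrypted request reads the ticket's suffix and picks the node whose registry holds that ticket. The node names, backend addresses, and the `PREFIX-COUNTER-RANDOM-SUFFIX` ticket shape are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed node suffixes and backend addresses (not from the thread).
BACKENDS = {
    "cas1": "cas1.internal:8443",
    "cas2": "cas2.internal:8443",
    "cas3": "cas3.internal:8443",
}

# Assumed ticket shape: PREFIX-COUNTER-RANDOM-SUFFIX, e.g. ST-42-<random>-cas2.
TICKET_RE = re.compile(r"(?:ST|PT|PGT)-\d+-[A-Za-z0-9]{10,64}-([A-Za-z0-9.]{1,32})")


def suffix_of(ticket):
    """Return the node suffix of a well-formed ticket id, else None."""
    m = TICKET_RE.fullmatch(ticket)
    return m.group(1) if m else None


def route(request_url, fallback="cas1"):
    """Choose a backend for one decrypted request URL.

    The suffix is only a routing hint taken from client-supplied input: it is
    matched against an allowlist of known nodes, and the chosen node still
    validates the ticket against its own registry. Requests with no ticket,
    a malformed ticket, an unknown suffix, or more than one ticket value go
    to the fallback node.
    """
    query = parse_qs(urlsplit(request_url).query)
    # /serviceValidate and /proxyValidate carry "ticket"; /proxy carries "pgt".
    values = query.get("ticket", []) + query.get("pgt", [])
    if len(values) == 1:
        backend = BACKENDS.get(suffix_of(values[0]))
        if backend is not None:
            return backend
    return BACKENDS[fallback]


if __name__ == "__main__":
    # Constructed sample request.
    url = ("https://sso.example.org/cas/serviceValidate"
           "?service=https%3A%2F%2Fapp3.example.org%2F"
           "&ticket=ST-42-aB3dE5gH7jK9mN1pQ3sT-cas2")
    print(route(url))
```

This covers load distribution only: if a node goes down, the tickets in its registry are lost with it, which is the redundancy gap noted in the thread.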