CAS cluster don't replicate tickets
Andrew R Feller
afelle1 at lsu.edu
Tue Aug 21 08:48:31 EDT 2007
Are you sure that both Tomcat clustering and CAS clustering are
configured correctly? By using Tomcat 5.5, I assume that you are using
multicasting for both Tomcat and CAS; only Tomcat 6.0 supports unicast
discovery via static members.
Try changing the logging level to debug for the
org.apache.catalina.cluster package to confirm that Tomcat clustering
works. As for CAS, I think you should be able to log at the
org.jasig.cas.ticket.registry package to monitor the JBoss Cache ticket
registry.
Hope that helps,
Andrew R Feller, Analyst
Subversion Administrator
University Information Systems
Louisiana State University
afelle1 at lsu.edu
(office) 225.578.3737
________________________________
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Claudio Tassini
Sent: Tuesday, August 21, 2007 7:10 AM
To: cas at tp.its.yale.edu
Subject: CAS cluster don't replicate tickets
Hi all,
we're trying to configure a clustered CAS 3.0.7 platform, following the
instructions at
http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS#ClusteringCAS-references .
We connect to a webapp which redirects to the cas login url. Once the
login is done, cas redirects the user to the webapp page. cas and the
webapp are on the same tomcat (5.5).
All is working flawlessly with a single-server environment, but after
having configured cas and tomcat to replicate sessions and tickets among
two servers, we have this behavior:
The user goes to http://oursite.domain.it/application . The application
doesn't find a suitable ticket, so redirects the browser to
https://oursite.domain.it/cas/login . The user logs in successfully and
cas tries to redirect the browser back to
http://oursite.domain.it/application , which finds that the given ticket
is not valid because it was obtained from the remote server. Shouldn't they be
synchronized? What could be wrong?
With the same configuration, and shutting down one of the two servers,
all works fine.
This is an extract from the log, on the server that grants the ticket:
2007-08-21 11:52:07,947 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
authenticated the user which provided the following credentials:
c.tassini at domain.it>
2007-08-21 11:52:07,949 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl ] - <Granted service
ticket [ST-3-tqk4bNPe05dvGmgaeJCkBidNCEvNOndyekq-server2] for service
[http://mysite.domain.it/Application] for user [c.tassini at domain.it]>
And this is from the other server, contacted by the application for
validation:
Aug 21, 2007 2:02:29 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
SEVERE: validation of [[edu.yale.its.tp.cas.client.ProxyTicketValidator
proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://mysite.domain.it/cas/proxyValidate]
ticket=[ST-3-tqk4bNPe05dvGmgaeJCkBidNCEvNOndyekq-server2]
service=[http%3A%2F%2Fmysite.domain.it%3A8080%2FApplication]
errorCode=[INVALID_TICKET] errorMessage=[ticket
'ST-3-tqk4bNPe05dvGmgaeJCkBidNCEvNOndyekq-server2' not recognized]
renew=false entireResponse=[<cas:serviceResponse xmlns:cas='
http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>
ticket
'ST-3-tqk4bNPe05dvGmgaeJCkBidNCEvNOndyekq-server2' not recognized
</cas:authenticationFailure>
</cas:serviceResponse>
]]]] was not successful.
Any idea about what could be wrong?
Thanks in advance.
--
Claudio Tassini
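
An added example, not part of the thread or of CAS: a Python sketch that correlates the two kinds of log line quoted above and lists service tickets granted on one node but rejected with INVALID_TICKET on another, the symptom of a ticket registry that is not replicating. The node labels, sample log text and ticket ids are constructed, and the patterns assume the line formats shown in the excerpts.

```python
import re

# Patterns for the two log lines quoted in the thread. Whitespace is
# collapsed first because the logged messages are hard-wrapped.
GRANTED = re.compile(r"Granted service ticket \[(ST-[^\]\s]+)\]")
REJECTED = re.compile(r"ticket=\[(ST-[^\]\s]+)\]\s*service=\[[^\]]*\]"
                      r"\s*errorCode=\[INVALID_TICKET\]")

def scan(log_text):
    """Return (granted, rejected) sets of service-ticket ids in one node's log."""
    flat = " ".join(log_text.split())
    return set(GRANTED.findall(flat)), set(REJECTED.findall(flat))

def unreplicated_tickets(logs_by_node):
    """Find tickets granted on one node and rejected as INVALID_TICKET on another.

    logs_by_node maps a node label to that node's combined log text.
    Returns a sorted list of (ticket, issuing_node, rejecting_node).
    """
    seen = {node: scan(text) for node, text in logs_by_node.items()}
    findings = []
    for issuer, (granted, _) in seen.items():
        for rejecter, (_, rejected) in seen.items():
            if issuer != rejecter:
                findings += [(t, issuer, rejecter) for t in granted & rejected]
    return sorted(findings)

# Constructed sample logs modelled on the two excerpts in the thread.
SAMPLE = {
    "server2": """
2007-08-21 11:52:07,949 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
ticket [ST-1-constructedAAAA-server2] for service
[http://app.example.test/Application] for user [user1]>
""",
    "server1": """
SEVERE: validation of [[edu.yale.its.tp.cas.client.ProxyTicketValidator
proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://app.example.test/cas/proxyValidate]
ticket=[ST-1-constructedAAAA-server2]
service=[http%3A%2F%2Fapp.example.test%2FApplication]
errorCode=[INVALID_TICKET] errorMessage=[ticket
'ST-1-constructedAAAA-server2' not recognized]]] was not successful.
ticket=[ST-9-constructedZZZZ-server1] service=[x] errorCode=[INVALID_TICKET]
""",
}

if __name__ == "__main__":
    for ticket, issuer, rejecter in unreplicated_tickets(SAMPLE):
        print(f"{ticket}: granted on {issuer}, rejected on {rejecter}")
```

A rejected ticket that no node ever granted (the second one in the sample) is deliberately not reported, since it points to an expired or bogus ticket rather than to missing replication.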