CAS cluster don't replicate tickets

Claudio Tassini claudio.tassini at gmail.com
Wed Aug 22 08:51:18 EDT 2007


Is there a method (a test jsp or something similar) to view the contents of
the ticket registry of each instance? It seems that my ST tickets are not
replicated through the cluster, and I don't understand why... If tomcat does
the validation against the same cas that granted it, all is fine, but if it
asks the other, it returns with an invalid ticket error...

2007/8/21, Claudio Tassini <claudio.tassini at gmail.com>:
>
> Andrew,
>
> I don't think so, because the service works just fine if I shut down one
> of the Tomcat nodes or I disable clustering.
>
> However, we are using "CAS Filter" function from the Java CAS client (
> http://www.ja-sig.org/products/cas/client/javaclient/index.html ) :
>
>
> =========================
> application web.xml file contents :
> =========================
>
>   <filter>
>     <filter-name>CAS Filter</filter-name>
>     <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
>       <param-value>https://portale.inca.it/cas/login</param-value>
>     </init-param>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
>       <param-value>https://portale.inca.it/cas/proxyValidate</param-value>
>     </init-param>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.serviceUrl</param-name>
>       <param-value>https://portale.inca.it/WebMail/LoginManagerServlet?action=login</param-value>
>     </init-param>
>     <!--<init-param>
>        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
>        <param-value>portale.inca.it</param-value>
>     </init-param>-->
>   </filter>
>
>   <filter-mapping>
>     <filter-name>CAS Filter</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
> ====================
> web.xml file contents END
> ====================
>
> 2007/8/21, Andrew R Feller < afelle1 at lsu.edu>:
> >
> >  Claudio,
> >
> > I emailed you some documentation on CAS architecture I have done for my
> > company to you personally; didn't need to bother everyone with that.  As far
> > as the log information you posted, it appears that the CAS server is
> > authenticating your user correctly.  I am thinking there might be an issue
> > with the CAS client you have configured on the application server; I think
> > the CAS client isn't requesting the correct service URL to validate the
> > service ticket for.
> >
> > Which CAS client are you using?  How do you have it configured?
> >
> > Andrew R Feller, Analyst
> >
> > Subversion Administrator
> >
> > University Information Systems
> >
> > Louisiana State University
> >
> > afelle1 at lsu.edu
> >
> > (office) 225.578.3737
> >   ------------------------------
> >
> > From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
> > On Behalf Of Claudio Tassini
> > Sent: Tuesday, August 21, 2007 9:25 AM
> > To: Yale CAS mailing list
> > Subject: Re: CAS cluster don't replicate tickets
> >
> >
> >
> > Thank you, something's moving.
> >
> > The behavior is the same, but now I've noticed something strange in the
> > log: it seems that when both the two cluster nodes are running, each single
> > instance doesn't recognize even its own granted tickets:
> >
> > I go to the application, it redirects me to cas, I login, error.
> >
> > That's what happens in the catalina.out on node1:
> >
> > 2007-08-21 16:15:33,602 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl]
> > - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler
> > successfully authenticated the user which provided the following
> > credentials: c.tassini at inca.it>
> >
> > 2007-08-21 16:15:33,602 DEBUG [org.jasig.cas.ticket.registry.JBossCacheTicketRegistry]
> > - <Adding ticket to registry for: TGT-4-eVdATx0sKWhNUqISpy6ZKkrKsEwm5DJHqxD-inca-portal1>
> >
> > 2007-08-21 16:15:33,603 DEBUG [org.jasig.cas.ticket.registry.JBossCacheTicketRegistry]
> > - <Retrieving ticket from registry for: TGT-4-eVdATx0sKWhNUqISpy6ZKkrKsEwm5DJHqxD-inca-portal1>
> >
> > 2007-08-21 16:15:33,603 DEBUG [org.jasig.cas.ticket.registry.JBossCacheTicketRegistry]
> > - <Adding ticket to registry for: ST-4-RmBlCNwPzSzZdH3TBsml6B76ogEk0e92Al3-inca-portal1>
> >
> > 2007-08-21 16:15:33,603 INFO [org.jasig.cas.CentralAuthenticationServiceImpl]
> > - <Granted service ticket [ST-4-RmBlCNwPzSzZdH3TBsml6B76ogEk0e92Al3-inca-portal1]
> > for service [https://portale.inca.it/WebMail/LoginManagerServlet?action=login]
> > for user [c.tassini at inca.it]>
> >
> > Aug 21, 2007 4:15:33 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
> >
> > SEVERE: validation of [[edu.yale.its.tp.cas.client.ProxyTicketValidator
> > proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
> > casValidateUrl=[https://portale.inca.it/cas/proxyValidate]
> > ticket=[ST-4-RmBlCNwPzSzZdH3TBsml6B76ogEk0e92Al3-inca-portal1]
> > service=[https%3A%2F%2Fportale.inca.it%2FWebMail%2FLoginManagerServlet%3Faction%3Dlogin]
> > errorCode=[INVALID_TICKET] errorMessage=[ticket
> > 'ST-4-RmBlCNwPzSzZdH3TBsml6B76ogEk0e92Al3-inca-portal1' not recognized]
> > renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> >         <cas:authenticationFailure code='INVALID_TICKET'>
> >                 ticket 'ST-4-RmBlCNwPzSzZdH3TBsml6B76ogEk0e92Al3-inca-portal1' not recognized
> >         </cas:authenticationFailure>
> > </cas:serviceResponse>
> > ]]]] was not successful.
> >
> > Aug 21, 2007 4:15:33 PM edu.yale.its.tp.cas.client.filter.CASFilter doFilter
> >
> > SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
> > validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator
> > proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
> > casValidateUrl=[https://portale.inca.it/cas/proxyValidate]
> > ticket=[ST-4-RmBlCNwPzSzZdH3TBsml6B76ogEk0e92Al3-inca-portal1]
> > service=[https%3A%2F%2Fportale.inca.it%2FWebMail%2FLoginManagerServlet%3Faction%3Dlogin]
> > errorCode=[INVALID_TICKET] errorMessage=[ticket
> > 'ST-4-RmBlCNwPzSzZdH3TBsml6B76ogEk0e92Al3-inca-portal1' not recognized]
> > renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> >         <cas:authenticationFailure code='INVALID_TICKET'>
> >                 ticket 'ST-4-RmBlCNwPzSzZdH3TBsml6B76ogEk0e92Al3-inca-portal1' not recognized
> >         </cas:authenticationFailure>
> > </cas:serviceResponse>
> > ]]]]
> >
> > And this is what happens on node 2:
> >
> > 2007-08-21 14:16:23,098 DEBUG [org.jasig.cas.ticket.registry.JBossCacheTicketRegistry]
> > - <Retrieving ticket from registry for: ST-4-RmBlCNwPzSzZdH3TBsml6B76ogEk0e92Al3-inca-portal1>
> >
> > I can't understand the difference between those "TGT" tickets and "ST"
> > tickets, I'm quite confused...
> >
> > 2007/8/21, Andrew R Feller <afelle1 at lsu.edu>:
> >
> > Are you sure that both Tomcat clustering and CAS clustering are
> > configured correctly?  By using Tomcat 5.5, I assume that you are using
> > multicasting for both Tomcat and CAS; only Tomcat 6.0 supports unicast
> > discovery via static members.
> >
> >
> >
> > I'm not really expert about tomcat, but I can say that its clustering
> > works because I can see that each established connection generates a
> > sessionID which is visible by both the servers using a test jsp.
> >
> > [Andrew R Feller]
> >
> > Hrmmm, I think the issue you might be having is that the ticket granting
> > ticket cookie (TGC) generated by CAS isn't visible to the other server.
> > IIRC, the clustering guide didn't mention that you needed to configure CAS
> > to use a higher level domain that both CAS servers can see cookies for.
> >
> >
> >
> > To fix this issue, open the cas-servlet.xml file and look for the
> > warnCookieGenerator and ticketGrantingTicketCookieGenerator and set
> > the cookieDomain property like so:
> >
> >         <bean id="warnCookieGenerator" class="org.springframework.web.util.CookieGenerator">
> >                 <property name="cookieDomain" value="example.com" />
> >                 <property name="cookieSecure" value="true" />
> >                 <property name="cookieMaxAge" value="-1" />
> >                 <property name="cookieName" value="CASPRIVACY" />
> >                 <property name="cookiePath" value="/cas" />
> >         </bean>
> >
> >         <bean id="ticketGrantingTicketCookieGenerator" class="org.springframework.web.util.CookieGenerator">
> >                 <property name="cookieDomain" value="example.com" />
> >                 <property name="cookieSecure" value="true" />
> >                 <property name="cookieMaxAge" value="-1" />
> >                 <property name="cookieName" value="CASTGC" />
> >                 <property name="cookiePath" value="/cas" />
> >         </bean>
> >
> >
> >
> >
> >
> >  Try changing the logging level to debug for the
> > org.apache.catalina.cluster package to confirm that Tomcat clustering
> > works.  As for CAS, I think you should be able to log at the
> > org.jasig.cas.ticket.registry package to monitor the JBoss Cache ticket
> > registry.
> >
> >  jboss cache 2.0
> >
> > tomcat 5.5
> >
> > cas 3.0.7
> >
> >
> >
> > I'm sorry but as I said before I'm not really expert about tomcat. Could
> > you explain how to do this to me in a step-by-step way? ;P
> >
> > [Andrew R Feller]
> >
> > If you want to enable logging within CAS, you can download the Log4j
> > JAR and place it within either Tomcat's lib directory or CAS's lib directory
> > and configure it to log different levels of messages based on the package /
> > class names of code being executed.  To do so,
> >
> >    1. Read the Log4j documentation (http://logging.apache.org/log4j/docs/documentation.html)
> >    2. Obtain a copy of Log4j version 1.2+ and place it in either the
> >    Tomcat lib directory (CATALINA_HOME/lib) or the CAS lib directory
> >    (CATALINA_HOME/webapps/cas/WEB-INF/lib)
> >    3. Configure Log4j to log messages; a sample configuration is
> >    below:
> >
> >    # For JBoss: Avoid setting up Log4J outside $JBOSS_HOME/server/default/deploy/log4j.xml!
> >    # For all other servers: Comment out the Log4J listener in web.xml to activate Log4J.
> >    log4j.rootLogger=ERROR, stdout, logfile
> >    log4j.appender.stdout=org.apache.log4j.ConsoleAppender
> >    log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
> >    log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - <%m>%n
> >
> >    log4j.appender.logfile=org.apache.log4j.RollingFileAppender
> >    log4j.appender.logfile.File=cas.log
> >    log4j.appender.logfile.MaxFileSize=512KB
> >    # Keep three backup files.
> >    log4j.appender.logfile.MaxBackupIndex=3
> >    # Pattern to output: date priority [category] - message
> >    log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
> >    log4j.appender.logfile.layout.ConversionPattern=%d %p [%c] - %m%n
> >
> >    # WARNING: Setting the org.springframework logger to DEBUG displays debug information about
> >    # the request parameter values being bound to the command objects.  This could expose your
> >    # password in the log file.  If you are sharing your log files, it is recommended you selectively
> >    # apply DEBUG level logging on an org.springframework.* package level (i.e. org.springframework.dao)
> >    log4j.logger.org.springframework=WARN
> >    #log4j.logger.org.springframework.web.servlet.i18n=DEBUG
> >    #log4j.logger.org.springframework.web.servlet.view=DEBUG
> >    #log4j.logger.org.quartz=DEBUG
> >
> >    log4j.logger.org.jasig=INFO
> >    # WARNING: Setting the flow package to DEBUG will display
> >    # the parameters posted to the login servlet including
> >    # cleartext authentication credentials
> >    log4j.logger.org.jasig.cas.web.flow=INFO
> >    #log4j.logger.org.jasig.cas.authentication=DEBUG
> >    #log4j.logger.org.jasig.cas.web.flow.TicketGrantingTicketCheckAction=DEBUG
> >    #log4j.logger.org.jasig.cas.services.DefaultServiceRegistry=DEBUG
> >    #log4j.logger.org.jasig.cas.services=DEBUG
> >
> >  Furthermore, we're using Jboss Cache 1.4.1SP4, Tomcat 5.5 and CAS 3.0.7 with JDK
> > 1.6. Should these versions be compatible with each other?
> >
> > [Andrew R Feller]
> >
> > These versions should be compatible.  I am currently using JBoss Cache
> > 1.4.1 SP4, Tomcat 6, CAS 3.0.7, and JDK 1.6.2 and it works fine.
> >
> >
> >
> >
> >
> >
> > Hope that helps,
> >
> >
> >
> > Andrew R Feller, Analyst
> >
> > Subversion Administrator
> >
> > University Information Systems
> >
> > Louisiana State University
> >
> > afelle1 at lsu.edu
> >
> > (office) 225.578.3737
> >   ------------------------------
> >
> > From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
> > On Behalf Of Claudio Tassini
> > Sent: Tuesday, August 21, 2007 7:10 AM
> > To: cas at tp.its.yale.edu
> > Subject: CAS cluster don't replicate tickets
> >
> >
> >
> > Hi all,
> >
> > we're trying to configure a clustered CAS 3.0.7 platform, following the
> > instructions at http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS#ClusteringCAS-references .
> >
> > We connect to a webapp which redirects to the cas login url. Once the
> > login is done, cas redirects the user to the webapp page. cas and the webapp
> > are on the same tomcat (5.5).
> >
> > All is working flawlessly with a single-server environment, but after
> > having configured cas and tomcat to replicate sessions and tickets among two
> > servers, we have this behavior:
> >
> > The user goes to http://oursite.domain.it/application. The application
> > doesn't find a suitable ticket, so redirects the browser to
> > https://oursite.domain.it/cas/login . The user logs in successfully and cas
> > tries to redirect the browser back to http://oursite.domain.it/application,
> > which finds that the given ticket is not valid because obtained from the
> > remote server. Shouldn't they be synchronized? What could be wrong?
> >
> > With the same configuration, and shutting down one of the two servers,
> > all works fine.
> >
> >
> >
> > This is an extract from the log, on the server that grants the ticket:
> >
> > 2007-08-21 11:52:07,947 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl]
> > - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler
> > successfully authenticated the user which provided the following
> > credentials: c.tassini at domain.it>
> >
> > 2007-08-21 11:52:07,949 INFO [org.jasig.cas.CentralAuthenticationServiceImpl]
> > - <Granted service ticket [ST-3-tqk4bNPe05dvGmgaeJCkBidNCEvNOndyekq-server2]
> > for service [http://mysite.domain.it/Application]
> > for user [c.tassini at domain.it]>
> >
> >
> >
> >
> >
> > And this is from the other server, contacted by the application for
> > validation:
> >
> > Aug 21, 2007 2:02:29 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
> >
> > SEVERE: validation of [[edu.yale.its.tp.cas.client.ProxyTicketValidator
> > proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
> > casValidateUrl=[https://mysite.domain.it/cas/proxyValidate]
> > ticket=[ST-3-tqk4bNPe05dvGmgaeJCkBidNCEvNOndyekq-server2]
> > service=[http%3A%2F%2Fmysite.domain.it%3A8080%2FApplication]
> > errorCode=[INVALID_TICKET] errorMessage=[ticket
> > 'ST-3-tqk4bNPe05dvGmgaeJCkBidNCEvNOndyekq-server2' not recognized]
> > renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> >         <cas:authenticationFailure code='INVALID_TICKET'>
> >                 ticket 'ST-3-tqk4bNPe05dvGmgaeJCkBidNCEvNOndyekq-server2' not recognized
> >         </cas:authenticationFailure>
> > </cas:serviceResponse>
> > ]]]] was not successful.
> >
> >
> >
> >
> > Any idea about what could be wrong?
> >
> >
> >
> > Thanks in advance.
> >
> >
> >
> >
> > --
> > Claudio Tassini
> >
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman<http://tp.its.yale.edu/mailman/listinfo/cas>/listinfo/cas<http://tp.its.yale.edu/mailman/listinfo/cas>



-- 
Claudio Tassini
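For the question at the top of this thread (which node's registry knows a given service ticket), here is an added diagnostic; it is not code from the thread, the Java CAS client or the CAS project. It validates a service ticket directly against one node at its own base URL and decodes the cas:serviceResponse quoted in the logs above. It assumes the nodes are reachable directly (the node names below are hypothetical) and expose the /cas/proxyValidate endpoint configured in the CASFilter; the service value must be exactly the one the ticket was granted for, which is the mismatch Andrew points at.

```python
"""Probe one CAS node for a service ticket and decode its answer.

Added diagnostic, not from the thread or the CAS project. Assumes each node is
reachable directly on its own base URL (hypothetical names) and exposes
/cas/proxyValidate. Service tickets are single-use: probe with a ticket that
nothing else has validated yet, one ticket per probe.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace of cas:serviceResponse


def parse_validation_response(xml_text):
    """Return ("ok", user) on success, ("fail", code, message) on failure."""
    root = ET.fromstring(xml_text)
    success = root.find("{%s}authenticationSuccess" % CAS_NS)
    if success is not None:
        return ("ok", success.findtext("{%s}user" % CAS_NS, default="").strip())
    failure = root.find("{%s}authenticationFailure" % CAS_NS)
    if failure is None:
        raise ValueError("not a cas:serviceResponse")
    message = " ".join((failure.text or "").split())  # collapse the whitespace
    return ("fail", failure.get("code", "UNKNOWN"), message)


def build_validate_url(node_base, ticket, service):
    """Validation URL; service must be exactly what the ticket was granted for."""
    query = urllib.parse.urlencode({"ticket": ticket, "service": service})
    return node_base.rstrip("/") + "/cas/proxyValidate?" + query


def http_fetch(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_ticket_on_node(ticket, service, node_base, fetch=http_fetch):
    """Ask one node whether it recognises the ticket; fetch is injectable."""
    return parse_validation_response(fetch(build_validate_url(node_base, ticket, service)))


# Constructed samples mirroring the responses quoted in the thread.
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-4-EXAMPLE-inca-portal1' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>c.tassini</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

if __name__ == "__main__":
    import sys  # usage: probe.py TICKET SERVICE https://node2.example
    print(check_ticket_on_node(*sys.argv[1:4]))
```

Take the ticket from the granting node's "Granted service ticket" log line and probe the other node with it: an INVALID_TICKET answer there, with the service value identical to the one in the grant line, means the ticket never reached that node's registry, whereas a differing service value points at the client configuration instead.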