front ending tomcat with apache2

Scott Battaglia scott.battaglia at gmail.com
Tue Sep 18 10:03:56 EDT 2007


Is it generating a new TGT or a new Service Ticket?  It generates a new
Service Ticket for every request.

If it's generating a new TGT for every request then the cookie may not be
being sent back to the correct server.

-Scott

On 9/18/07, David Pham <dpham6 at gmail.com> wrote:
>
> Scott,
> I am implementing the jbossCache which is not working correctly.  That
> aside, is it functionally correct that the same CAS instance would generate
> multiple tickets for one client session?  For example, a first time
> authentication generates a ticket.  Let's say the user browses to a different
> application then returns to the same casified app.  Once again a new ticket
> is generated for that session.  My understanding is that the same TGC is
> used for reauthentication unless the user logs off or terminates the
> session.
>
> Regards, David
>
> On 9/17/07, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> >
> > David,
> >
> > Unless you've enabled a distributed Ticket store (i.e. the JBossCache
> > one), you may see new tickets generated (as each server maintains its own
> > collection of tickets).
> >
> > -Scott
> >
> > On 9/17/07, David Pham <dpham6 at gmail.com> wrote:
> > >
> > > Thank you all for the input.  I was able to enable SSL support for my
> > > apache loadbalancer and it does a good job of balancing requests to my CAS
> > > in a round-robin fashion.
> > >
> > > Claudio - I'm not sure if my certificates are set up like you stated.
> > > Basically I created a cert for my apache and each of my CASes has a cert.
> > > It appears that when a client is directed to the loadbalancer, only the cert
> > > for my apache is used.  In addition I believe sticky sessions are enabled by
> > > default, but I'll double-check my configurations and make sure it's
> > > implemented.
> > >
> > > Andrew - I'm using mod_jk.  I'll add the configs as suggested.
> > >
> > > One last thing, I'm not sure if this issue is related or a side effect
> > > of the load balancer, but it appears my CAS instances are constantly
> > > generating new tickets even for the same client session.  After
> > > authentication, the client receives a TGC and each time the same casified
> > > application is accessed, a new TGC is generated w/o regards to the existing
> > > ticket.  Is this normal behavior?
> > >
> > > Regards, David
> > >
> > > On 9/17/07, Andrew R Feller <afelle1 at lsu.edu> wrote:
> > > >
> > > >  David,
> > > >
> > > >
> > > >
> > > > If you are using Apache HTTPD and Tomcat, then you can use either
> > > > mod_jk or the newer mod_proxy_ajp module.  I have used both and find them
> > > > both fairly easy to use.  The only security concern I am aware of is with
> > > > the Connector used for the AJP communication over port 8009.  Specify the
> > > > address attribute to localhost (127.0.0.1) in order to avoid it
> > > > receiving requests from only Apache HTTPD on the machine it runs on:
> > > >
> > > >
> > > >
> > > > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> > > >            tomcatAuthentication="false" address="127.0.0.1"
> > > >            enableLookups="false" />
> > > >
> > > >
> > > >
> > > > HTH,
> > > >
> > > >
> > > >
> > > > Andrew R Feller, Analyst
> > > >
> > > > Subversion Administrator
> > > >
> > > > University Information Systems
> > > >
> > > > Louisiana State University
> > > >
> > > > afelle1 at lsu.edu
> > > >
> > > > (office) 225.578.3737
> > > >   ------------------------------
> > > >
> > > > *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
> > > > *On Behalf Of *Scott Battaglia
> > > > *Sent:* Saturday, September 15, 2007 10:43 PM
> > > > *To:* Yale CAS mailing list
> > > > *Subject:* Re: front ending tomcat with apache2
> > > >
> > > >
> > > >
> > > > David,
> > > >
> > > > I believe most people just use mod_jk between the Apache server and
> > > > Tomcat.  I'm not aware of any additional secure configuration you can do to
> > > > mod_jk.
> > > >
> > > > Your Apache's http connector obviously should be SSL ;-)
> > > >
> > > > -Scott
> > > >
> > > > On 9/14/07, *David Pham* <dpham6 at gmail.com> wrote:
> > > >
> > > > I am front ending my CASes, which run on Tomcat 5.5, with an Apache2
> > > > load balancer that uses mod_jk and I am assuming
> > > > a SSL connector will be needed in order for the load balancer to
> > > > redirect requests to the CAS servers.  Does anyone have
> > > > any useful documentation on how this can be done?
> > > >
> > > > Thank you in advance.
> > > >
> > > > David
> > > >
> > > > _______________________________________________
> > > > Yale CAS mailing list
> > > > cas at tp.its.yale.edu
> > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > -Scott Battaglia
> > > >
> > > > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > > >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia