front ending tomcat with apache2

Scott Battaglia scott.battaglia at gmail.com
Tue Sep 18 12:28:03 EDT 2007


David,

Yes, you're seeing requests for Service Tickets.  Service Tickets are
generated each time an application requests authentication.  Ticket Granting
Tickets are generated when credentials are requested (i.e. form
authentication).

If you are prompted for a form (and it's not via renew=true) then you will be
given a new TicketGrantingTicket.

-Scott

On 9/18/07, David Pham <dpham6 at gmail.com> wrote:
>
> You've made an important distinction.  I think what I am seeing is
> multiple service tickets being generated according to the
> catalina log.  At first I thought that the logs were indicating new TGTs.
> I assume the only way to see a TGT is in the URL of the browser?
>
> Here is an example of what I am seeing in the logs.
>
> 2007-09-18 11:33:01,608 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: ezeke1>
> 2007-09-18 11:33:01,977 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-5-KEPW0asbZTA7mKTfJ7HbVxOkzcikpB5OP0a-<CAS2>] for service [http://cas.scit.com/jsp-examples/] for user [ezeke1]>
> 2007-09-18 11:33:31,269 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-6-CRc3NFncN3f2TAboWN4SZgIATmahqb4YEF4-<CAS2>] for service [http://cas.scit.com/jsp-examples/] for user [ezeke1]>
>
>
> Regards, David
>
> On 9/18/07, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> >
> > Is it generating a new TGT or a new Service Ticket?  It generates a new
> > Service Ticket for every request.
> >
> > If it's generating a new TGT for every request then the cookie may not be
> > being sent back to the correct server.
> >
> > -Scott
> >
> > On 9/18/07, David Pham < dpham6 at gmail.com> wrote:
> > >
> > > Scott,
> > > I am implementing the jbossCache which is not working correctly.  That
> > > aside, is it functionally correct that the same CAS instance would generate
> > > multiple tickets for one client session?  For example, a first time
> > > authentication generates a ticket.  Let's say the user browses to a different
> > > application then returns to the same casified app.  Once again a new ticket
> > > is generated for that session.  My understanding is that the same TGC is
> > > used for reauthentication unless the user logs off or terminates the
> > > session.
> > >
> > > Regards, David
> > >
> > > On 9/17/07, Scott Battaglia < scott.battaglia at gmail.com> wrote:
> > > >
> > > > David,
> > > >
> > > > Unless you've enabled a distributed Ticket store (i.e. The
> > > > JBossCache one), you may see new tickets generated (as each server maintains
> > > > its own collection of tickets).
> > > >
> > > > -Scott
> > > >
> > > > On 9/17/07, David Pham <dpham6 at gmail.com> wrote:
> > > > >
> > > > > Thank you all for the input.  I was able to enable SSL support for
> > > > > my apache loadbalancer and it does a good job of balancing requests to my
> > > > > CAS in a round-robin fashion.
> > > > >
> > > > > Claudio - I'm not sure if my certificates are set up like you
> > > > > stated.  Basically I created a cert for my apache and each of my CASes have
> > > > > a cert.  It appears that when a client is directed to the loadbalancer, only
> > > > > the cert for my apache is used.  In addition I believe sticky sessions is
> > > > > enabled by default, but I'll double-check my configurations and make sure
> > > > > it's implemented.
> > > > >
> > > > > Andrew - I'm using mod_jk.  I'll add the configs as suggested.
> > > > >
> > > > > One last thing, I'm not sure if this issue is related or a side
> > > > > effect of the load balancer, but it appears my CAS instances are constantly
> > > > > generating new tickets even for the same client session.  After
> > > > > authentication, the client receives a TGC and each time the same casified
> > > > > application is accessed, a new TGC is generated without regard to the existing
> > > > > ticket.  Is this normal behavior?
> > > > >
> > > > > Regards, David
> > > > >
> > > > > On 9/17/07, Andrew R Feller < afelle1 at lsu.edu> wrote:
> > > > > >
> > > > > > David,
> > > > > >
> > > > > > If you are using Apache HTTPD and Tomcat, then you can use
> > > > > > either mod_jk or the newer mod_proxy_ajp module.  I have used both and find
> > > > > > them both fairly easy to use.  The only security concern I am aware of is
> > > > > > with the Connector used for the AJP communication over port 8009.  Specify
> > > > > > the address attribute to localhost (127.0.0.1) in order to avoid
> > > > > > it receiving requests from only Apache HTTPD on the machine it runs on:
> > > > > >
> > > > > > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> > > > > >            tomcatAuthentication="false" address="127.0.0.1"
> > > > > >            enableLookups="false" />
> > > > > >
> > > > > > HTH,
> > > > > >
> > > > > > Andrew R Feller, Analyst
> > > > > > Subversion Administrator
> > > > > > University Information Systems
> > > > > > Louisiana State University
> > > > > > afelle1 at lsu.edu
> > > > > > (office) 225.578.3737
> > > > > >
> > > > > > *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
> > > > > > *On Behalf Of *Scott Battaglia
> > > > > > *Sent:* Saturday, September 15, 2007 10:43 PM
> > > > > > *To:* Yale CAS mailing list
> > > > > > *Subject:* Re: front ending tomcat with apache2
> > > > > >
> > > > > > David,
> > > > > >
> > > > > > I believe most people just use mod_jk between the Apache server
> > > > > > and Tomcat.  I'm not aware of any additional secure configuration you can do
> > > > > > to mod_jk.
> > > > > >
> > > > > > Your Apache's http connector obviously should be SSL ;-)
> > > > > >
> > > > > > -Scott
> > > > > >
> > > > > > On 9/14/07, *David Pham* <dpham6 at gmail.com> wrote:
> > > > > >
> > > > > > I am front ending my CASes, which run on Tomcat 5.5, with an
> > > > > > Apache2 load balancer that uses mod_jk and I am assuming
> > > > > > a SSL connector will be needed in order for the load balancer to
> > > > > > redirect requests to the CAS servers.  Does anyone have
> > > > > > any useful documentation on how this can be done?
> > > > > >
> > > > > > Thank you in advance.
> > > > > >
> > > > > > David
> > > > > >
> > > > > > _______________________________________________
> > > > > > Yale CAS mailing list
> > > > > > cas at tp.its.yale.edu
> > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > -Scott Battaglia
> > > > > >
> > > > > > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > -Scott Battaglia
> > > >
> > > > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >
> >
> >
>
>
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
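An added example (not code from this thread or from the CAS project) of checking Andrew's point about the AJP connector: given the text of a Tomcat server.xml, it flags any AJP/1.3 Connector that is not bound to a loopback address and so would accept AJP requests from other hosts. The two server.xml fragments are constructed for illustration, one with the weak (unbound) connector and one with the hardened form quoted in the thread.

```python
import xml.etree.ElementTree as ET
from typing import List

# Addresses that keep the AJP listener reachable only from the local host.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: AJP connector with no address attribute, so Tomcat
# binds it to every interface and any host that can reach port 8009 may
# talk AJP to it directly, bypassing the Apache front end.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

# Constructed sample matching the hardened connector from the thread.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             tomcatAuthentication="false" address="127.0.0.1"
             enableLookups="false" />
</Service></Server>"""


def audit_ajp_connectors(server_xml: str) -> List[str]:
    """Return one finding per AJP connector that is not bound to loopback.

    An empty list means every AJP connector in the file is local-only.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None:
            findings.append(
                f"AJP connector on port {port}: no address attribute, "
                "listening on all interfaces")
        elif address not in LOOPBACK:
            findings.append(
                f"AJP connector on port {port}: bound to {address}, "
                "not a loopback address")
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml) or ["OK: AJP bound to loopback"])
```

Run it against a real server.xml by reading the file into a string; connectors bound to a non-loopback address are also reported, since address alone is not enough unless it is local.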