Clustering CAS using JBoss
Lawrence Andreutti
Lawrence.Andreutti at activenetwork.com
Wed Mar 12 13:50:09 EDT 2008
Hi Scott,
I think we may have different interpretations of what constitutes a
"lock". This is the code that I'm referring to in the
DefaultTicketRegistryCleaner:
    synchronized (this.ticketRegistry) {
        log.info(ticketsToRemove.size() + " found to be removed. Removing now.");
        for (final Iterator iter = ticketsToRemove.iterator(); iter.hasNext();) {
            final Ticket ticket = (Ticket) iter.next();
            this.ticketRegistry.deleteTicket(ticket.getId());
        }
    }
We have found that when the ticketRegistry reaches a size of around 5000
tickets, the deletes become much slower. An individual removal of a
ticket can take as much as four seconds. This can translate into well
over a minute for the registry cleaner to clean out the expired tickets.
During that period, new tickets can not be created (the code for adding
new tickets to the registry must also run within a synchronized block).
However, I appear to have found a solution for the problem. I wrote my
own registry cleaner which was pretty much a straight copy of the
original with the above code modified this way:
    log.info(ticketsToRemove.size() + " found to be removed. Removing now.");
    for (final Iterator iter = ticketsToRemove.iterator(); iter.hasNext();) {
        final Ticket ticket = (Ticket) iter.next();
        synchronized (this.ticketRegistry) {
            this.ticketRegistry.deleteTicket(ticket.getId());
        }
    }
This is not as efficient because of all the additional locking and
unlocking of the ticket registry lock flag. While the registry cleaner
may still take a minute or more to run with a large number of tickets,
it does not impact the creation of new tickets (they will not have to
wait in the ticketRegistry lock pool for more than a few seconds).
Larry Andreutti
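The effect of the two locking scopes discussed above on ticket creation can be measured with a stand-alone program. This is an added example, not code from the original message or from CAS: SlowRegistry, the ticket ids and the timings are constructed, and it uses a fair ReentrantLock in place of synchronized, because Java's intrinsic locks do not guarantee that a waiting thread gets the lock between two iterations of the cleaner.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.locks.ReentrantLock;

// Added illustration: SlowRegistry is a hypothetical stand-in, not a CAS class.
public class CleanerLockDemo {

    /** Registry whose delete is artificially slow, as described in the message. */
    static final class SlowRegistry {
        // Fair lock (an assumption of this example): the longest-waiting thread
        // gets the lock next. Intrinsic "synchronized" locks give no such guarantee.
        final ReentrantLock lock = new ReentrantLock(true);
        private final Set<String> tickets = new HashSet<>();
        private final long deleteMillis;

        SlowRegistry(long deleteMillis) { this.deleteMillis = deleteMillis; }

        /** Ticket creation path: needs the same lock the cleaner uses. */
        void addTicket(String id) {
            lock.lock();
            try { tickets.add(id); } finally { lock.unlock(); }
        }

        /** Caller must hold the lock, mirroring the cleaner code in the message. */
        void deleteTicket(String id) {
            try {
                Thread.sleep(deleteMillis);          // simulated slow removal
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
            tickets.remove(id);
        }
    }

    /** Runs one cleaner pass; returns the longest time (ms) a concurrent addTicket was blocked. */
    static long worstAddWaitMillis(boolean lockPerTicket, int expired, long deleteMillis)
            throws InterruptedException {
        SlowRegistry registry = new SlowRegistry(deleteMillis);
        List<String> ticketsToRemove = new ArrayList<>();
        for (int i = 0; i < expired; i++) {
            String id = "ST-expired-" + i;           // constructed ticket ids
            registry.addTicket(id);
            ticketsToRemove.add(id);
        }

        Thread cleaner = new Thread(() -> {
            if (lockPerTicket) {
                // Lock taken and released around every single delete.
                for (String id : ticketsToRemove) {
                    registry.lock.lock();
                    try { registry.deleteTicket(id); } finally { registry.lock.unlock(); }
                }
            } else {
                // One lock held for the whole cleaning pass.
                registry.lock.lock();
                try {
                    for (String id : ticketsToRemove) { registry.deleteTicket(id); }
                } finally { registry.lock.unlock(); }
            }
        });
        cleaner.start();
        Thread.sleep(deleteMillis / 2);              // let the cleaner take the lock first

        // Simulated login traffic: keep issuing tickets while the cleaner runs.
        long worstNanos = 0;
        int issued = 0;
        while (cleaner.isAlive()) {
            long start = System.nanoTime();
            registry.addTicket("TGT-new-" + issued++);
            worstNanos = Math.max(worstNanos, System.nanoTime() - start);
            Thread.sleep(1);
        }
        cleaner.join();
        return worstNanos / 1_000_000;
    }

    public static void main(String[] args) throws InterruptedException {
        int expired = 50;        // constructed: number of expired tickets
        long deleteMillis = 20;  // constructed: cost of one delete
        System.out.println("one lock for the whole pass: worst add wait = "
                + worstAddWaitMillis(false, expired, deleteMillis) + " ms");
        System.out.println("one lock per ticket:         worst add wait = "
                + worstAddWaitMillis(true, expired, deleteMillis) + " ms");
    }
}
```

With the constructed values, the whole-pass lock blocks ticket creation for roughly the duration of the entire pass, while the per-ticket lock blocks it for roughly one delete.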
-----Original Message-----
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of cas-request at tp.its.yale.edu
Sent: March 11, 2008 8:03 AM
To: cas at tp.its.yale.edu
Subject: cas Digest, Vol 58, Issue 14
Today's Topics:
1. Clustering CAS using JBoss (Lawrence Andreutti)
2. cas + apache + svn (m.garuti at quix.it)
3. Re: Both krb5.conf and jcifsConfig needed? (Arnaud Lesueur)
4. Re: Clustering CAS using JBoss (Scott Battaglia)
5. Re: JBossCache Ticket Registry performance under load?
(Scott Battaglia)
6. Re: Clustering CAS - why tomcat session replication?
(Scott Battaglia)
7. Re: How do I get access to Service Registry information in
the view? (Scott Battaglia)
8. Re: Both krb5.conf and jcifsConfig needed? (Michael Ströder)
9. Re: cas + apache + svn (Matt Smith)
10. Re: cas + apache + svn (Isaac Vetter)
11. Re: CAS Client 3.1.1 (Teggo Lam)
12. Bypassing CAS Authentication system (Bocken Stefan)
13. password remembering in casLoginView.jsp (jehan procaccia)
14. Re: cas + apache + svn (Matt Smith)
15. [Urgent] CAS Client 3.1.1 (Teggo Lam)
16. Re: [Urgent] CAS Client 3.1.1 (Scott Battaglia)
----------------------------------------------------------------------
Message: 1
Date: Mon, 10 Mar 2008 09:18:19 -0700
From: "Lawrence Andreutti" <Lawrence.Andreutti at activenetwork.com>
Subject: Clustering CAS using JBoss
To: <cas at tp.its.yale.edu>
Message-ID:
<7BB71277042A1845BC3ACADE7A621E540181A5F0 at exchange.classinfo.com>
Content-Type: text/plain; charset="us-ascii"
Hi,
Does anyone have any experience clustering CAS using JBoss? We
are experiencing a problem with the ticket registry becoming "locked"
after we reach a threshold of about 5000 tickets. Specifically, it
looks like the DefaultTicketRegistryCleaner locks while it is looping
through and deleting the expired tickets. We are considering writing
our own registry cleaner to get around the problem and we were wondering
if anyone else has experienced a similar issue. If so, did you write
your own registry cleaner (in which case I'm hoping you'd be willing to
share the code) or did you find another way to solve it? Any help would
be appreciated. Thanks.
Larry Andreutti
The Active Network
------------------------------
Message: 2
Date: Mon, 10 Mar 2008 18:13:06 +0100
From: "m.garuti at quix.it" <m.garuti at quix.it>
Subject: cas + apache + svn
To: cas at tp.its.yale.edu
Message-ID:
<24929741.60571205169187023.JavaMail.root at srvpro.quix.locale>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi,
I have a customer that wants to integrate a .net application with svn
repository (to version xml files from .net code)
There are also other modules that are written in java and are under cas
server.
the schema is:
1. user ==> .net app (non-web) ==> svn repository
2. user (browser) ==> webapp under cas
For schema 2 there is no problem...
For schema 1, I know svn runs under apache and there is a module for
cas+apache (mod_auth_cas)
the question is: is it possible to integrate apache+svn+cas? so only cas
knows how to authenticate users..
thanks in advance
paco
------------------------------
Message: 3
Date: Mon, 10 Mar 2008 21:18:58 +0100
From: "Arnaud Lesueur" <arnaud.lesueur at gmail.com>
Subject: Re: Both krb5.conf and jcifsConfig needed?
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID:
<e2e8e17d0803101318ta4aba78j7670644b7c402782 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
krb5.conf is only used for test
Regards,
-Arnaud
On Sun, Mar 9, 2008 at 1:31 PM, Michael Ströder <michael at stroeder.com> wrote:
> HI!
>
> First, many thanks for providing CAS.
>
> I'm testing CAS with SPNEGO and it works just fine following the docs on
> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO
>
> But I have one question: Is it necessary to really have both a krb5.conf
> *and* the jcifsConfig? Or would it be possible to just use the jcifsConfig
> with the properties jcifsServicePrincipal and jcifsServicePassword? In this
> case the step with ktpass and transferring the keytab would also not be
> needed. And deployment would be much easier since I just would have to
> install a single .war file. Maybe the docs only mention /etc/krb5.conf for
> testing the configuration with the MIT utils?
>
> I temporarily removed /etc/krb5.conf and it seems to still work. But I'd be
> glad to get a definitive answer from somebody who really knows. Also, are
> there any security considerations when solely using the jcifsConfig? I
> thought about this myself but the Tomcat server would need read access to a
> server keytab anyway.
>
> Ciao, Michael.
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
--
Arnaud Lesueur
LinkedIn: http://www.linkedin.com/in/lesueur
------------------------------
Message: 4
Date: Mon, 10 Mar 2008 16:46:40 -0400
From: "Scott Battaglia" <scott.battaglia at gmail.com>
Subject: Re: Clustering CAS using JBoss
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID:
<1bbd36a10803101346q365ce9d8y6a2d355aaacd93f7 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
The registry cleaner doesn't do any locking when it goes through and
deletes.
-Scott
On Mon, Mar 10, 2008 at 12:18 PM, Lawrence Andreutti <
Lawrence.Andreutti at activenetwork.com> wrote:
> Hi,
>
> Does anyone have any experience clustering CAS using JBoss? We are
> experiencing a problem with the ticket registry becoming "locked" after we
> reach a threshold of about 5000 tickets. Specifically, it looks like the
> DefaultTicketRegistryCleaner locks while it is looping through and deleting
> the expired tickets. We are considering writing our own registry cleaner to
> get around the problem and we were wondering if anyone else has experienced
> a similar issue. If so, did you write your own registry cleaner (in which
> case I'm hoping you'd be willing to share the code) or did you find another
> way to solve it? Any help would be appreciated. Thanks.
>
> Larry Andreutti
>
> The Active Network
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
------------------------------
Message: 5
Date: Mon, 10 Mar 2008 16:47:54 -0400
From: "Scott Battaglia" <scott.battaglia at gmail.com>
Subject: Re: JBossCache Ticket Registry performance under load?
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID:
<1bbd36a10803101347y4d4c4df0n7ed12d728f4724db at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Pat,
We saw a bunch of replication errors also. We haven't had too much time to
delve into it as we had to loadtest a large set of scenarios (distributed,
database, single machine). If you find anything interesting or an optimal
configuration please let the list know and update it in Confluence, if you
can ;-)
Thanks
-Scott
On Sun, Mar 9, 2008 at 9:24 AM, Pat Hennessy <lists-cas at dtcc.edu> wrote:
>
> So the first message I got was..
>
> 2008-03-06 23:51:20,838 ERROR
> [org.jasig.cas.ticket.registry.JBossCacheTicketRegistry] -
> <org.jboss.cache.ReplicationException: rsp=sender=138.123.130.81:32772,
> retval=null, received=false, suspected=false>
> org.jboss.cache.ReplicationException: rsp=sender=138.123.130.81:32772,
> retval=null, received=false, suspected=false
>
> I found an old message on the list..
>
> http://tp.its.yale.edu/pipermail/cas/2006-September/003412.html
>
> I'm using our VMWare Infrastructure for our two nodes. I had them on
> two different hosts, so I then moved them to the same VMWare host and
> everything appeared to be better. So, next week I plan on talking to
> the network guy about using multicast on that switch (I had spoken to
> him earlier and he thought the settings on it should be fine).
>
> I left one of my casified apps in the browser all night. This app does
> a page refresh and uses one of the apache modules, so it's been helpful
> in finding these problems.
>
> The next day, I found another exception...
>
> 2008-03-08 11:02:09,130 ERROR
> [org.apache.catalina.core.ContainerBase.[Catalina].[c-cas-02.dtcc.edu].[/cas].[cas]]
> - <Servlet.service() for servlet cas threw exception>
> org.jboss.cache.lock.TimeoutException: Response timed out:
> sender=138.123.130.81:32772, retval=null, received=false, suspected=false
>
> These are happening on either node and it does appear that I get
> tickets and appear validated from both nodes. So the clustering is
> working ok, but there seems to be a timing issue.
>
> Did some more searching and saw references on some Japanese site for
> some totally different application to the "SyncReplTimeout" value. I
> also found some document on Redhat's site about setting up JBoss. So, I
> made some adjustments to the different timeouts. I think I read
> something somewhere on some JBoss site that some timeouts need to be
> shorter than others. I'm no Tomcat or JBoss expert, but I set the below
> settings and I think it's been behaving as expected..
>
> <attribute name="InitialStateRetrievalTimeout">15000</attribute>
>
> <attribute name="SyncReplTimeout">20000</attribute>
>
> <attribute name="LockAcquisitionTimeout">25000</attribute>
>
> I also wonder if the JBoss replication stuff is dependent on the system
> clock. I noticed one of them was off and had to fiddle with ntp.
>
> My next goal is to load test logins with JMeter. I did try another
> program that someone posted on the list, but I thought JMeter looked
> better. I haven't exactly gotten that one working yet. But just
> hitting the servers with page retrievals doesn't seem to cause any
> exceptions.
>
> Pat
>
> On 3/7/08 5:25 PM, Pat Hennessy wrote:
> > On 7/23/2007 11:45 AM, Brian Donnelly wrote:
> >> Thanks Scott,
> >>
> >> I've attached my jbossCache.xml config file. It is almost identical to
> >> the jbossTestCache.xml configuration included in CAS 3.0.6. I did have to
> >> comment out the authentication protocol version tag because it was
> >> generating errors.
> >>
> >> If anyone has any pointers or would be willing to send their JBossCache
> >> configuration parameters, I'd be very appreciative.
> >>
> >
> > Brian,
> >
> > Did you ever find a fix for the org.jboss.cache.ReplicationException
> > error you found?
> >
> > I just setup the jboss replication using the directions on the CAS wiki
> > (and the jbossTestCache.xml file). On the dev cluster, I didn't get the
> > error. After putting it on our new to be production cluster, I've been
> > finding the same error showing up as a RuntimeException with some of our
> > test apps. I don't think we are putting these services under any real load
> > though.
> >
> > Pat
> >
> >> Thanks,
> >>
> >> Brian Donnelly
> >> --
> >> Brian Donnelly
> >> University of California, Davis
> >> Information and Educational Technology
> >> Middleware Team
> >> (530) 754-5909
> >> bdonnelly at ucdavis.edu
> >>
> >> -----Original Message-----
> >> From: Scott Battaglia [mailto:scott.battaglia at gmail.com]
> >> Sent: Fri 7/20/2007 6:29 AM
> >> To: Brian Donnelly; Yale CAS mailing list
> >> Subject: Re: JBossCache Ticket Registry performance under load?
> >>
> >> Brian,
> >>
> >> We don't deploy that at Rutgers so I can't comment on that. A few people
> >> have deployed it in production without issues. Maybe you can include your
> >> configuration file and those who have deployed it successfully can compare
> >> it to theirs if they get a minute (hopefully).
> >>
> >> Thanks
> >> -Scott
> >>
> >> On 7/18/07, Brian Donnelly <bdonnelly at ucdavis.edu> wrote:
> >>> Hi all,
> >>>
> >>> We're getting ready at UC Davis to switch to a JBossCache Clustered
> >>> configuration for our CAS installation. I have been load testing two
> >>> Redhat EL 5 clustered nodes running CAS 3.0.6 using the default
> >>> JBossCache implementation, (UDP multicast.)
> >>>
> >>> I've been using JMeter to generate ~7 login actions per second. Both
> >>> clustered servers perform fine for several hours. Somewhere in the
> >>> third hour of testing, I start seeing the following errors in the logs:
> >>>
> >>> 2007-07-18 13:43:54,813 ERROR
> >>> [org.jasig.cas.ticket.registry.JBossCacheTicketRegistry] -
> >>> <org.jboss.cache.ReplicationException: rsp=sender=169.237.104.235:53768,
> >>> retval=null, received=false, suspected=false>
> >>>
> >>> and
> >>>
> >>> 2007-07-18 13:48:33,448 ERROR
> >>> [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas].[cas]]
> >>> - <Servlet.service() for servlet cas threw exception>
> >>>
> >>> These start piling up until both servers stop responding to incoming
> >>> requests. A restart is required to restore service.
> >>>
> >>> Has anyone else encountered errors of this type in their testing of the
> >>> JBossCache registry?
> >>>
> >>> Thanks,
> >>>
> >>> Brian Donnelly
> >>> --
> >>> Brian Donnelly
> >>> University of California, Davis
> >>> Information and Educational Technology
> >>> Middleware Team
> >>> (530) 754-5909
> >>> bdonnelly at ucdavis.edu
> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Pat Hennessy, RHCE (path at dtcc.edu)
>
> Senior Systems Specialist
> Division of Information and Educational Technology
> Delaware Technical and Community College
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
------------------------------
Message: 6
Date: Mon, 10 Mar 2008 16:49:53 -0400
From: "Scott Battaglia" <scott.battaglia at gmail.com>
Subject: Re: Clustering CAS - why tomcat session replication?
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID:
<1bbd36a10803101349rb9f5126v2e140d83af6e981c at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
All of the information required by a flow is base64 encoded into a request
parameter using this method. So the flow can be reconstructed on any
machine.
The default CAS instance doesn't store anything sensitive in the repository
so the default should be fine. Your only concern could be older browsers
that improperly cache POST results.
-Scott
On Fri, Mar 7, 2008 at 3:06 PM, Andrew R Feller <afelle1 at lsu.edu> wrote:
> Hey Scott,
>
> I did search the archives (
> http://www.nabble.com/CAS-Cluster-without-sticky-sessions-to7583161.html#a7584962)
> as we were interested in this issue, too. After reading the documentation
> on the ClientContinuationFlowExecutionRepository, we think we can live with
> it once we customize it a little. However, we have the concern whether one
> CAS server can continue the flow execution from another using this only.
>
> How much do you know about this?
>
>
>
> Thanks,
>
> Andy
>
>
>
> Andrew R Feller, Analyst
>
> University Information Systems
>
> 200 Fred Frey Building
>
> Louisiana State University <http://www.lsu.edu/>
>
> Baton Rouge, LA, 70803
>
> (225) 578-3737 (Office)
>
> (225) 578-6400 (Fax)
>
>
> ------------------------------
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
> *On Behalf Of* Scott Battaglia
> *Sent:* Wednesday, March 05, 2008 8:31 AM
> *To:* Yale CAS mailing list
> *Subject:* Re: Clustering CAS - why tomcat session replication?
>
> If you search our archives a little bit, you will find some details on
> ways to reconfigure the Spring Web Flow such that it doesn't require
> sessions. If you do that you should ensure that your users use relatively
> recent browsers that won't have any issues with the back button resubmitting
> POSTs (such as the credentials you provided).
>
> -Scott
>
> On Wed, Mar 5, 2008 at 5:56 AM, Arnaud Lesueur <arnaud.lesueur at gmail.com>
> wrote:
>
> Step 2 is required for load balancing without a frontal load balancer
> which handles sticky sessions in front (the login webflow is using tomcat
> session)
>
> In case of a simple failover, this step is not mandatory.
>
> Regards,
>
> -Arnaud
>
> On Wed, Mar 5, 2008 at 9:49 AM, Ina Müller <
> ina.mueller at zdv.uni-tuebingen.de> wrote:
>
> Hello,
>
> we want to use CAS in a HA solution, so I had a look at
> http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS.
>
> It describes three steps:
> 1.- Ticket Uniqueness
> 2.- Tomcat Session Replication
> 3.- Ticket Cache Replication
>
> Steps 1 and 3 are clear. But for what scenario do I need step 2?
> What CAS specific stuff in session state has to be replicated?
> Isn't it enough to distribute the TGTs among the CAS servers to have a
> failover solution?
>
> Or let's restate the question: if I omit step 2, what can go wrong in case
> of failover to another server?
>
> Thank you for your help, Ina
>
> --
> Arnaud Lesueur
>
> LinkedIn: http://www.linkedin.com/in/lesueur
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
------------------------------
Message: 7
Date: Mon, 10 Mar 2008 17:47:13 -0400
From: "Scott Battaglia" <scott.battaglia at gmail.com>
Subject: Re: How do I get access to Service Registry information in
the view?
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID:
<1bbd36a10803101447u2cf3a769h611ea8d56941031f at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Lucas,
Because of the CentralAuthenticationService interface being what it is we
can't return the service via that method. Your best bet is to create a
HandlerInterceptor at the web tier and obtain the service via the
ServiceManager (similar to what the ServiceThemeResolver does) and place
that in the model so that you have access to it.
-Scott
On Tue, Mar 4, 2008 at 5:23 PM, Lucas Rockwell <lr at berkeley.edu> wrote:
> Hi all,
>
> I am using the Service Registry and I want to be able to put
> something like the following on the login page:
>
> "Authentication for 'xyz service'"
>
> Where 'xyz service' is the "name" of the service in the registry. How
> do I get access to this information in the view?
>
> I apologize if this has been answered before, but I have looked
> through my past emails, and could not find anything on the subject.
>
> Many thanks.
>
> -lucas
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
------------------------------
Message: 8
Date: Mon, 10 Mar 2008 23:41:36 +0100
From: Michael Ströder <michael at stroeder.com>
Subject: Re: Both krb5.conf and jcifsConfig needed?
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Message-ID: <47D5B920.1060007 at stroeder.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Arnaud Lesueur wrote:
>> On Sun, Mar 9, 2008 at 1:31 PM, Michael Ströder <michael at stroeder.com
>> <mailto:michael at stroeder.com>> wrote:
>>
>> I'm testing CAS with SPNEGO and it works just fine following the docs on
>> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO
>>
>> But I have one question: Is it necessary to really have both a krb5.conf
>> *and* the jcifsConfig? Or would it be possible to just use the jcifsConfig
>> with the properties jcifsServicePrincipal and jcifsServicePassword?
>
> krb5.conf is only used for test
Thanks for responding.
So I don't need the step with ktpass and copying the server's keytab to the
CAS system either?
Ciao, Michael.
------------------------------
Message: 9
Date: Mon, 10 Mar 2008 20:48:38 -0400
From: "Matt Smith" <matt at forsetti.com>
Subject: Re: cas + apache + svn
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID:
<44a3206d0803101748o4fe67ce1iea347eaec33adef0 at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
It *is* possible to protect SVN's simple browser access with CAS.
It *is not* possible to protect SVN access from non-browser access, such as
the command line svn tools, or TortoiseSVN, etc.
Personally, I use Kerberos as the primary authentication system. My CAS
server authenticates against Kerberos, and my web apps are CAS-enabled. My
non-web apps are Kerberos-enabled. I use mod_auth_kerb to protect my SVN
repository. The svn command line tools, and TortoiseSVN support kerberized
("negotiate" or SPNEGO) access.
I use CAS to protect Trac (or any other web based subversion display such as
ViewVCS).
HTH,
-Matt
On Mon, Mar 10, 2008 at 1:13 PM, m.garuti at quix.it <m.garuti at quix.it>
wrote:
> Hi,
>
> I have a customer that wants to integrate a .net application with svn
> repository (to version xml files from .net code)
> There are also other modules that are written in java and are under cas
> server.
>
> the schema is:
>
> 1. user ==> .net app (non-web) ==> svn repository
> 2. user (browser) ==> webapp under cas
>
> For schema 2 there is no problem...
> For schema 1, I know svn runs under apache and there is a module for
> cas+apache (mod_auth_cas)
>
> the question is: is it possible to integrate apache+svn+cas? so only cas
> knows how to authenticate users..
>
> thanks in advance
> paco
>
--
matt at forsetti.com
Key ID:D6EEC5B5
------------------------------
Message: 10
Date: Mon, 10 Mar 2008 22:01:52 -0400
From: "Isaac Vetter" <ivetter at math.purdue.edu>
Subject: Re: cas + apache + svn
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID:
<bbc696260803101901t654007c0w2b102de20cfa2b5e at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
On Mon, Mar 10, 2008 at 8:48 PM, Matt Smith <matt at forsetti.com> wrote:
> It *is* possible to protect SVN's simple browser access with CAS.
>
> It *is not* possible to protect SVN access from non-browser access, such
> as the command line svn tools, or TortoiseSVN, etc.
Hi Matt, Paco;
I'm not sure if I'm disagreeing with the previous email or clarifying it. At
any rate, this is probably off-topic.
apache+svn+cas is possible, and can be secured.
One of the options for running subversion is to use apache as the svn
server, thereby allowing you to use any apache authentication modules.
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html
In this case, even "non-browser" access (GUI clients and the command line
client) access the repository over HTTP(s) through apache.
By requiring authentication via mod_auth_cas in apache and not running
svnserve and securing the filesystem of the svn repository, the only way to
access the repository is through CAS.
Isaac Vetter
On Mon, Mar 10, 2008 at 1:13 PM, m.garuti at quix.it <m.garuti at quix.it>
wrote:
>
> > Hi,
> >
> > I have a customer that wants to integrate a .net application with svn
> > repository (to version xml files from .net code)
> > There are also other modules that are written in java and are under cas
> > server.
> >
> > the schema is:
> >
> > 1. user ==> .net app (non-web) ==> svn repository
> > 2. user (browser) ==> webapp under cas
> >
> > For schema 2 there is no problem...
> > For schema 1, I know svn runs under apache and there is a module for
> > cas+apache (mod_auth_cas)
> >
> > the question is: is it possible to integrate apache+svn+cas? so only cas
> > knows how to authenticate users..
>
>
------------------------------
Message: 11
Date: Tue, 11 Mar 2008 09:15:20 +0000
From: "Teggo Lam" <teggolam at gmail.com>
Subject: Re: CAS Client 3.1.1
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID:
<656eaecb0803110215w19645844v950296244407aa9d at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Thanks Scott, but now I have another ERROR:
com.liferay.portal.NoSuchUserException: No User exists with the primary key 0
com.liferay.portal.NoSuchUserException: No User exists with the primary key 0
at com.liferay.portal.service.persistence.UserPersistenceImpl.findByPrimaryKey(UserPersistenceImpl.java:228)
*****************************************
I think that the problem is on the key provided by CAS server to Liferay
after authenticating user?!!
I have another question about the document above
"http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out"
Could you tell me what would you mean by:
Where Single Sign Out Doesn't Work
Does it mean that we can not configure SSOut when the session management
consists of cookies???
I tell you this because I use Liferay and its session management consists of
cookies!!!!
Thanks for reply and Sorry for my bad English
------------------------------
Message: 12
Date: Tue, 11 Mar 2008 13:51:04 +0100
From: "Bocken Stefan" <Stefan.Bocken at is4u.be>
Subject: Bypassing CAS Authentication system
To: <cas at tp.its.yale.edu>
Message-ID:
<163D0C6CE33E4648B4C98FC6756A68ABF64C29 at ws03-exchange.iconos.be>
Content-Type: text/plain; charset="us-ascii"
Hi all,
I have a question regarding the authentication system of CAS. In short I
want to bypass the authentication system and create the session myself.
Because I'm trying to federate between two CAS servers my user is logged
in on the Identity Provider side and I have attributes like username and
serviceID.
Now I want to know if it is possible to create my own session. If so,
where can I find more information about this?
Many thanks and best regards
Stefan Bocken
------------------------------
Message: 13
Date: Tue, 11 Mar 2008 14:14:48 +0100
From: jehan procaccia <jehan.procaccia at int-evry.fr>
Subject: password remembering in casLoginView.jsp
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Message-ID: <47D685C8.2010802 at int-evry.fr>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
hello
since I upgraded to cas 3.1.2, I noticed that by default users can now
"remember" typed password :-( !
I removed that "feature" by setting autocomplete="off" in the
corresponding jsp:
[root at cas1 ~/cas-toolbox-3.1.2-1/custom.tmsp1/webpages/WEB-INF/view/jsp/tmsp1Vues/ui]
$ grep "autocomplete=\"off\"" casLoginView.jsp
<form:password cssClass="required" cssErrorClass="error" id="password"
size="25" tabindex="2" path="password"
accesskey="${passwordAccessKey}" autocomplete="off" htmlEscape="true" />
Is there a reason why this remembering feature had been reintroduced ?
Older releases didn't allow that by default.
It seems to me as being a security issue !?
Thanks.
------------------------------
Message: 14
Date: Tue, 11 Mar 2008 09:15:57 -0400
From: "Matt Smith" <matt at forsetti.com>
Subject: Re: cas + apache + svn
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID:
<44a3206d0803110615g64243aa9o7d9b71a291a8927c at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Isaac is correct, this statement needs clarification:
> It *is not* possible to protect SVN access from non-browser access, such
> as the command line svn tools, or TortoiseSVN, etc.
I should have said:
It is not possible *to use mod_auth_cas* to protect SVN access from
non-browser access, such as the command line svn tools, or TortoiseSVN, etc.
Does that help?
--
matt at forsetti.com
Key ID:D6EEC5B5
------------------------------
Message: 15
Date: Tue, 11 Mar 2008 14:05:58 +0000
From: "Teggo Lam" <teggolam at gmail.com>
Subject: [Urgent] CAS Client 3.1.1
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID:
<656eaecb0803110705l6a2b3c9ct1ba063a1fc35d599 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Please I need response, Its very urgent.
Thanks for reply
------------------------------
Message: 16
Date: Tue, 11 Mar 2008 11:02:45 -0400
From: "Scott Battaglia" <scott.battaglia at gmail.com>
Subject: Re: [Urgent] CAS Client 3.1.1
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID:
<1bbd36a10803110802v47e87925l5753179343414294 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
The CAS mailing list is a volunteer effort where people respond as best they
can to things that interest them (or that they feel qualified to answer).
Therefore, responses are not guaranteed in any timely matter (if at all).
If you have specific needs and require guaranteed support (beyond best
effort), the CAS project maintains a list of commercial entities who are
happy to provide guaranteed support and consulting services:
http://www.ja-sig.org/products/cas/community/support/index.html
We do not actively encourage or discourage people from using the commercial
support provided by these companies (nor do we endorse any). We merely list
them as a service to our users who require guaranteed support that may
extend beyond the volunteer efforts provided by those who watch the mailing
list.
Thanks
-Scott
On Tue, Mar 11, 2008 at 10:05 AM, Teggo Lam <teggolam at gmail.com> wrote:
>
>
> Please I need response, Its very urgent.
>
>
>
> Thanks for reply
>
>
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
End of cas Digest, Vol 58, Issue 14
***********************************