Clustering CAS using JBoss
Scott Battaglia
scott.battaglia at gmail.com
Wed Mar 12 14:05:13 EDT 2008
I don't think we have different definitions of lock. I think you're looking
at old code :-) Which version are you using? We don't have that in the
latest version (or most recent versions).
-Scott
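
Added example, not part of the original message and not CAS code: a self-contained Java program that runs the two cleaner loops from the quoted message below against a hypothetical `ToyRegistry` with an artificially slow `deleteTicket`, and measures how long a concurrent ticket creation waits for the registry lock. Every class and method name other than `deleteTicket`, the ticket ids and the timings are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicLong;

// Added illustration. ToyRegistry and every name except deleteTicket are hypothetical, not CAS classes.
public class CleanerLockDemo {

    /** Stand-in for a ticket registry whose removals are slow. */
    static final class ToyRegistry {
        private final Map<String, Long> tickets = new HashMap<>();
        private final long deleteCostMillis;

        ToyRegistry(long deleteCostMillis) {
            this.deleteCostMillis = deleteCostMillis;
        }

        void addTicket(String id) {
            tickets.put(id, System.currentTimeMillis());
        }

        void deleteTicket(String id) throws InterruptedException {
            Thread.sleep(deleteCostMillis); // simulated slow removal; sleep keeps the monitor held
            tickets.remove(id);
        }
    }

    /** First loop from the thread: one lock held across the whole removal batch. */
    static void cleanCoarse(ToyRegistry registry, List<String> expired) throws InterruptedException {
        synchronized (registry) {
            for (String id : expired) {
                registry.deleteTicket(id);
            }
        }
    }

    /** Second loop from the thread: the lock is taken and released around each removal. */
    static void cleanPerTicket(ToyRegistry registry, List<String> expired) throws InterruptedException {
        for (String id : expired) {
            synchronized (registry) {
                registry.deleteTicket(id);
            }
        }
    }

    /** Runs one cleaner pass beside a ticket-creating thread; returns the creator's worst wait in ms. */
    static long worstCreateWaitMillis(boolean coarse, int expiredCount, long deleteCostMillis)
            throws InterruptedException {
        ToyRegistry registry = new ToyRegistry(deleteCostMillis);
        List<String> expired = new ArrayList<>();
        for (int i = 0; i < expiredCount; i++) {
            String id = "ST-expired-" + i; // constructed ticket ids
            registry.addTicket(id);
            expired.add(id);
        }
        AtomicBoolean cleaning = new AtomicBoolean(true);
        AtomicLong worstNanos = new AtomicLong();

        Thread creator = new Thread(() -> {
            int n = 0;
            while (cleaning.get()) {
                long start = System.nanoTime();
                synchronized (registry) { // ticket creation needs the same lock as the cleaner
                    registry.addTicket("ST-new-" + n++);
                }
                worstNanos.accumulateAndGet(System.nanoTime() - start, Math::max);
                try {
                    Thread.sleep(1);
                } catch (InterruptedException e) {
                    return;
                }
            }
        });
        creator.start();
        Thread.sleep(20); // let the creator get going before the cleaner starts
        try {
            if (coarse) {
                cleanCoarse(registry, expired);
            } else {
                cleanPerTicket(registry, expired);
            }
        } finally {
            cleaning.set(false);
        }
        creator.join();
        return TimeUnit.NANOSECONDS.toMillis(worstNanos.get());
    }

    public static void main(String[] args) throws InterruptedException {
        int expired = 50;   // constructed workload: 50 expired tickets
        long costMs = 20;   // each removal takes 20 ms
        System.out.println("whole-batch lock, worst create wait (ms): "
                + worstCreateWaitMillis(true, expired, costMs));
        System.out.println("per-ticket lock,  worst create wait (ms): "
                + worstCreateWaitMillis(false, expired, costMs));
    }
}
```

Java's intrinsic locks give no fairness guarantee, so in the per-ticket variant how soon the creator gets the lock between two removals depends on JVM scheduling; the program prints what it measured rather than assuming a bound.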
On Wed, Mar 12, 2008 at 1:50 PM, Lawrence Andreutti <
Lawrence.Andreutti at activenetwork.com> wrote:
> Hi Scott,
>
> I think we may have different interpretations of what constitutes a
> "lock". This is the code that I'm referring to in the
> DefaultTicketRegistryCleaner:
>
> synchronized (this.ticketRegistry) {
>     log.info(ticketsToRemove.size() + " found to be removed. Removing now.");
>     for (final Iterator iter = ticketsToRemove.iterator(); iter.hasNext();) {
>         final Ticket ticket = (Ticket) iter.next();
>         this.ticketRegistry.deleteTicket(ticket.getId());
>     }
> }
>
> We have found that when the ticketRegistry reaches a size of around 5000
> tickets, the deletes become much slower. An individual removal of a
> ticket can take as much as four seconds. This can translate into well
> over a minute for the registry cleaner to clean out the expired tickets.
> During that period, new tickets can not be created (the code for adding
> new tickets to the registry must also run within a synchronized block).
>
> However, I appear to have found a solution for the problem. I wrote my
> own registry cleaner which was pretty much a straight copy of the
> original with the above code modified this way:
>
> log.info(ticketsToRemove.size() + " found to be removed. Removing now.");
>
> for (final Iterator iter = ticketsToRemove.iterator(); iter.hasNext();) {
>     final Ticket ticket = (Ticket) iter.next();
>     synchronized (this.ticketRegistry) {
>         this.ticketRegistry.deleteTicket(ticket.getId());
>     }
> }
>
> This is not as efficient because of all the additional locking and
> unlocking of the ticket registry lock flag. While the registry cleaner
> may still take a minute or more to run with a large number of tickets,
> it does not impact the creation of new tickets (they will not have to
> wait in the ticketRegistry lock pool for more than a few seconds).
>
> Larry Andreutti
>
>
> -----Original Message-----
> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
> On Behalf Of cas-request at tp.its.yale.edu
> Sent: March 11, 2008 8:03 AM
> To: cas at tp.its.yale.edu
> Subject: cas Digest, Vol 58, Issue 14
>
> Today's Topics:
>
> 1. Clustering CAS using JBoss (Lawrence Andreutti)
> 2. cas + apache + svn (m.garuti at quix.it)
> 3. Re: Both krb5.conf and jcifsConfig needed? (Arnaud Lesueur)
> 4. Re: Clustering CAS using JBoss (Scott Battaglia)
> 5. Re: JBossCache Ticket Registry performance under load?
> (Scott Battaglia)
> 6. Re: Clustering CAS - why tomcat session replication?
> (Scott Battaglia)
> 7. Re: How do I get access to Service Registry information in
> the view? (Scott Battaglia)
> 8. Re: Both krb5.conf and jcifsConfig needed? (Michael Ströder)
> 9. Re: cas + apache + svn (Matt Smith)
> 10. Re: cas + apache + svn (Isaac Vetter)
> 11. Re: CAS Client 3.1.1 (Teggo Lam)
> 12. Bypassing CAS Authentication system (Bocken Stefan)
> 13. password remembering in casLoginView.jsp (jehan procaccia)
> 14. Re: cas + apache + svn (Matt Smith)
> 15. [Urgent] CAS Client 3.1.1 (Teggo Lam)
> 16. Re: [Urgent] CAS Client 3.1.1 (Scott Battaglia)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 10 Mar 2008 09:18:19 -0700
> From: "Lawrence Andreutti" <Lawrence.Andreutti at activenetwork.com>
> Subject: Clustering CAS using JBoss
> To: <cas at tp.its.yale.edu>
> Message-ID:
>
> <7BB71277042A1845BC3ACADE7A621E540181A5F0 at exchange.classinfo.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
>
>
> Does anyone have any experience clustering CAS using JBoss? We
> are experiencing a problem with the ticket registry becoming "locked"
> after we reach a threshold of about 5000 tickets. Specifically, it
> looks like the DefaultTicketRegistryCleaner locks while it is looping
> through and deleting the expired tickets. We are considering writing
> our own registry cleaner to get around the problem and we were wondering
> if anyone else has experienced a similar issue. If so, did you write
> your own registry cleaner (in which case I'm hoping you'd be willing to
> share the code) or did you find another way to solve it? Any help would
> be appreciated. Thanks.
>
>
>
> Larry Andreutti
>
> The Active Network
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Mar 2008 18:13:06 +0100
> From: "m.garuti at quix.it" <m.garuti at quix.it>
> Subject: cas + apache + svn
> To: cas at tp.its.yale.edu
> Message-ID:
> <24929741.60571205169187023.JavaMail.root at srvpro.quix.locale>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi,
>
> I have a customer that wants to integrate a .net application with svn
> repository (to version xml files from .net code)
> There are also other modules that are written in java and are under cas
> server.
>
> the schema is:
>
> 1. user ==> .net app (non-web) ==> svn repository
> 2. user (browser) ==> webapp under cas
>
> For schema 2 there is no problem...
> For schema 1, I know svn runs under apache and there is a module for
> cas+apache (mod_auth_cas)
>
> the question is: is it possible to integrate apache+svn+cas? so only cas
> knows how to authenticate users..
>
> thanks in advance
> paco
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Mar 2008 21:18:58 +0100
> From: "Arnaud Lesueur" <arnaud.lesueur at gmail.com>
> Subject: Re: Both krb5.conf and jcifsConfig needed?
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <e2e8e17d0803101318ta4aba78j7670644b7c402782 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> krb5.conf is only used for test
>
> Regards,
>
> -Arnaud
>
> On Sun, Mar 9, 2008 at 1:31 PM, Michael Ströder <michael at stroeder.com>
> wrote:
>
> > HI!
> >
> > First, many thanks for providing CAS.
> >
> > I'm testing CAS with SPNEGO and it works just fine following the docs on
> > http://www.ja-sig.org/wiki/display/CASUM/SPNEGO
> >
> > But I have one question: Is it necessary to really have both a krb5.conf
> > *and* the jcifsConfig? Or would it be possible to just use the jcifsConfig
> > with the properties jcifsServicePrincipal and jcifsServicePassword? In this
> > case the step with ktpass and transferring the keytab would also not be
> > needed. And deployment would be much easier since I just would have to
> > install a single .war file. Maybe the docs only mention /etc/krb5.conf for
> > testing the configuration with the MIT utils?
> >
> > I temporarily removed /etc/krb5.conf and it seems to still work. But I'd be
> > glad to get a definitive answer from somebody who really knows. Also, are
> > there any security considerations when solely using the jcifsConfig? I
> > thought about this myself but the Tomcat server would need read access to a
> > server keytab anyway.
> >
> > Ciao, Michael.
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
>
>
>
> --
> Arnaud Lesueur
>
> LinkedIn: http://www.linkedin.com/in/lesueur
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Mar 2008 16:46:40 -0400
> From: "Scott Battaglia" <scott.battaglia at gmail.com>
> Subject: Re: Clustering CAS using JBoss
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <1bbd36a10803101346q365ce9d8y6a2d355aaacd93f7 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> The registry cleaner doesn't do any locking when it goes through and
> deletes.
>
> -Scott
>
> On Mon, Mar 10, 2008 at 12:18 PM, Lawrence Andreutti <
> Lawrence.Andreutti at activenetwork.com> wrote:
>
> > Hi,
> >
> >
> >
> > Does anyone have any experience clustering CAS using JBoss? We are
> > experiencing a problem with the ticket registry becoming "locked" after we
> > reach a threshold of about 5000 tickets. Specifically, it looks like the
> > DefaultTicketRegistryCleaner locks while it is looping through and deleting
> > the expired tickets. We are considering writing our own registry cleaner to
> > get around the problem and we were wondering if anyone else has experienced
> > a similar issue. If so, did you write your own registry cleaner (in which
> > case I'm hoping you'd be willing to share the code) or did you find another
> > way to solve it? Any help would be appreciated. Thanks.
> >
> >
> >
> > Larry Andreutti
> >
> > The Active Network
> >
> >
> >
> >
> >
>
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
> ------------------------------
>
> Message: 5
> Date: Mon, 10 Mar 2008 16:47:54 -0400
> From: "Scott Battaglia" <scott.battaglia at gmail.com>
> Subject: Re: JBossCache Ticket Registry performance under load?
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <1bbd36a10803101347y4d4c4df0n7ed12d728f4724db at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Pat,
>
> We saw a bunch of replication errors also. We haven't had too much time to
> delve into it as we had to loadtest a large set of scenarios (distributed,
> database, single machine). If you find anything interesting or an optimal
> configuration please let the list know and update it in Confluence, if you
> can ;-)
>
> Thanks
> -Scott
>
> On Sun, Mar 9, 2008 at 9:24 AM, Pat Hennessy <lists-cas at dtcc.edu> wrote:
>
> >
> > So the first message I got was..
> >
> > 2008-03-06 23:51:20,838 ERROR
> > [org.jasig.cas.ticket.registry.JBossCacheTicketRegistry] -
> > <org.jboss.cache.ReplicationException: rsp=sender=138.123.130.81:32772,
> > retval=null, received=false, suspected=false>
> > org.jboss.cache.ReplicationException: rsp=sender=138.123.130.81:32772,
> > retval=null, received=false, suspected=false
> >
> > I found an old message on the list..
> >
> > http://tp.its.yale.edu/pipermail/cas/2006-September/003412.html
> >
> > I'm using our VMWare Infrastructure for our two nodes. I had them on
> > two different hosts, so I then moved them to the same VMWare host and
> > everything appeared to be better. So, next week I plan on talking to
> > the network guy about using multicast on that switch (I had spoken to
> > him earlier and he thought the settings on it should be fine).
> >
> > I left one of my casified apps in the browser all night. This app does
> > a page refresh and uses one of the apache modules, so it's been helpful
> > in finding these problems.
> >
> > The next day, I found another exception...
> >
> > 2008-03-08 11:02:09,130 ERROR
> > [org.apache.catalina.core.ContainerBase.[Catalina].[c-cas-02.dtcc.edu].[/cas].[cas]]
> > - <Servlet.service() for servlet cas threw exception>
> > org.jboss.cache.lock.TimeoutException: Response timed out:
> > sender=138.123.130.81:32772, retval=null, received=false, suspected=false
> >
> > These are happening on either node and it does appear that I get
> > tickets and appear validated from both nodes. So the clustering is
> > working ok, but there seems to be a timing issue.
> >
> > Did some more searching and saw references on some Japanese site for
> > some totally different application to the "SyncReplTimeout" value. I
> > also found some document on Redhat's site about setting up JBoss. So, I
> > made some adjustments to the different timeouts. I think I read
> > something somewhere on some JBoss site that some timeouts need to be
> > shorter than others. I'm no Tomcat or JBoss expert, but I set the below
> > settings and I think it's been behaving as expected..
> >
> > <attribute name="InitialStateRetrievalTimeout">15000</attribute>
> >
> > <attribute name="SyncReplTimeout">20000</attribute>
> >
> > <attribute name="LockAcquisitionTimeout">25000</attribute>
> >
> > I also wonder if the JBoss replication stuff is dependent on the system
> > clock. I noticed one of them was off and had to fiddle with ntp.
> >
> > My next goal is to load test logins with JMeter. I did try another
> > program that someone posted on the list, but I thought JMeter looked
> > better. I haven't exactly gotten that one working yet. But just
> > hitting the servers with page retrievals doesn't seem to cause any
> > exceptions.
> >
> > Pat
> >
> > On 3/7/08 5:25 PM, Pat Hennessy wrote:
> > > On 7/23/2007 11:45 AM, Brian Donnelly wrote:
> > >> Thanks Scott,
> > >>
> > >> I've attached my jbossCache.xml config file. It is almost identical to
> > >> the jbossTestCache.xml configuration included in CAS 3.0.6. I did have to
> > >> comment out the authentication protocol version tag because it was
> > >> generating errors.
> > >>
> > >> If anyone has any pointers or would be willing to send their JBossCache
> > >> configuration parameters, I'd be very appreciative.
> > >>
> > >
> > > Brian,
> > >
> > > Did you ever find a fix for the org.jboss.cache.ReplicationException
> > > error you found?
> > >
> > > I just setup the jboss replication using the directions on the CAS wiki
> > > (and the jbossTestCache.xml file). On the dev cluster, I didn't get the
> > > error. After putting it on our new to be production cluster, I've been
> > > finding the same error showing up as a RuntimeException with some of our
> > > test apps. I don't think we are putting these services under any real load
> > > though.
> > >
> > > Pat
> > >
> > >> Thanks,
> > >>
> > >> Brian Donnelly
> > >> --
> > >> Brian Donnelly
> > >> University of California, Davis
> > >> Information and Educational Technology
> > >> Middleware Team
> > >> (530) 754-5909
> > >> bdonnelly at ucdavis.edu
> > >>
> > >> -----Original Message-----
> > >> From: Scott Battaglia [mailto:scott.battaglia at gmail.com]
> > >> Sent: Fri 7/20/2007 6:29 AM
> > >> To: Brian Donnelly; Yale CAS mailing list
> > >> Subject: Re: JBossCache Ticket Registry performance under load?
> > >>
> > >> Brian,
> > >>
> > >> We don't deploy that at Rutgers so I can't comment on that. A few people
> > >> have deployed it in production without issues. Maybe you can include your
> > >> configuration file and those who have deployed it successfully can compare
> > >> it to theirs if they get a minute (hopefully).
> > >>
> > >> Thanks
> > >> -Scott
> > >>
> > >> On 7/18/07, Brian Donnelly <bdonnelly at ucdavis.edu> wrote:
> > >>> Hi all,
> > >>>
> > >>> We're getting ready at UC Davis to switch to a JBossCache Clustered
> > >>> configuration for our CAS installation. I have been load testing two
> > >>> Redhat EL 5 clustered nodes running CAS 3.0.6 using the default
> > >>> JBossCache implementation, (UDP multicast.)
> > >>>
> > >>> I've been using JMeter to generate ~7 login actions per second. Both
> > >>> clustered servers perform fine for several hours. Somewhere in the
> > >>> third hour of testing, I start seeing the following errors in the logs:
> > >>>
> > >>> 2007-07-18 13:43:54,813 ERROR
> > >>> [org.jasig.cas.ticket.registry.JBossCacheTicketRegistry] -
> > >>> <org.jboss.cache.ReplicationException: rsp=sender=169.237.104.235:53768,
> > >>> retval=null, received=false, suspected=false>
> > >>>
> > >>> and
> > >>>
> > >>> 2007-07-18 13:48:33,448 ERROR
> > >>> [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas].[cas]]
> > >>> - <Servlet.service() for servlet cas threw exception>
> > >>>
> > >>> These start piling up until both servers stop responding to incoming
> > >>> requests. A restart is required to restore service.
> > >>>
> > >>> Has anyone else encountered errors of this type in their testing of the
> > >>> JBossCache registry?
> > >>>
> > >>> Thanks,
> > >>>
> > >>> Brian Donnelly
> > >>> --
> > >>> Brian Donnelly
> > >>> University of California, Davis
> > >>> Information and Educational Technology
> > >>> Middleware Team
> > >>> (530) 754-5909
> > >>> bdonnelly at ucdavis.edu
> > >>>
> > >>
> > >>
> > >
> > >
> >
> >
> > --
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> > Pat Hennessy, RHCE (path at dtcc.edu)
> >
> > Senior Systems Specialist
> > Division of Information and Educational Technology
> > Delaware Technical and Community College
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >
>
>
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
> ------------------------------
>
> Message: 6
> Date: Mon, 10 Mar 2008 16:49:53 -0400
> From: "Scott Battaglia" <scott.battaglia at gmail.com>
> Subject: Re: Clustering CAS - why tomcat session replication?
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <1bbd36a10803101349rb9f5126v2e140d83af6e981c at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> All of the information required by a flow is base64 encoded into a request
> parameter using this method. So the flow can be reconstructed on any
> machine.
>
> The default CAS instance doesn't store anything sensitive in the repository
> so the default should be fine. Your only concern could be older browsers
> that improperly cache POST results.
>
> -Scott
>
> On Fri, Mar 7, 2008 at 3:06 PM, Andrew R Feller <afelle1 at lsu.edu> wrote:
>
> > Hey Scott,
> >
> >
> >
> > I did search the archives (
> > http://www.nabble.com/CAS-Cluster-without-sticky-sessions-to7583161.html#a7584962)
> > as we were interested in this issue, too. After reading the documentation
> > on the ClientContinuationFlowExecutionRepository, we think we can live with
> > it once we customize it a little. However, we have the concern whether one
> > CAS server can continue the flow execution from another using this only.
> >
> >
> >
> > How much do you know about this?
> >
> >
> >
> > Thanks,
> >
> > Andy
> >
> >
> >
> > Andrew R Feller, Analyst
> >
> > University Information Systems
> >
> > 200 Fred Frey Building
> >
> > Louisiana State University <http://www.lsu.edu/>
> >
> > Baton Rouge, LA, 70803
> >
> > (225) 578-3737 (Office)
> >
> > (225) 578-6400 (Fax)
> >
> >
> > ------------------------------
> >
> > *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
> > *On Behalf Of *Scott Battaglia
> > *Sent:* Wednesday, March 05, 2008 8:31 AM
> > *To:* Yale CAS mailing list
> > *Subject:* Re: Clustering CAS - why tomcat session replication?
> >
> >
> >
> > If you search our archives a little bit, you will find some details on
> > ways to reconfigure the Spring Web Flow such that it doesn't require
> > sessions. If you do that you should ensure that your users use relatively
> > recent browsers that won't have any issues with the back button resubmitting
> > POSTs (such as the credentials you provided).
> >
> > -Scott
> >
> > On Wed, Mar 5, 2008 at 5:56 AM, Arnaud Lesueur <arnaud.lesueur at gmail.com>
> > wrote:
> >
> > Step 2 is required for load balancing without a frontal load balancer
> > which handles sticky sessions in front (the login webflow is using tomcat
> > session)
> >
> > In case of a simple failover, this step is not mandatory.
> >
> > Regards,
> >
> > -Arnaud
> >
> > On Wed, Mar 5, 2008 at 9:49 AM, Ina Müller <
> > ina.mueller at zdv.uni-tuebingen.de> wrote:
> >
> > Hello,
> >
> > we want to use CAS in a HA solution, so I had a look at
> > http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS.
> >
> > It describes three steps:
> > 1.- Ticket Uniqueness
> > 2.- Tomcat Session Replication
> > 3.- Ticket Cache Replication
> >
> > Steps 1 and 3 are clear. But for what scenario do I need step 2?
> > What CAS specific stuff in session state has to be replicated?
> > Isn't it enough to distribute the TGTs among the CAS servers to have a
> > failover solution?
> >
> > Or lets restate the question: if I omit step 2, what can go wrong in case
> > of failover to another server?
> >
> > Thank you for your help, Ina
> >
> >
> >
> >
> >
> > --
> > Arnaud Lesueur
> >
> > LinkedIn: http://www.linkedin.com/in/lesueur
> >
> >
> >
> >
> > --
> > -Scott Battaglia
> > PGP Public Key Id: 0x383733AA
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >
> >
> >
>
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
> ------------------------------
>
> Message: 7
> Date: Mon, 10 Mar 2008 17:47:13 -0400
> From: "Scott Battaglia" <scott.battaglia at gmail.com>
> Subject: Re: How do I get access to Service Registry information in
> the view?
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <1bbd36a10803101447u2cf3a769h611ea8d56941031f at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Lucas,
>
> Because of the CentralAuthenticationService interface being what it is we
> can't return the service via that method. Your best bet is to create a
> HandlerInterceptor at the web tier and obtain the service via the
> ServiceManager (similar to what the ServiceThemeResolver does) and place
> that in the model so that you have access to it.
>
> -Scott
>
> On Tue, Mar 4, 2008 at 5:23 PM, Lucas Rockwell <lr at berkeley.edu> wrote:
>
> > Hi all,
> >
> > I am using the Service Registry and I want to be able to put
> > something like the following on the login page:
> >
> > "Authentication for 'xyz service'"
> >
> > Where 'xyz service' is the "name" of the service in the registry. How
> > do I get access to this information in the view?
> >
> > I apologize if this has been answered before, but I have looked
> > though my past emails, and could not find anything on the subject.
> >
> > Many thanks.
> >
> > -lucas
> >
>
>
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
> ------------------------------
>
> Message: 8
> Date: Mon, 10 Mar 2008 23:41:36 +0100
> From: Michael Ströder <michael at stroeder.com>
> Subject: Re: Both krb5.conf and jcifsConfig needed?
> To: Yale CAS mailing list <cas at tp.its.yale.edu>
> Message-ID: <47D5B920.1060007 at stroeder.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Arnaud Lesueur wrote:
> >> On Sun, Mar 9, 2008 at 1:31 PM, Michael Ströder <michael at stroeder.com
> >> <mailto:michael at stroeder.com>> wrote:
> >>
> >> I'm testing CAS with SPNEGO and it works just fine following the docs on
> >> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO
> >>
> >> But I have one question: Is it necessary to really have both a krb5.conf
> >> *and* the jcifsConfig? Or would it be possible to just use the
> >> jcifsConfig
> >> with the properties jcifsServicePrincipal and jcifsServicePassword?
> >
> > krb5.conf is only used for test
>
> Thanks for responding.
>
> So I don't need the step with ktpass and copying the server's keytab to the
> CAS system either?
>
> Ciao, Michael.
>
>
> ------------------------------
>
> Message: 9
> Date: Mon, 10 Mar 2008 20:48:38 -0400
> From: "Matt Smith" <matt at forsetti.com>
> Subject: Re: cas + apache + svn
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <44a3206d0803101748o4fe67ce1iea347eaec33adef0 at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> It *is* possible to protect SVN's simple browser access with CAS.
>
> It *is not* possible to protect SVN access from non-browser access, such as
> the command line svn tools, or TortoiseSVN, etc.
>
> Personally, I use Kerberos as the primary authentication system. My CAS
> server authenticates against Kerberos, and my web apps are CAS-enabled. My
> non-web apps are Kerberos-enabled. I use mod_auth_kerb to protect my SVN
> repository. The svn command line tools, and TortoiseSVN support kerberized
> ("negotiate" or SPNEGO) access.
>
> I use CAS to protect Trac (or any other web based subversion display such as
> ViewVCS).
>
> HTH,
> -Matt
> On Mon, Mar 10, 2008 at 1:13 PM, m.garuti at quix.it <m.garuti at quix.it>
> wrote:
>
> > Hi,
> >
> > I have a customer that wants to integrate a .net application with svn
> > repository (to version xml files from .net code)
> > There are also other modules that are written in java and are under cas
> > server.
> >
> > the schema is:
> >
> > 1. user ==> .net app (non-web) ==> svn repository
> > 2. user (browser) ==> webapp under cas
> >
> > For schema 2 there is no problem...
> > For schema 1, I know svn runs under apache and there is a module for
> > cas+apache (mod_auth_cas)
> >
> > the question is: is it possible to integrate apache+svn+cas? so only cas
> > knows how to authenticate users..
> >
> > thanks in advance
> > paco
> >
> >
>
>
>
> --
> matt at forsetti.com
> Key ID:D6EEC5B5
>
> ------------------------------
>
> Message: 10
> Date: Mon, 10 Mar 2008 22:01:52 -0400
> From: "Isaac Vetter" <ivetter at math.purdue.edu>
> Subject: Re: cas + apache + svn
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <bbc696260803101901t654007c0w2b102de20cfa2b5e at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Mon, Mar 10, 2008 at 8:48 PM, Matt Smith <matt at forsetti.com> wrote:
>
> > It *is* possible to protect SVN's simple browser access with CAS.
> >
> > It *is not* possible to protect SVN access from non-browser access, such
> > as the command line svn tools, or TortoiseSVN, etc.
>
>
> Hi Matt, Paco;
>
> I'm not sure if I'm disagreeing with the previous email or clarifying it. At
> any rate, this is probably off-topic.
>
> apache+svn+cas is possible, and can be secured.
>
> One of the options for running subversion is to use apache as the svn
> server, thereby allowing you to use any apache authentication modules.
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html
>
> In this case, even "non-browser" access (GUI clients and the command line
> client) access the repository over HTTP(s) through apache.
>
> By requiring authentication via mod_auth_cas in apache and not running
> svnserve and securing the filesystem of the svn repository, the only way to
> access the repository is through CAS.
>
> Isaac Vetter
>
> On Mon, Mar 10, 2008 at 1:13 PM, m.garuti at quix.it <m.garuti at quix.it>
> wrote:
> >
> > > Hi,
> > >
> > > I have a customer that wants to integrate a .net application with svn
> > > repository (to version xml files from .net code)
> > > There are also other modules that are written in java and are under cas
> > > server.
> > >
> > > the schema is:
> > >
> > > 1. user ==> .net app (non-web) ==> svn repository
> > > 2. user (browser) ==> webapp under cas
> > >
> > > For schema 2 there is no problem...
> > > For schema 1, I know svn runs under apache and there is a module for
> > > cas+apache (mod_auth_cas)
> > >
> > > the question is: is it possible to integrate apache+svn+cas? so only cas
> > > knows how to authenticate users..
> >
> >
>
> ------------------------------
>
> Message: 11
> Date: Tue, 11 Mar 2008 09:15:20 +0000
> From: "Teggo Lam" <teggolam at gmail.com>
> Subject: Re: CAS Client 3.1.1
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <656eaecb0803110215w19645844v950296244407aa9d at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thanks Scott, but now I have another ERROR:
>
> com.liferay.portal.NoSuchUserException: No User exists with the primary key 0
> com.liferay.portal.NoSuchUserException: No User exists with the primary key 0
> at com.liferay.portal.service.persistence.UserPersistenceImpl.findByPrimaryKey(UserPersistenceImpl.java:228)
> *****************************************
>
> I think that the problem is on the key provided by CAS server to Liferay
> after authenticating user?!!
>
> I have another question about the document above "
> http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out"
>
> Could you tell me what would you mean by :
> Where Single Sign Out Doesn't Work Does it mean that we can not configure
> SSOut when the session management consists of cookies???
>
> I tell you this because I use Liferay and its session management consists of
> cookies!!!!
>
>
> Thanks for the reply and sorry for my bad English
>
> ------------------------------
>
> Message: 12
> Date: Tue, 11 Mar 2008 13:51:04 +0100
> From: "Bocken Stefan" <Stefan.Bocken at is4u.be>
> Subject: Bypassing CAS Authentication system
> To: <cas at tp.its.yale.edu>
> Message-ID:
> <163D0C6CE33E4648B4C98FC6756A68ABF64C29 at ws03-exchange.iconos.be>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi all,
>
>
>
> I have a question regarding the authentication system of CAS. In short I
> want to bypass the authentication system and create the session myself.
>
> Because I'm trying to federate between two CAS servers my user is logged
> in on the Identity Provider side and I have attributes like username and
> serviceID.
>
> Now I want to know if it is possible to create my own session. If so,
> where can I find more information about this?
>
>
>
> Many thanks and best regards
>
>
>
> Stefan Bocken
>
>
> ------------------------------
>
> Message: 13
> Date: Tue, 11 Mar 2008 14:14:48 +0100
> From: jehan procaccia <jehan.procaccia at int-evry.fr>
> Subject: password remembering in casLoginView.jsp
> To: Yale CAS mailing list <cas at tp.its.yale.edu>
> Message-ID: <47D685C8.2010802 at int-evry.fr>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> hello
>
> since I upgraded to cas 3.1.2, I noticed that by default users can now
> "remember" typed password :-( !
> I removed that "feature" by setting autocomplete="off" in the
> corresponding jsp:
>
> [root at cas1 ~/cas-toolbox-3.1.2-1/custom.tmsp1/webpages/WEB-INF/view/jsp/tmsp1Vues/ui]
> $ grep "autocomplete=\"off\"" casLoginView.jsp
> <form:password cssClass="required" cssErrorClass="error" id="password"
> size="25" tabindex="2" path="password"
> accesskey="${passwordAccessKey}" autocomplete="off" htmlEscape="true" />
>
> Is there a reason why this remembering feature had been reintroduced ?
> Older releases didn't allow that by default.
> It seems to me as being a security issue !?
>
> Thanks.
>
>
>
> ------------------------------
>
> Message: 14
> Date: Tue, 11 Mar 2008 09:15:57 -0400
> From: "Matt Smith" <matt at forsetti.com>
> Subject: Re: cas + apache + svn
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <44a3206d0803110615g64243aa9o7d9b71a291a8927c at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Isaac is correct, this statement needs clarification:
>
> > It *is not* possible to protect SVN access from non-browser access, such
> > as the command line svn tools, or TortoiseSVN, etc.
>
>
> I should have said:
> It is not possible *to use mod_auth_cas* to protect SVN access from
> non-browser access, such as the command line svn tools, or TortoiseSVN,
> etc.
>
> Does that help?
>
>
> --
> matt at forsetti.com
> Key ID:D6EEC5B5
>
> ------------------------------
>
> Message: 15
> Date: Tue, 11 Mar 2008 14:05:58 +0000
> From: "Teggo Lam" <teggolam at gmail.com>
> Subject: [Urgent] CAS Client 3.1.1
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <656eaecb0803110705l6a2b3c9ct1ba063a1fc35d599 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Please I need a response, it's very urgent.
>
>
>
> Thanks for reply
>
> ------------------------------
>
> Message: 16
> Date: Tue, 11 Mar 2008 11:02:45 -0400
> From: "Scott Battaglia" <scott.battaglia at gmail.com>
> Subject: Re: [Urgent] CAS Client 3.1.1
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <1bbd36a10803110802v47e87925l5753179343414294 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> The CAS mailing list is a volunteer effort where people respond as best they
> can to things that interest them (or that they feel qualified to answer).
> Therefore, responses are not guaranteed in any timely manner (if at all).
> If you have specific needs and require guaranteed support (beyond best
> effort), the CAS project maintains a list of commercial entities who are
> happy to provide guaranteed support and consulting services:
>
> http://www.ja-sig.org/products/cas/community/support/index.html
>
> We do not actively encourage or discourage people from using the commercial
> support provided by these companies (nor do we endorse any). We merely list
> them as a service to our users who require guaranteed support that may
> extend beyond the volunteer efforts provided by those who watch the mailing
> list.
>
> Thanks
> -Scott
>
> On Tue, Mar 11, 2008 at 10:05 AM, Teggo Lam <teggolam at gmail.com> wrote:
>
> >
> >
> > Please I need a response, it's very urgent.
> >
> >
> >
> > Thanks for reply
> >
> >
> >
> >
>
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
> ------------------------------
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
> End of cas Digest, Vol 58, Issue 14
> ***********************************
>
>
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia