Hi Tom, 

I am facing a similar problem. Would you mind sharing the exact changes in
server.xml of Tomcat?

On Tuesday, April 5, 2016 at 4:15:57 PM UTC+5:30, Tom Andersson wrote:
>
> Just in case anyone else is experiencing this issue, I got this resolved 
> by using RemoteIpValve on the Tomcat end:
>
>
> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
> Tom
>
> On Tuesday, 5 April 2016 11:23:19 UTC+3, Tom Andersson wrote:
>>
>> Just to fill up on this, I'm guessing that using the X-Forwarded-For 
>> header instead of HttpServletRequest.getRemoteAddr() would work, but I 
>> would not like to go forking the CAS code. Is that the only way if 
>> 'session stickiness' on the proxy level is out of the question? 
>>
>> BR,
>> Tom
>>
>> On Tuesday, 5 April 2016 10:14:45 UTC+3, Tom Andersson wrote:
>>>
>>> Hi!
>>>
>>> Were you able to resolve this issue? I am having a similar problem, 
>>> where I have a clustered reverse proxy in front of CAS. It seems that the 
>>> TGC can only be verified when the request is coming from the same proxy IP 
>>> as the request by which the cookie was generated. What might be the most 
>>> meaningful way to resolve this issue?
>>>
>>> 2016-04-05 06:55:19,244 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Invalid cookie. Required remote address does not match 157.200.40.117
>>> java.lang.IllegalStateException: Invalid cookie. Required remote address does not match 157.200.40.117
>>>         at org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:110)
>>>         at org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:116)
>>>
>>> Thank you for any suggestions!
>>> Tom
>>>
>>> On Wednesday, 20 January 2016 18:46:46 UTC+2, Artur Stöcklin wrote:
>>>>
>>>> Hi Community
>>>>
>>>> We are facing the following problem with TGC cookies in clustered 
>>>> environment.
>>>>
>>>> 1. We have 2 active/active CAS nodes installed on Apache Tomcat 8.0. 
>>>> The tickets are synchronized through EhCache.
>>>> 2. Each Tomcat is behind an Apache webserver which does the proxying.
>>>> 3. Both webservers are behind a load balancer.
>>>>
>>>>
>>>> When the user logs in and gets a valid TGC from node 1, and then on a 
>>>> subsequent request the load balancer sends him to node 2, the second CAS node throws a 
>>>>
>>>> java.lang.IllegalStateException: Invalid cookie. Required remote address does not match "IP address of node one"
>>>>         at org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue_aroundBody2(DefaultCasCookieValueManager.java:110)
>>>>         at org.jasig.cas.web.support.DefaultCasCookieValueManager$AjcClosure3.run(DefaultCasCookieValueManager.java:1)
>>>>         at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
>>>>         at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
>>>>         at org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:89)
>>>>         at org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue_aroundBody2(CookieRetrievingCookieGenerator.java:109)
>>>>         at org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3.run_aroundBody0(CookieRetrievingCookieGenerator.java:1)
>>>>         at org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3$AjcClosure1.run(CookieRetrievingCookieGenerator.java:1)
>>>>         at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
>>>>         at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
>>>>         at org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3.run(CookieRetrievingCookieGenerator.java:1)
>>>>         at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
>>>>         at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
>>>>         at org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:107)
>>>>         at org.jasig.cas.web.flow.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:91)
>>>>         at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>         at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>         at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>>>>         at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>         at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>         at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>         at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:526)
>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>         at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>         at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:238)
>>>>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
>>>>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
>>>>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:966)
>>>>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:857)
>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
>>>>         at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)
>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>         at org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:296)
>>>>         at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
>>>>         at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>         at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>         at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
>>>>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>         at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
>>>>         at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:217)
>>>>
>>>>
>>>> We can see in the log file of node 1 that the TGC is created with the 
>>>> IP address of the node itself:
>>>> 2016-01-20 17:30:23,837 [http-nio-8443-exec-7] DEBUG 
>>>> [org.jasig.cas.web.support.DefaultCasCookieValueManager] Encoding cookie 
>>>> value 
>>>> [TGT-**********************************************[email protected].
>>>> 220.168@Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 
>>>> Firefox/24.0]
>>>>
>>>> We have tried to solve that with the configuration of the vhost on the 
>>>> Apache webserver itself. The ProxyPreserveHost On attribute did not help.
>>>>
>>>> Any suggestions? This problem should actually not occur in High 
>>>> Availability environments, should it?
>>>>
>>>> Thank you
>>>> Regards
>>>> Artur
>>>>
>>>>
>>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0222aa75-7d35-42dc-82ef-88281cc036f1%40apereo.org.
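
Regarding the server.xml question at the top of this message, here is an illustration of the RemoteIpValve approach named in the quoted reply. It is an added example, not part of the original thread and not the poster's own configuration; the proxy addresses 192.0.2.10 and 192.0.2.11, the Host attributes and the access-log settings are assumptions to be replaced with real values.

```xml
<!-- Added example: fragment of Tomcat conf/server.xml, placed inside <Engine>. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!--
    RemoteIpValve rewrites what HttpServletRequest.getRemoteAddr() returns,
    so CAS sees the browser address on every node without any CAS code change.

    The rewrite happens only when the TCP peer matches internalProxies or
    trustedProxies (both are regular expressions). The default
    internalProxies pattern covers loopback and private ranges only, so a
    proxy with a public address (the thread's error message shows
    157.200.40.117) is not matched and the valve leaves the request as is.

    192.0.2.10 and 192.0.2.11 are placeholders for the two proxy nodes.
    List exactly the proxies that connect to this Tomcat and nothing wider:
    X-Forwarded-For is an ordinary request header, and once the TGC is bound
    to the value taken from it, any peer matched here can choose that value.
  -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="x-forwarded-for"
         internalProxies="192\.0\.2\.10|192\.0\.2\.11" />

  <!--
    requestAttributesEnabled="true" makes %h in the access log show the
    address resolved by RemoteIpValve instead of the proxy address, which
    gives a direct way to confirm the valve is taking effect.
  -->
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="localhost_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b"
         requestAttributesEnabled="true" />
</Host>
```

After a restart, the access log on both nodes should show the same client address for one browser session; if it still shows a proxy address, the peer did not match internalProxies or the proxy is not sending X-Forwarded-For.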
