Re: [cas-user] Re: Cookies Problem in Clustered Environment

Thu, 19 Apr 2018 06:23:37 -0700 

Hi,

We seem to have the following in server.xml:

<Engine name="Catalina" defaultHost="localhost">
    ...
    <Host name="localhost"  appBase="webapps"
          unpackWARs="true" autoDeploy="true">
        ...
        <Valve className="org.apache.catalina.valves.RemoteIpValve" 
internalProxies=".*" />
    </Host>
</Engine>

On Thursday, 19 April 2018 10:35:54 UTC+3, Priyambada Madala wrote:
>
> Hi Tom, 
>
> I am facing similar problem . Would you mind sharing the exact changes in 
> server.xml of tomcat . 
>
> On Tuesday, April 5, 2016 at 4:15:57 PM UTC+5:30, Tom Andersson wrote:
>>
>> Just in case anyone else is experiencing this issue, I got this resolved 
>> by using RemoteIpValve on Tomcat end:
>>
>>
>> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>>
>> Tom
>>
>> On Tuesday, 5 April 2016 11:23:19 UTC+3, Tom Andersson wrote:
>>>
>>> Just to fill up on this, I'm guessing that using the X-Forwarded-For 
>>> -header instead of HttpServletRequest.getRemoteAddr() would work, but I 
>>> would not like to go forking the CAS code.. is that the only way if 
>>> 'session stickiness' on the proxy level is out of the question? 
>>>
>>> BR,
>>> Tom
>>>
>>> On Tuesday, 5 April 2016 10:14:45 UTC+3, Tom Andersson wrote:
>>>>
>>>> Hi!
>>>>
>>>> Were you able to resolve this issue? I am having a similar problem, 
>>>> where I have a clustered reverse proxy in front of CAS. It seems that the 
>>>> TGC can only be verified when the request is coming from the same proxy IP 
>>>> than the request by which the cookie was generated. What might be the most 
>>>> meaningful way to resolve this issue?
>>>>
>>>> 2016-04-05 06:55:19,244 DEBUG 
>>>> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Invalid 
>>>> cookie. Required remote addres
>>>> s does not match 157.200.40.117
>>>> java.lang.IllegalStateException: Invalid cookie. Required remote 
>>>> address does not match 157.200.40.117
>>>>         at 
>>>> org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:110)
>>>>         at 
>>>> org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:116)
>>>>
>>>> Thanks you for any suggestions!
>>>> Tom
>>>>
>>>> On Wednesday, 20 January 2016 18:46:46 UTC+2, Artur Stöcklin wrote:
>>>>>
>>>>> Hi Community
>>>>>
>>>>> We are facing the following problem with TGC cookies in clustered 
>>>>> environment.
>>>>>
>>>>> 1. We have 2 active /active CAS nodes installed on Apache Tomcat 8.0. 
>>>>> The tickets are synchronized through EhCache
>>>>> 2. Each tomcat is behind a Apache Webserver which does the proxy.
>>>>> 3. Both webserver are behind a load balancer.
>>>>>
>>>>>
>>>>> When the user logs in and gets a valid TGC from node 1 then in a next 
>>>>> request the LoadBalancer sends him to node 2 the second CAS node throws a 
>>>>>
>>>>> java.lang.IllegalStateException: Invalid cookie. Required remote 
>>>>> address does not match "IP adress of node one"
>>>>>  at 
>>>>> org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue_aroundBody2(DefaultCasCookieValueManager.java:110)
>>>>>         at 
>>>>> org.jasig.cas.web.support.DefaultCasCookieValueManager$AjcClosure3.run(DefaultCasCookieValueManager.java:1)
>>>>>         at 
>>>>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
>>>>>         at 
>>>>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
>>>>>         at 
>>>>> org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:89)
>>>>>         at 
>>>>> org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue_aroundBody2(CookieRetrievingCookieGenerator.java:109)
>>>>>         at 
>>>>> org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3.run_aroundBody0(CookieRetrievingCookieGenerator.java:1)
>>>>>         at 
>>>>> org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3$AjcClosure1.run(CookieRetrievingCookieGenerator.java:1)
>>>>>         at 
>>>>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
>>>>>         at 
>>>>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
>>>>>         at 
>>>>> org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3.run(CookieRetrievingCookieGenerator.java:1)
>>>>>         at 
>>>>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
>>>>>         at 
>>>>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
>>>>>         at 
>>>>> org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:107)
>>>>>         at 
>>>>> org.jasig.cas.web.flow.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:91)
>>>>>         at 
>>>>> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>         at 
>>>>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>         at 
>>>>> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>>>>>         at 
>>>>> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>         at 
>>>>> org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>         at 
>>>>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>         at 
>>>>> org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>         at org.springframework.webflow.engine.Flow.start(Flow.java:526)
>>>>>         at 
>>>>> org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>         at 
>>>>> org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>>         at 
>>>>> org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>>         at 
>>>>> org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:238)
>>>>>         at 
>>>>> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
>>>>>         at 
>>>>> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
>>>>>         at 
>>>>> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:966)
>>>>>         at 
>>>>> org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:857)
>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
>>>>>         at 
>>>>> org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)
>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
>>>>>         at 
>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
>>>>>         at 
>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>         at 
>>>>> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>         at 
>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>>>>>         at 
>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>         at 
>>>>> org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:296)
>>>>>         at 
>>>>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
>>>>>         at 
>>>>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
>>>>>         at 
>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>>>>>         at 
>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>         at 
>>>>> org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
>>>>>         at 
>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>>>>>         at 
>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>         at 
>>>>> org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
>>>>>         at 
>>>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>         at 
>>>>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
>>>>>         at 
>>>>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
>>>>>         at 
>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>>>>>         at 
>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>         at 
>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:217)
>>>>>
>>>>>
>>>>> We can see in the log file of node 1 that the TGC is created with the 
>>>>> IP adress of the node itself:
>>>>> 2016-01-20 17:30:23,837 [http-nio-8443-exec-7] DEBUG 
>>>>> [org.jasig.cas.web.support.DefaultCasCookieValueManager] Encoding cookie 
>>>>> value 
>>>>> [TGT-**********************************************UVLxcrqeOB-node2@192.168.
>>>>> 220.168@Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 
>>>>> Firefox/24.0]
>>>>>
>>>>> we have tried to solve that with the configuration of vhost on the 
>>>>> apache webserver itself. The ProxyPreserveHost On attribute did not help.
>>>>>
>>>>> Any suggestions? This problem should actually not occur in High 
>>>>> Availabilty environments, should it?
>>>>>
>>>>> Thank you
>>>>> Regards
>>>>> Artur
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to cas-user+u...@apereo.org.
>>>> Visit this group at 
>>>> https://groups.google.com/a/apereo.org/group/cas-user/.
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/631d6a07-77f5-49d4-b819-02e0eb0e65b0%40apereo.org
>>>>  
>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/631d6a07-77f5-49d4-b819-02e0eb0e65b0%40apereo.org?utm_medium=email&utm_source=footer>
>>>> .
>>>> For more options, visit https://groups.google.com/a/apereo.org/d/optout
>>>> .
>>>>
>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5e8f41b8-3faa-47b9-84b4-48baae0c14d1%40apereo.org.

Reply via email to