Hi,
We seem to have the following in server.xml:
<Engine name="Catalina" defaultHost="localhost">
  ...
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    ...
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies=".*" />
  </Host>
</Engine>

On Thursday, 19 April 2018 10:35:54 UTC+3, Priyambada Madala wrote:
>
> Hi Tom,
>
> I am facing a similar problem. Would you mind sharing the exact changes in
> server.xml of Tomcat?
>
> On Tuesday, April 5, 2016 at 4:15:57 PM UTC+5:30, Tom Andersson wrote:
>>
>> Just in case anyone else is experiencing this issue, I got this resolved
>> by using RemoteIpValve on Tomcat end:
>>
>>
>> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>>
>> Tom
>>
>> On Tuesday, 5 April 2016 11:23:19 UTC+3, Tom Andersson wrote:
>>>
>>> Just to fill up on this, I'm guessing that using the X-Forwarded-For
>>> header instead of HttpServletRequest.getRemoteAddr() would work, but I
>>> would not like to go forking the CAS code. Is that the only way if
>>> 'session stickiness' on the proxy level is out of the question?
>>>
>>> BR,
>>> Tom
>>>
>>> On Tuesday, 5 April 2016 10:14:45 UTC+3, Tom Andersson wrote:
>>>>
>>>> Hi!
>>>>
>>>> Were you able to resolve this issue? I am having a similar problem,
>>>> where I have a clustered reverse proxy in front of CAS. It seems that the
>>>> TGC can only be verified when the request is coming from the same proxy IP
>>>> as the request by which the cookie was generated. What might be the most
>>>> meaningful way to resolve this issue?
>>>>
>>>> 2016-04-05 06:55:19,244 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Invalid cookie. Required remote address does not match 157.200.40.117
>>>> java.lang.IllegalStateException: Invalid cookie. Required remote address does not match 157.200.40.117
>>>>     at org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:110)
>>>>     at org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:116)
>>>>
>>>> Thank you for any suggestions!
>>>> Tom
>>>>
>>>> On Wednesday, 20 January 2016 18:46:46 UTC+2, Artur Stöcklin wrote:
>>>>>
>>>>> Hi Community
>>>>>
>>>>> We are facing the following problem with TGC cookies in a clustered
>>>>> environment.
>>>>>
>>>>> 1. We have 2 active/active CAS nodes installed on Apache Tomcat 8.0.
>>>>> The tickets are synchronized through EhCache.
>>>>> 2. Each Tomcat is behind an Apache web server which does the proxying.
>>>>> 3. Both web servers are behind a load balancer.
>>>>>
>>>>>
>>>>> When the user logs in and gets a valid TGC from node 1, and the load
>>>>> balancer then sends his next request to node 2, the second CAS node throws a
>>>>>
>>>>> java.lang.IllegalStateException: Invalid cookie. Required remote address does not match "IP address of node one"
>>>>>     at org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue_aroundBody2(DefaultCasCookieValueManager.java:110)
>>>>>     at org.jasig.cas.web.support.DefaultCasCookieValueManager$AjcClosure3.run(DefaultCasCookieValueManager.java:1)
>>>>>     at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
>>>>>     at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
>>>>>     at org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:89)
>>>>>     at org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue_aroundBody2(CookieRetrievingCookieGenerator.java:109)
>>>>>     at org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3.run_aroundBody0(CookieRetrievingCookieGenerator.java:1)
>>>>>     at org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3$AjcClosure1.run(CookieRetrievingCookieGenerator.java:1)
>>>>>     at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
>>>>>     at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
>>>>>     at org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3.run(CookieRetrievingCookieGenerator.java:1)
>>>>>     at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
>>>>>     at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
>>>>>     at org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:107)
>>>>>     at org.jasig.cas.web.flow.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:91)
>>>>>     at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>     at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>     at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>>>>>     at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>     at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>     at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>     at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>     at org.springframework.webflow.engine.Flow.start(Flow.java:526)
>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>>     at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>>     at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:238)
>>>>>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
>>>>>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
>>>>>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:966)
>>>>>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:857)
>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
>>>>>     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)
>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>     at org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:296)
>>>>>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
>>>>>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>     at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
>>>>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
>>>>>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:217)
>>>>>
>>>>>
>>>>> We can see in the log file of node 1 that the TGC is created with the
>>>>> IP address of the node itself:
>>>>> 2016-01-20 17:30:23,837 [http-nio-8443-exec-7] DEBUG
>>>>> [org.jasig.cas.web.support.DefaultCasCookieValueManager] Encoding cookie
>>>>> value
>>>>> [TGT-**********************************************[email protected].
>>>>> 220.168@Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101
>>>>> Firefox/24.0]
>>>>>
>>>>> We have tried to solve that with the configuration of the vhost on the
>>>>> Apache web server itself. The ProxyPreserveHost On attribute did not help.
>>>>>
>>>>> Any suggestions? This problem should actually not occur in High
>>>>> Availability environments, should it?
>>>>>
>>>>> Thank you
>>>>> Regards
>>>>> Artur
>>>>>
>>>>>
>>>>>
>>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> Visit this group at
>>>> https://groups.google.com/a/apereo.org/group/cas-user/.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/631d6a07-77f5-49d4-b819-02e0eb0e65b0%40apereo.org
>>>> For more options, visit https://groups.google.com/a/apereo.org/d/optout
>>>> .
>>>>
>>>
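
Added example (not part of the thread, and not Tomcat or CAS code): a simplified Python model of how RemoteIpValve walks X-Forwarded-For from right to left. It shows that internalProxies=".*" gives both nodes the same client address but also accepts whatever the client itself put in the header, whereas a pattern limited to the real proxy addresses stops at the first non-proxy hop. The addresses, the 10.0.0.0/24 proxy range, the helper names, and the assumption that the load balancer and Apache each append their peer to the header are constructed for illustration.

```python
import re

def resolve_remote_addr(peer_addr, xff_header, internal_proxies):
    """Simplified model of how RemoteIpValve picks the address that
    getRemoteAddr() returns (trustedProxies handling is left out)."""
    proxy = re.compile(internal_proxies)
    # The header is honoured only when the TCP peer is itself a known proxy.
    if not proxy.fullmatch(peer_addr):
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    remote_ip = None
    # Walk from the hop nearest Tomcat back towards the client and stop at
    # the first address that is not one of our own proxies.
    for hop in reversed(hops):
        remote_ip = hop
        if not proxy.fullmatch(hop):
            break
    return remote_ip if remote_ip is not None else peer_addr

# Constructed topology: client -> load balancer -> Apache proxy -> Tomcat/CAS.
CLIENT = "203.0.113.10"
LOAD_BALANCER = "10.0.0.5"
APACHE_NODE1, APACHE_NODE2 = "10.0.0.21", "10.0.0.22"
OPEN = r".*"                       # value quoted in the thread
STRICT = r"10\.0\.0\.\d{1,3}"      # assumption: proxies live in 10.0.0.0/24

def header_at_tomcat(client_supplied=""):
    """X-Forwarded-For as Tomcat sees it: each proxy appends its peer."""
    parts = [client_supplied, CLIENT, LOAD_BALANCER]
    return ", ".join(p for p in parts if p)

def cas_sees(pattern, apache_peer, client_supplied=""):
    """Address CAS would bind the TGC to for a request via one Apache node."""
    return resolve_remote_addr(apache_peer, header_at_tomcat(client_supplied), pattern)

if __name__ == "__main__":
    unverified = "198.51.100.99"   # constructed value sent by the client itself
    for name, pattern in (("open", OPEN), ("strict", STRICT)):
        print(name, "node1:", cas_sees(pattern, APACHE_NODE1),
              "node2:", cas_sees(pattern, APACHE_NODE2),
              "with client-supplied header:",
              cas_sees(pattern, APACHE_NODE1, unverified))
```

Because CAS ties the TGC to the value of getRemoteAddr(), the strict pattern keeps that check bound to an address the proxies actually observed.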