I am running a CAS-authenticated client which is load-balanced in a high-availability environment.
Sign out is a problem. The hardware load balancer will not necessarily send the sign out POST from the CAS server to the same resource that the client browser is stuck to.

    Browser -> HW LB -> Tomcat 1
    CAS Server -> HW LB -> Tomcat 2

The ticket for the browser that authenticated to Tomcat 1 won't be in the HashMapBackedSessionStorage for Tomcat 2 so the session won't be invalidated even though Tomcat 1 and Tomcat 2 are in a cluster.

I've considered a memcached based HashMap for the sign out filter session-ticket map (SessionMappingStorage), but the org.jasig.cas.client.session.SignOutFilter is coded in such a way as the SESSION_MAPPING_STORAGE is not easily replaced with a new implementation. (Would that the setSessionMappingStorage also have been declared static!)

Has anybody solved this problem with load balancing logout?

Marc Kenig
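
Added example, not part of the original message and not CAS client code: a small Python model of the routing described above, showing that with a per-node ticket map the sign out POST can land on Tomcat 2 and leave the session alive, while a mapping shared by both nodes lets either node invalidate it. The class names, cookie value, ticket and session ids are constructed, and the clustered session store is assumed to be visible to both nodes.

```python
# Model of CAS back-channel sign-out behind a load balancer (added example).
# Class names, the cookie value and the ticket/session ids are constructed.

class Node:
    """One Tomcat instance running the CAS client sign-out filter."""
    def __init__(self, name, sessions, ticket_map=None):
        self.name = name
        self.sessions = sessions  # clustered sessions, visible to every node
        # A private dict models the per-JVM HashMapBackedSessionStorage;
        # passing one dict to all nodes models an external shared mapping.
        self.ticket_map = {} if ticket_map is None else ticket_map

    def login(self, ticket, session_id):
        self.sessions[session_id] = {"authenticated": True}
        self.ticket_map[ticket] = session_id

    def sign_out_post(self, ticket):
        """Handle the CAS server's sign-out POST; True if a session was killed."""
        session_id = self.ticket_map.pop(ticket, None)
        return self.sessions.pop(session_id, None) is not None


class LoadBalancer:
    """Round-robin, with stickiness only for clients that present a cookie."""
    def __init__(self, nodes):
        self.nodes, self.sticky, self.turn = nodes, {}, 0

    def route(self, cookie=None):
        if cookie in self.sticky:
            return self.sticky[cookie]
        node = self.nodes[self.turn % len(self.nodes)]
        self.turn += 1
        if cookie is not None:
            self.sticky[cookie] = node
        return node


def simulate(shared_mapping):
    sessions = {}
    mapping = {} if shared_mapping else None
    lb = LoadBalancer([Node("tomcat1", sessions, mapping),
                       Node("tomcat2", sessions, mapping)])
    lb.route("browser-cookie").login("ST-constructed-1", "session-A")
    receiver = lb.route()  # the CAS server's POST carries no browser cookie
    killed = receiver.sign_out_post("ST-constructed-1")
    return receiver.name, killed, "session-A" in sessions


if __name__ == "__main__":
    print("per-node map:", simulate(shared_mapping=False))
    print("shared map:  ", simulate(shared_mapping=True))
```

Each result is (node that received the POST, whether a session was invalidated, whether the browser's session still exists).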
