I have been using CAS for a while.  We are slowly moving to a clustered 
environment.  To avoid the complexity of a clustered CAS server, I set it up as 
an HA-Singleton while letting the client app be clustered.

A typical call looks like:

* Browser calls the client app.  Uses the cluster DNS alias that points to
the load balancer.
* Load balancer chooses a node and passes the call to the client app on
node X.
* Client app calls CAS for authentication.  Uses the cluster DNS alias that
points to the load balancer.
* Load balancer passes the call to the single instance of CAS.
* CAS authenticates and calls back the app with the authenticated ticket.

Here comes the problem:

* If I use the DNS alias for the cluster, the call goes to the load balancer,
which in turn may or may not pass the call to the right node.  If it goes to
the wrong node, it obviously doesn't work.
* So I think, no problem... I'll add self-signed certificates to each node and
pass the node's hostname and port in the callback so that CAS will make the
callback to the right node.  But this is when I get "Authentication Failed:
ticket 'ST-2-aQJM2bMCvJfcfj4M6hhR-cas' not recognized".  No idea why,
although I suspect it might have something to do with the browser calling the
client with the cluster alias and CAS calling back using the node hostname.

Help!

Callback configuration:

<bean id="serviceProperties"
      class="org.springframework.security.cas.ServiceProperties"
      p:service="https://${appServer}:${appHttpsPort}/${appName}/j_spring_cas_security_check"
      p:sendRenew="false" />

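A toy model of the exchange the post describes, added here as an example; it is not code from the post, from the CAS server or from Spring Security, and it is written in Python rather than Java so it runs stand-alone. It models only the two properties of a CAS service ticket that decide whether /serviceValidate accepts it: the ticket is bound to the exact `service` URL it was issued for, and it is consumed by its first validation. The error codes INVALID_TICKET and INVALID_SERVICE are the CAS 2.0 protocol codes; the host names, the user "alice" and the decision to consume a ticket on any validation attempt (matching or not) are constructed assumptions of the model, as is the `ClientNode` class standing in for one cluster node with its own `ServiceProperties.service` value.

```python
"""Toy model of a CAS 2.0 service-ticket exchange (constructed example)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# CAS 2.0 /serviceValidate error codes.
INVALID_TICKET = "INVALID_TICKET"    # ticket unknown, expired or already consumed
INVALID_SERVICE = "INVALID_SERVICE"  # ticket known, but issued for a different service


@dataclass
class CasServer:
    """A single CAS instance (the HA singleton described in the post)."""
    tickets: dict[str, tuple[str, str]] = field(default_factory=dict)  # id -> (service, user)

    def login(self, user: str, service: str) -> str:
        """Authenticate `user` and issue a service ticket bound to `service`.

        Returns the URL CAS redirects the browser to: the service URL with
        ticket=ST-... appended to its query string.
        """
        ticket = "ST-" + secrets.token_urlsafe(16)
        self.tickets[ticket] = (service, user)
        sep = "&" if "?" in service else "?"
        return f"{service}{sep}ticket={ticket}"

    def service_validate(self, service: str, ticket: str) -> tuple[bool, str]:
        """/serviceValidate: (True, user) on success, (False, error_code) otherwise.

        Model assumption: any validation attempt consumes the ticket, so a
        second attempt with the same id is INVALID_TICKET.
        """
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return False, INVALID_TICKET
        bound_service, user = entry
        if bound_service != service:
            return False, INVALID_SERVICE
        return True, user


@dataclass
class ClientNode:
    """One node of the clustered client app; `service_url` plays the role of
    ServiceProperties.service, the value the node sends when validating."""
    service_url: str
    cas: CasServer

    def handle_callback(self, callback_url: str) -> tuple[bool, str]:
        """Extract the ticket CAS appended to the callback and validate it."""
        ticket = parse_qs(urlparse(callback_url).query).get("ticket", [None])[0]
        if ticket is None:
            return False, "no ticket in callback"
        return self.cas.service_validate(self.service_url, ticket)


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Exercise the cases that matter for a clustered client app."""
    cas = CasServer()
    alias = "https://app.example.test/myapp/j_spring_cas_security_check"
    node_a = ClientNode(alias, cas)  # both nodes configured with the cluster alias
    node_b = ClientNode(alias, cas)
    node_x = ClientNode("https://node1.example.test:8443/myapp/j_spring_cas_security_check", cas)
    results: dict[str, tuple[bool, str]] = {}

    # 1. Ticket issued for the alias; the callback lands on a different node
    #    that presents the same alias: any node can validate it.
    results["same_service_any_node"] = node_b.handle_callback(cas.login("alice", alias))

    # 2. Ticket issued for the alias, but the validating node presents its own
    #    host name as the service: INVALID_SERVICE.
    results["service_mismatch"] = node_x.handle_callback(cas.login("alice", alias))

    # 3. The same callback validated twice (replay, or two nodes both handling
    #    it): the second attempt is INVALID_TICKET.
    url = cas.login("alice", alias)
    node_a.handle_callback(url)
    results["replayed_ticket"] = node_a.handle_callback(url)

    # 4. A ticket id the server never issued: INVALID_TICKET.
    results["unknown_ticket"] = node_a.handle_callback(alias + "?ticket=ST-never-issued")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} -> {outcome}")
```

The model makes the operational consequence visible: with every node configured with one and the same `service` URL (the alias the login was requested for), it does not matter which node the callback reaches, whereas a node that validates with a different URL, or a second validation of a ticket that has already been spent, is refused by the server.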