After innumerable trial and error attempts and 3 postings to the list that went
unanswered, I reached the conclusion that you can cluster CAS but you cannot
authenticate through CAS from a clustered client application.
The error? Always something like: "Authentication Failed: ticket
'ST-2-aQJM2bMCvJfcfj4M6hhR-cas' not recognized".
The likely cause?
* If you use the cluster(/load balancer) alias in the callback to
j_spring_cas_security_check then half the time the call goes to the wrong node,
which doesn't recognize the ticket. Even clustering the session with
<distributable/> doesn't seem to do the trick.
* If you use the node hostname in the callback, then you still
(always?) get the error, probably because the hostname is different from the
cluster alias the browser used to make the original call.
Workaround:
Since you can't truly cluster, the next best thing is to set up the client
WebApp as a HighAvailability-Singleton. An HASingleton won't help you with
load, but if a node goes down your users will be able to start a new session
almost immediately. Not perfect... but better than running on Standalone hosts.
From: Bruno Melloni
Sent: Wednesday, May 19, 2010 3:06 PM
To: Bruno Melloni; The Community discussion list is for questions, comments,
feedback and issues associated with CAS and its clients.
Subject: Authentication Failed: ticket 'ST-2-aQJM2bMCvJfcfj4M6hhR-cas' not
recognized
I have been using CAS for a while. We are slowly moving to a clustered
environment. To avoid the complexity of a clustered CAS server, I set it up as
an HA-Singleton while letting the client app be clustered.
A typical call looks like:
* Browser calls the client app. Uses the cluster DNS alias that points
to the load balancer.
* Load balancer chooses a node and passes the call to the client app on
node X.
* Client app calls CAS for authentication. Uses the cluster DNS alias
that points to the load balancer.
* Load balancer passes the call to the single instance of CAS.
* CAS authenticates and calls back the app with the authenticated
ticket.
Here comes the problem:
* If I use the DNS alias for the cluster the call goes to the load
balancer, which in turn may or may not pass the call to the right node. If it
goes to the wrong node, it obviously doesn't work.
* So I think, no problem... I'll add self-signed certificates to each
node and pass the node's hostname and port in the callback so that CAS will
make the callback to the right node. But this is when I get. No idea why,
although I suspect it might have something to do with the browser calling the
client with the cluster alias and CAS calling back using the node hostname.
Help!
Callback configuration:
<bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties"
p:service="https://${appServer}:${appHttpsPort}/${appName}/j_spring_cas_security_check"
p:sendRenew="false" />
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
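The exchange in this thread turns on two rules of the CAS protocol (the /serviceValidate step in CAS 2.0): a service ticket is bound to the exact `service` URL it was issued for, and it validates only once. The following is an added simulation, not code from the thread or from the CAS or Spring Security projects; the node hostnames and the cluster alias `app.example.test` are constructed, and `ClientNode.service` stands in for the `p:service` value of the `serviceProperties` bean quoted above. It shows what happens when each node advertises its own hostname as the service and the load balancer delivers the callback to the other node, when all nodes share the cluster alias, and when a ticket is presented twice.

```python
"""Toy model of CAS service-ticket (ST) issuance and /serviceValidate checks.
Added example: it mimics the protocol rules, not a real CAS deployment."""
import secrets
from dataclasses import dataclass, field


@dataclass
class CasServer:
    """Stand-in for the CAS server: remembers which service each ST was issued for."""
    tickets: dict = field(default_factory=dict)   # ticket id -> (service URL, user)

    def login(self, service, user):
        """CAS /login with a `service` parameter: issues an ST bound to that exact URL."""
        ticket = "ST-" + secrets.token_urlsafe(12)
        self.tickets[ticket] = (service, user)
        return ticket

    def service_validate(self, ticket, service):
        """CAS /serviceValidate semantics:
        - unknown or already-consumed ticket -> INVALID_TICKET
        - ticket bound to a different service -> INVALID_SERVICE (ticket is burned anyway)
        - otherwise -> OK with the authenticated user
        The ticket is removed on every lookup: an ST is single-use."""
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return ("INVALID_TICKET", f"ticket '{ticket}' not recognized")
        bound_service, user = entry
        if bound_service != service:
            return ("INVALID_SERVICE",
                    f"ticket issued for {bound_service}, validated for {service}")
        return ("OK", user)


@dataclass
class ClientNode:
    """One node of the clustered client app; `service` plays the role of p:service."""
    name: str
    service: str

    def handle_callback(self, cas, ticket):
        """What j_spring_cas_security_check does: validate with this node's service URL."""
        return cas.service_validate(ticket, self.service)


# Constructed cluster alias (the DNS name the browser uses, pointing at the load balancer).
ALIAS = "https://app.example.test/myapp/j_spring_cas_security_check"


def scenario_per_node_service():
    """Each node puts its own hostname in p:service; the callback lands on the other node."""
    cas = CasServer()
    node_x = ClientNode("X", "https://node-x.example.test/myapp/j_spring_cas_security_check")
    node_y = ClientNode("Y", "https://node-y.example.test/myapp/j_spring_cas_security_check")
    ticket = cas.login(node_x.service, "alice")    # node X started the login redirect
    return node_y.handle_callback(cas, ticket)     # load balancer routes the callback to Y


def scenario_shared_alias():
    """All nodes use the cluster alias; whichever node receives the callback validates."""
    cas = CasServer()
    node_x = ClientNode("X", ALIAS)
    node_y = ClientNode("Y", ALIAS)
    ticket = cas.login(node_x.service, "alice")
    return node_y.handle_callback(cas, ticket)


def scenario_replayed_ticket():
    """A second validation of the same ST (for example a retried callback) is rejected."""
    cas = CasServer()
    node = ClientNode("X", ALIAS)
    ticket = cas.login(ALIAS, "alice")
    first = node.handle_callback(cas, ticket)
    second = node.handle_callback(cas, ticket)
    return first, second


if __name__ == "__main__":
    print("per-node service :", scenario_per_node_service())
    print("shared alias     :", scenario_shared_alias())
    print("replayed ticket  :", scenario_replayed_ticket())
```

The simulation makes the defender-side point explicit: the service URL sent to CAS at login and the one sent at validation must be identical, so every node behind the balancer needs the same canonical `p:service` value, and any mechanism that presents a ticket to CAS more than once will see the second attempt rejected regardless of which node handled it.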