We are trying to implement CAS with Terracotta-replication in a test 
environment. Our configuration:

servers:
all running Windows Server 2003
one server: Apache 2.2.15, OpenSSL, mod_jk (sticky sessions) load balancing with 
Tomcat Servers
two servers: Tomcat 6.0.26, CAS 3.3.5, one of these with Terracotta 3.2.1_2

Configuration changes to Tomcat:
Insert into tomcat/conf/context.xml the following line:
<Valve className="org.terracotta.session.TerracottaTomcat60xSessionValve" 
tcConfigUrl="172.16.1.202:9510"> </Valve>
according to Terracotta documentation "Web Sessions Express Installation" where 
172.16.1.202 is our Terracotta server.

Configuration changes to CAS:
We changed deployerConfigContext.xml to meet our ldap-configuration
We changed the log configuration
Nothing more.

Configuration changes to Terracotta:
Using a tc-config.xml-sample sent by Scott Battaglia (thanks for that), see 
attachment. We only made path adjustments to this file.

Result:
All systems start normally, logfiles are looking OK.

Test 1:
Using our CAS-Login-URL (https://cas.uni-goettingen.de):
With both CAS-Servers/Terracotta-Clients 
With one CAS-Server/Terracotta-Client deactivated while the test is running
Result: Once you are successfully authenticated and received a TGT, you stay 
authenticated regardless which CAS-Server/Terracotta-Client is actually 
running. Session stickiness between Apache and Tomcat is used and works.
So we assume that TGTs are successfully replicated between our 
CAS-Servers/Terracotta-Clients

Test 2:
Using a web application which redirects its login to CAS and uses the 
serviceValidate-function of CAS.
It works as follows (assuming you have a valid TGT):
1. Web-application redirects Browser to CAS (sticky session)
2. CAS retrieves TGT from registry successfully
3. CAS adds a ST-Ticket to registry and delivers it back to web application 
with success
4. Web application starts a cas/serviceValidate on its own with ST-Ticket (no 
sticky session here). This goes to the other CAS-Server, which could not find 
the ST-Ticket in its registry.
5. Result: Authentication failed. We assume that ST-Tickets are not replicated 
by our Terracotta-configuration. The attached log shows the problem very 
plainly.

Has anybody experienced the same problem and perhaps found a solution?
I would very much appreciate any useful reaction.

Thanks in advance
Christian


<?xml version="1.0" encoding="UTF-8"?>
<tc:tc-config xmlns:tc="http://www.terracotta.org/config"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://www.terracotta.org/schema/terracotta-4.xsd">

    <!-- Sample Terracotta Configuration for CAS -->
    <!-- Contributed by SPP - http://www.spp.at/ -->

    <servers>
        <server host="%i">
            <dso-port>9510</dso-port>
            <jmx-port>9520</jmx-port>
            <data>server-%i/data</data>
            <logs>server-%i/logs</logs>
        </server>
        <update-check>
            <enabled>false</enabled>
        </update-check>
    </servers>

    <clients>
        <logs>clients/%i/logs</logs>

        <!--  You need to uncomment this when you use either JpaTicketRegistry or JpaServicesRegistryDaoImpl
        <modules>
            <module name="clustered-hibernate-3.2.5" version="2.6.1"/>
        </modules>
        -->
    </clients>

    <application>
        <dso>
            <roots>
                <!-- Defined Shared Roots -->
                <root>
                    <!--The In-Memory Ticket Registry-->
                    <field-name>org.jasig.cas.ticket.registry.DefaultTicketRegistry.cache</field-name>
                </root>
                <root>
                    <!--The registered Services  -->
                    <field-name>org.jasig.cas.services.DefaultServicesManagerImpl.services</field-name>
                </root>
            </roots>

            <locks>
                <!--Locks for the shared Tickets-->
                <named-lock>
                    <method-expression>* org.jasig.cas.ticket.registry.DefaultTicketRegistry.*(..)</method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>ticketRegistryLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.ticket.AbstractTicket.updateState(..)</method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>ticketWriteLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.ticket.AbstractTicket.*(..)</method-expression>
                    <lock-level>read</lock-level>
                    <lock-name>ticketReadLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.CentralAuthenticationServiceImpl.*(..)</method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>casWriteLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.ticket.TicketGrantingTicketImpl.grantServiceTicket(..)
                    </method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>tgtWriteLock2</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.ticket.TicketGrantingTicketImpl.expire(..)</method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>tgtWriteLock2</lock-name>
                </named-lock>

                <!-- Service Registry Distribution Locks -->
                <named-lock>
                    <method-expression>* org.jasig.cas.services.DefaultServicesManagerImpl.findServiceBy(..)
                    </method-expression>
                    <lock-level>read</lock-level>
                    <lock-name>serviceFindReadLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.services.DefaultServicesManagerImpl.getAllServices(..)
                    </method-expression>
                    <lock-level>read</lock-level>
                    <lock-name>serviceReadLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.services.DefaultServicesManagerImpl.*(..)</method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>serviceWriteLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.web.flow.GenerateServiceTicketAction.doExecute(..)
                    </method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>stActionWriteLock</lock-name>
                </named-lock>


            </locks>

            <instrumented-classes>
                <include>
                    <class-expression>org.jasig.cas.ticket.*</class-expression>
                </include>
                <include>
                    <class-expression>org.jasig.cas.ticket.support.*</class-expression>
                </include>
                <include>
                    <class-expression>org.jasig.cas.authentication.principal.*</class-expression>
                </include>
                <include>
                    <class-expression>org.jasig.cas.util.*</class-expression>
                </include>
                <include>
                    <class-expression>org.jasig.cas.authentication.*</class-expression>
                </include>
                <include>
                    <class-expression>org.jasig.cas.services.RegisteredServiceImpl</class-expression>
                </include>
            </instrumented-classes>

        </dso>
    </application>

</tc:tc-config>
CAS-Server vs77
2010-08-11 18:10:43,451 DEBUG 
[org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 
'GenerateServiceTicketAction' beginning execution
2010-08-11 18:10:43,451 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve 
ticket [TGT-125-ijay9tkK3qq2e0VJpTtOepndMLIixtloXD4zzvUruzZ0TjWLfM-cas]
2010-08-11 18:10:43,451 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket 
[TGT-125-ijay9tkK3qq2e0VJpTtOepndMLIixtloXD4zzvUruzZ0TjWLfM-cas] found in 
registry.
2010-08-11 18:10:43,466 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket 
[ST-152-XUlJcZ9udPanaIyHMlBl-cas] to registry.
2010-08-11 18:10:43,466 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - 
Granted service ticket [ST-152-XUlJcZ9udPanaIyHMlBl-cas] for service 
[https://ug-uzdv-vs59.zvw.uni-goettingen.de/sb_12_2_portal/rds?state=user&type=1]
 for user [m.musterfrau]
2010-08-11 18:10:43,466 DEBUG 
[org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 
'GenerateServiceTicketAction' completed execution; result is 'success'

CAS-Server vs76
2010-08-11 18:10:44,490 DEBUG 
[org.springframework.web.servlet.DispatcherServlet] - DispatcherServlet with 
name 'cas' determining Last-Modified value for [/cas/serviceValidate]
2010-08-11 18:10:44,490 DEBUG 
[org.springframework.web.servlet.handler.SimpleUrlHandlerMapping] - Mapping 
[/serviceValidate] to handler 
'org.jasig.cas.web.servicevalidatecontrol...@14ab266'
2010-08-11 18:10:44,490 DEBUG 
[org.springframework.web.servlet.DispatcherServlet] - Last-Modified value for 
[/cas/serviceValidate] is: -1
2010-08-11 18:10:44,490 DEBUG 
[org.springframework.web.servlet.DispatcherServlet] - DispatcherServlet with 
name 'cas' processing request for [/cas/serviceValidate]
2010-08-11 18:10:44,506 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor generated service for: 
https://ug-uzdv-vs59.zvw.uni-goettingen.de/sb_12_2_portal/rds?state=user&type=1
2010-08-11 18:10:44,506 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve 
ticket [ST-152-XUlJcZ9udPanaIyHMlBl-cas]
2010-08-11 18:10:44,506 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] 
- ServiceTicket [ST-152-XUlJcZ9udPanaIyHMlBl-cas] does not exist.
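
The comparison made by hand in the two logs above can be scripted. This is an added example, not part of the original post: it re-joins mail-wrapped log entries and reports service tickets that one node added to its registry while another node reported them as nonexistent. The node names and ticket IDs in the sample are constructed.

```python
import re
from datetime import datetime

TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s")
ADDED = re.compile(r"Added ticket \[(ST-[^\]]+)\] to registry")
MISSING = re.compile(r"ServiceTicket \[(ST-[^\]]+)\] does not exist")

def entries(text):
    """Yield (datetime, message); re-joins entries the mailer wrapped over lines."""
    joined = []
    for line in text.splitlines():
        if TS.match(line):
            joined.append(line.strip())
        elif joined and line.strip():
            joined[-1] += " " + line.strip()
    for entry in joined:
        stamp = TS.match(entry).group(1)
        yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S,%f"), entry[len(stamp):].strip()

def find_unreplicated(logs):
    """logs maps node name -> log text. Report STs added on one node, unknown on another."""
    issued, misses = {}, []
    for node, text in logs.items():
        for when, msg in entries(text):
            if m := ADDED.search(msg):
                issued[m.group(1)] = (node, when)
            elif m := MISSING.search(msg):
                misses.append((m.group(1), node, when))
    findings = []
    for ticket, node, when in misses:
        origin = issued.get(ticket)
        # Only a miss on a *different* node than the issuer is a replication gap;
        # unknown tickets and misses on the issuing node are left out.
        if origin and origin[0] != node:
            findings.append({"ticket": ticket, "issued_on": origin[0], "missing_on": node,
                             "delay_s": (when - origin[1]).total_seconds()})
    return findings

# Constructed sample (node names and ticket IDs are made up), wrapped like the logs above.
SAMPLE_LOGS = {
    "node-a": "2010-01-01 10:00:00,100 DEBUG \n"
              "[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket \n"
              "[ST-1-CONSTRUCTEDaaaa-cas] to registry.\n",
    "node-b": "2010-01-01 10:00:01,150 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] \n"
              "- ServiceTicket [ST-1-CONSTRUCTEDaaaa-cas] does not exist.\n"
              "2010-01-01 10:00:02,000 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] \n"
              "- ServiceTicket [ST-9-CONSTRUCTEDzzzz-cas] does not exist.\n",
}

if __name__ == "__main__":
    for f in find_unreplicated(SAMPLE_LOGS):
        print(f)
```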
