Note that CAS 3.4.7 fails behind a load balancer if you're not using sticky
sessions but using clustered sessions (it's because each server has its own
key).

Marvin's put in a fix to not have to use keys and I'll be cutting the
release later.


On Thu, Apr 21, 2011 at 11:19 AM, Chris Peck <[email protected]> wrote:

> Round 2 - Marvin, thanks for the tips & pointers, I owe you a few...
>
> Based on the thread "CAS 3.4.7 login fails with clustered CAS servers
> behind load balancer", it sounds like I should either stick with 3.4.5, or
> build from source at this point, and, wait for 4.3.8 to arrive to move up
> versions?
> We plan on running 3 CAS servers behind a Netscaler Load Balancer with this
> configuration, do I need to be concerned about anything else?
>
> I've attached my new deployerConfigContext.xml and cas.properties file for
> review - many advance thanks for the review. Assuming these are reasonable,
> I'll be working on Jmeter today.
> -chris
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
>  | deployerConfigContext.xml
>  |
>  | cas.wm.edu history
>  | 1.3 20110421 - moved users for userDetailsService to external file - crpeck
>  | 1.2 20110420 - added pooled LDAP for attribute lookup - crpeck
>  | 1.1 20110408 - added pooled MySQL with c3p0 - crpeck
>  | 1.0 20110316 - initial working version with LDAP and MySQL - crpeck
>  | 0.0 20110209 - many thanks to Jason Zylks at tamu.edu for providing assistance to get me up and running
>  |
>  | NOTES: diff this file with any new version that comes out for changes
>  | The files: /local/etc/cas.properties /local/etc/wm.properties
>  |   contain properties for connection info
>  |   see spring-configuration/propertyFileConfigurer.xml
>  | userDetailsService users are in /local/etc/users.properties
>  |
>  | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
>  | all CAS deployers will need to modify.
>  |
>  | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
>  | The beans declared in this file are instantiated at context initialization time by the Spring
>  | ContextLoaderListener declared in web.xml.  It finds this file because this
>  | file is among those declared in the context parameter "contextConfigLocation".
>  |
>  +-->
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xmlns:p="http://www.springframework.org/schema/p"
>   xmlns:tx="http://www.springframework.org/schema/tx"
>   xmlns:sec="http://www.springframework.org/schema/security"
>   xsi:schemaLocation="http://www.springframework.org/schema/beans
>     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
>     http://www.springframework.org/schema/security
>     http://www.springframework.org/schema/security/spring-security-3.0.xsd
>     http://www.springframework.org/schema/tx
>     http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
>
>   <!--
>     | This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
>     | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
>     | "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
>     | implementation and so do not need to change the class of this bean.  We include the whole
>     | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
>     | need to change in context.
>     +-->
>   <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>     <!--
>       | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
>       | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
>       | supports the presented credentials.
>       |
>       | AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
>       | attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
>       | that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
>       | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
>       | using.
>       |
>       | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
>       | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
>       | You will need to change this list if you are identifying services by something more or other than their callback URL.
>       +-->
>     <property name="credentialsToPrincipalResolvers">
>       <list>
>         <!--
>           | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
>           | by default and produces SimplePrincipal instances conveying the username from the credentials.
>           |
>           | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
>           | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
>           | Credentials you are using.
>           +-->
>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
>           <property name="attributeRepository">
>             <ref bean="attributeRepository" />
>           </property>
>         </bean>
>
>         <!--
>           | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
>           | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
>           | SimpleService identified by that callback URL.
>           |
>           | If you are representing services by something more or other than an HTTPS URL whereat they are able to
>           | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
>           +-->
>         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>
>       </list>
>     </property>
>
>     <!--
>       | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
>       | AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers that
>       | authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
>       | until it finds one that both supports the Credentials presented and succeeds in authenticating.
>       +-->
>     <property name="authenticationHandlers">
>       <list>
>         <!--
>           | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
>           | a server side SSL certificate.
>           +-->
>         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>           p:httpClient-ref="httpClient" />
>
>         <!--
>           | FastBindLdap authentication handler, tries a BIND with uid and password supplied
>           +-->
>         <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
>           <property name="filter" value="uid=%u,${ldap.searchBase}" />
>           <property name="contextSource" ref="contextSource" />
>         </bean>
>
>       </list>
>     </property>
>   </bean>
>
>   <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
>     <property name="pooled" value="false"/>
>     <property name="urls" value="${ldap.URL}" />
>   </bean>
>
>   <!-- Bind to LDAP to lookup users and attributes, used by pooledLDAPContextSource
>     | Binds with ldap.BindDN to lookup attributes
>     +-->
>
>   <bean id="LDAPcontextSource" class="org.springframework.ldap.core.support.LdapContextSource">
>     <property name="pooled" value="false"/>
>     <property name="urls" value="${ldap.URL}" />
>     <property name="userDn" value="${ldap.BindDN}"/>
>     <property name="password" value="${ldap.BindPW}"/>
>     <property name="baseEnvironmentProperties">
>       <map>
>         <entry>
>           <key>
>             <value>java.naming.security.authentication</value>
>           </key>
>           <value>simple</value>
>         </entry>
>       </map>
>     </property>
>   </bean>
>
>   <!--
>     pooled ldap for attribute repository
>   -->
>   <bean id="pooledLDAPContextSource" class="org.springframework.ldap.pool.factory.PoolingContextSource"
>     p:minIdle="${ldap.pool.minIdle}"
>     p:maxIdle="${ldap.pool.maxIdle}"
>     p:maxActive="${ldap.pool.maxSize}"
>     p:maxTotal="${ldap.pool.maxTotal}"
>     p:maxWait="${ldap.pool.maxWait}"
>     p:timeBetweenEvictionRunsMillis="${ldap.pool.evictionPeriod}"
>     p:minEvictableIdleTimeMillis="${ldap.pool.idleTime}"
>     p:testOnBorrow="${ldap.pool.testOnBorrow}"
>     p:testWhileIdle="${ldap.pool.testWhileIdle}"
>     p:dirContextValidator-ref="LDAPDirContextValidator"
>     p:contextSource-ref="LDAPcontextSource" />
>
>   <!-- Query RootDSE for no attributes at suggestion of dhawes -->
>   <bean id="LDAPDirContextValidator" class="org.springframework.ldap.pool.validation.DefaultDirContextValidator"
>     p:base=""
>     p:filter="objectclass=*">
>     <property name="searchControls">
>       <bean class="javax.naming.directory.SearchControls"
>         p:timeLimit="1000"
>         p:countLimit="1"
>         p:searchScope="0"
>         p:returningAttributes="" />
>     </property>
>   </bean>
>
>   <!--
>     | Bean that defines the attributes that a service may return.
>     | The id should remain "attributeRepository" though.
>     +-->
>
>   <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>     <property name="contextSource" ref="pooledLDAPContextSource" />
>     <property name="baseDN" value="${ldap.baseDN}" />
>     <property name="requireAllQueryAttributes" value="false" />
>
>     <!--
>     Attribute mapping between principal (key) and LDAP (value) names
>     used to perform the LDAP search.  By default, multiple search criteria
>     are ANDed together.  Set the queryType property to change to OR.
>     -->
>     <property name="queryAttributeMapping">
>       <map>
>         <entry key="username" value="uid" />
>       </map>
>     </property>
>
>     <!--
>       | This is a list of attributes that CAS can return via SAML1.1
>       | These must be highlighted within the Services Manager Configuration Webpage
>       | for a service (URL) to be able to have access to them, e.g. phpCAS
>       +-->
>     <property name="resultAttributeMapping">
>       <map>
>       <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
>         <entry key="uid" value="uid" />
>         <entry key="cn" value="Name" />
>         <entry key="dn" value="dn" />
>         <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>         <entry key="eduPersonPrimaryAffiliation" value="eduPersonPrimaryAffiliation" />
>         <entry key="eduPersonPrincipalName" value="eduPersonPrincipalName" />
>       </map>
>     </property>
>   </bean>
>
>   <!--
>     | This bean defines the security roles for the Services Management application.  Simple deployments can use the in-memory version.
>     | More robust deployments will want to use another option, such as the Jdbc version.
>     | The name of this should remain "userDetailsService" in order for Spring Security to find it.
>     | This defines the users allowed to login to CAS Services Manager webpage
>     +-->
>
>   <sec:user-service id="userDetailsService" properties="file:/local/etc/users.properties"/>
>
>   <bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
>     <property name="dataSource" ref="dataSource"/>
>     <property name="jpaVendorAdapter">
>       <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
>         <property name="generateDdl" value="true"/>
>         <property name="showSql" value="true" />
>       </bean>
>     </property>
>     <property name="jpaProperties">
>       <props>
>         <prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
>         <prop key="hibernate.hbm2ddl.auto">update</prop>
>       </props>
>     </property>
>   </bean>
>
>   <!-- Use database for transactions, services and tickets - pooled -->
>
>   <bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource"
>     p:driverClass="${database.driverClass}"
>     p:jdbcUrl="${database.url}"
>     p:user="${database.user}"
>     p:password="${database.password}"
>     p:initialPoolSize="${database.pool.minSize}"
>     p:minPoolSize="${database.pool.minSize}"
>     p:maxPoolSize="${database.pool.maxSize}"
>     p:maxIdleTimeExcessConnections="${database.pool.maxIdleTime}"
>     p:checkoutTimeout="${database.pool.maxWait}"
>     p:acquireIncrement="${database.pool.acquireIncrement}"
>     p:acquireRetryAttempts="${database.pool.acquireRetryAttempts}"
>     p:acquireRetryDelay="${database.pool.acquireRetryDelay}"
>     p:idleConnectionTestPeriod="${database.pool.idleConnectionTestPeriod}"
>     p:preferredTestQuery="${database.pool.connectionHealthQuery}" />
>
>   <!-- Services are registered in the DB -->
>
>   <bean id="serviceRegistryDao" class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
>     p:entityManagerFactory-ref="entityManagerFactory" />
>
>   <!-- Transactions are stored in the DB -->
>   <bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager"
>     p:entityManagerFactory-ref="entityManagerFactory" />
>   <tx:annotation-driven transaction-manager="transactionManager"/>
>
>   <!-- Log audit and statistics to a logfile - see log4j for more information -->
>   <!-- By default - these go to stdout for tomcat - the catalina.out file -->
>   <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
>
> </beans>
>
>
> # cas.properties
> #
> # Search for WMCAS to find system specific info
> # this file contains configuration info used by CAS
> # information specific to test or production servers
>
> cas.securityContext.serviceProperties.service=http://localhost:8080/cas/services/j_acegi_cas_security_check
> cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
> cas.securityContext.casProcessingFilterEntryPoint.loginUrl=http://localhost:8080/cas/login
> cas.securityContext.ticketValidator.casServerUrlPrefix=http://localhost:8080/cas
> # note - users allowed access are in /local/etc/users.properties
>
> cas.themeResolver.defaultThemeName=cas-theme-default
> cas.viewResolver.basename=default_views
>
> #==========================================
> # Database configuration
> # database connection properties are in wm.properties
>
> # these are specific to MySQL
> database.hibernate.dialect=org.hibernate.dialect.MySQLDialect
> database.driverClass=com.mysql.jdbc.Driver
> ticket.cleaner.database.platform=SQL92
>
> #==========================================
> # database pool info
>
> database.pool.minSize=2
> database.pool.maxSize=4
> database.pool.maxIdleTime=120
> database.pool.maxWait=10000
> database.pool.acquireIncrement=1
> database.pool.acquireRetryAttempts=3
> database.pool.acquireRetryDelay=100
> database.pool.idleConnectionTestPeriod=120
> database.pool.connectionHealthQuery=SELECT 1
>
> #==========================================
> # LDAP configuration
> # ldap access information is in wm.properties
>
> #==========================================
> # properties for pooled ldap connections
> # values from [email protected] vt.edu
>
> ldap.pool.minIdle=3
> ldap.pool.maxIdle=5
> ldap.pool.maxSize=10
>
> # Maximum time in ms to wait for connection to become available
> # under pool exhausted condition.
> ldap.pool.maxWait=10000
>
> # == Evictor configuration ==
>
> # Period in ms at which evictor process runs.
> ldap.pool.evictionPeriod=30000
>
> # Maximum time in ms at which connections can remain idle before
> # they become liable to eviction.
> ldap.pool.idleTime=1200000
>
> # == Connection testing settings ==
>
> # Set to true to enable connection liveliness testing on evictor
> # process runs.  Probably results in best performance.
> ldap.pool.testWhileIdle=true
>
> # Set to true to enable connection liveliness testing before every
> # request to borrow an object from the pool.
> ldap.pool.testOnBorrow=false
>
> # seems like this would be a good one to limit, but, need to test 1st
> #ldap.pool.maxTotal=-1
> # eof
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
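The posted deployerConfigContext.xml references `${ldap.pool.maxTotal}` while the posted cas.properties has that key commented out; Spring's property placeholder configurer refuses to start the context on a placeholder it cannot resolve unless it is told to ignore unresolvable ones or the value arrives from elsewhere (system properties, wm.properties). The following check is an added example, not from the thread or the CAS project, and runs over constructed excerpts shaped like the two posted files (the `ldap.example.invalid` URL is a made-up value):

```python
import re
from xml.etree import ElementTree as ET

# Constructed excerpt in the shape of the posted deployerConfigContext.xml.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="pooledLDAPContextSource"
        class="org.springframework.ldap.pool.factory.PoolingContextSource"
        p:maxActive="${ldap.pool.maxSize}"
        p:maxTotal="${ldap.pool.maxTotal}"
        p:contextSource-ref="LDAPcontextSource" />
  <bean id="LDAPcontextSource"
        class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="urls" value="${ldap.URL}" />
  </bean>
</beans>
"""
# Constructed cas.properties and wm.properties excerpts; maxTotal is
# commented out exactly as in the posted cas.properties.
SAMPLE_CAS_PROPS = """ldap.pool.maxSize=10
#ldap.pool.maxTotal=-1
"""
SAMPLE_WM_PROPS = "ldap.URL=ldap://ldap.example.invalid:389\n"

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
# key, optional '=' or ':' separator, value (no continuation lines or escapes)
PROP_LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")

def load_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def placeholders(xml_text):
    """Every ${...} name used in attribute values or element text."""
    found = set()
    for el in ET.fromstring(xml_text).iter():
        for value in list(el.attrib.values()) + [el.text or ""]:
            found.update(PLACEHOLDER.findall(value))
    return found

def unresolved(xml_text, *property_texts):
    """Placeholders that none of the properties files define, sorted."""
    defined = {}
    for text in property_texts:
        defined.update(load_properties(text))
    return sorted(p for p in placeholders(xml_text) if p not in defined)
```

Run `unresolved` over the real files before deploying a new config to all three load-balanced nodes; a non-empty result means the context will not come up on any of them.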
