Hi Leonid,

The AuthenticationManager implementations shipping with CAS treat an
exception thrown by any of their configured AuthenticationHandlers as a
failure of the user login, and interrogate these handlers serially.
They do not have the feature of interrogating configured handlers in
serial, nor do they have the feature of succeeding the authentication
when one or more handlers fail with an exception but one succeeds.

One approach is to provide a higher availability LDAP for CAS to talk to
-- that is, implement the load balancing and failover over your LDAP
behind a single LDAP interface abstraction for CAS to access, moving
this error handling problem out of CAS and into the institutional LDAP
service. Not saying you're going to find this option attractive, just
saying it's an option.

Another approach would be to develop a more sophisticated,
error-handling, parallelized AuthenticationManager. Sounds like
something that ought to be developed.

However. The existing AuthenticationManager implementations *do* treat
an AuthenticationHandler returning false differently from an
AuthenticationHandler throwing an exception, in that an exception fails
the whole authentication attempt, whereas returning false instructs the
AuthenticationManager to try another. This doesn't address trying the
handlers in parallel, but it does address trying another
AuthenticationHandler when one fails. You might therefore produce a
modified AuthenticationHandler that catches its exceptions and returns
false rather than percolating them up (or perhaps a wrapper
AuthenticationHandler implementation that does this, or a fancy Aspect,
or whatever...) Plugging such a
false-returning-rather-than-exception-throwing AuthenticationHandler
into the existing AuthenticationManagerImpl would result in failover
across the handlers. You might even implement a timeout behavior in the
wrapper, such that it invokes the wrapped handler in a separate thread
and expeditiously returns false at a timeout so that the
AuthenticationManager will move on and try another handler before the
user completely loses patience.

Andrew

On 08/31/2011 08:26 AM, Leonid Batizhevsky wrote:
Hello, please say what to do if one of my LDAPs is down? CAS didn't work
correctly with this case.
--
View this message in context:
http://jasig.275507.n4.nabble.com/CAS-Multiple-BindLdapAuthenticationHandler-tp2133071p3780829.html
Sent from the CAS Users mailing list archive at Nabble.com.
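
The wrapper with timeout described in the reply above, as an added example (not code from the message or from the CAS project). `Handler`, `FailSoftHandler` and `login` are hypothetical stand-ins for CAS's AuthenticationHandler and a serial AuthenticationManager; the sample handlers and credentials are constructed. The wrapper fails closed: an error or timeout can only ever yield false, never a successful login.

```java
import java.util.List;
import java.util.concurrent.*;

public class FailSoftDemo {
    // Hypothetical, simplified stand-in for CAS's AuthenticationHandler
    // (assumption: the real interface takes a credentials object, not two strings).
    interface Handler { boolean authenticate(String user, String password) throws Exception; }

    // Wrapper: an exception or timeout in the wrapped handler becomes "false",
    // so a serial manager moves on to the next handler instead of aborting.
    static final class FailSoftHandler implements Handler {
        private final Handler delegate;
        private final long timeoutMillis;
        // Daemon threads so a hung directory call cannot block JVM shutdown.
        // Assumption: unbounded pool for brevity; bound it in a real deployment
        // so an outage cannot pile up stuck threads.
        private final ExecutorService pool = Executors.newCachedThreadPool(r -> {
            Thread t = new Thread(r, "auth-wrapper");
            t.setDaemon(true);
            return t;
        });

        FailSoftHandler(Handler delegate, long timeoutMillis) {
            this.delegate = delegate;
            this.timeoutMillis = timeoutMillis;
        }

        @Override public boolean authenticate(String user, String password) {
            Callable<Boolean> call = () -> delegate.authenticate(user, password);
            Future<Boolean> f = pool.submit(call);
            try {
                return f.get(timeoutMillis, TimeUnit.MILLISECONDS);
            } catch (TimeoutException | ExecutionException e) {
                f.cancel(true);  // interrupt the stuck call
                // Record the outage so it is not mistaken for a bad password; never log the password.
                System.err.println("auth handler unavailable (user=" + user + "): " + e);
                return false;
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                f.cancel(true);
                return false;
            }
        }
    }

    // Serial manager as the reply describes it: first "true" wins, a thrown exception fails the login.
    static boolean login(List<Handler> handlers, String u, String p) throws Exception {
        for (Handler h : handlers) if (h.authenticate(u, p)) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        Handler down = (u, p) -> { throw new java.io.IOException("LDAP 1 unreachable"); };
        Handler hung = (u, p) -> { Thread.sleep(60_000); return true; };
        Handler up = (u, p) -> "alice".equals(u) && "s3cret".equals(p);  // constructed credentials
        List<Handler> hs = List.of(new FailSoftHandler(down, 500), new FailSoftHandler(hung, 500), up);
        System.out.println(login(hs, "alice", "s3cret") + " " + login(hs, "alice", "wrong"));
    }
}
```

Without the wrappers, the first handler's IOException would abort the login before the healthy handler was ever consulted.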