I finished setting up an initial standalone CAS server, and am now
moving on to getting redundant servers set up behind a load balancer.
The first page of the documentation
(https://wiki.jasig.org/display/CASUM/Home) says:
----
Additionally, session state replication is unnecessary since tickets
stored in the registry contain the authenticated state of users, which
allows a CAS server node to fail without users losing their SSO session
state.
----
OTOH, the documentation on clustering
(https://wiki.jasig.org/display/CASUM/Clustering+CAS) says:
----
Since CAS stores the login information in the application session we
need to setup session replication between our Tomcat instances.
----
It looks like the main page of the documentation was never updated after
the transition to Spring Webflow 2.0+, which per the clustering page
lost the ability to store sessions on the client side?
So my understanding of the current state is that you must both replicate
Tomcat sessions and use a replicated ticket registry to
accomplish clustering?
We are initially planning to deploy 2-3 instances in our local data
center, but eventually plan to deploy at least one at our remote DR
site. From an initial review of the available ticket registry
implementations, it looks like either the ehcache or memcache options
would best suit our needs (I don't really want to involve a database in
our CAS deployment). Is either of those better supported/more popular
than the other?
It looks like the default for both ticket registry replication and
Tomcat session registration uses multicast with autodiscovery, without
any apparent encryption/authentication/authorization layer? I wouldn't
be on board with that just in my own data center :); for replication to
the remote DR site that's definitely a no-go. The cluster page says
"Implementing clustering introduces CAS server security concerns", which
is understandable, but I can't find any documentation or discussion as
far as alleviating them? For those people doing clustering, what
approaches are you taking to make the replication secure?
Thanks for any feedback…
--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | [email protected]
California State Polytechnic University | Pomona CA 91768