On 8/5/2013 1:43 PM, Aaron Bennett wrote:

Did you get any decent response from this?

Not yet; but I did send the initial query late on a Friday, so I'm hoping maybe a few will trickle in over the course of the week :).

compose a similar email when I saw yours. I'm hoping I can just use an mmcache ticket registry and let a hardware Load Balancer take care of the session stuff, but the documentation is a little outdated and inconsistent.

Yes; it's a touch disappointing that a security product doesn't have a little bit better documentation on setting it up securely ;), but open source documentation is only as good as the people that contribute to it, so I suppose if I get a reasonably secure replication mechanism set up I should add it to the wiki...

Right now I'm prototyping ehcache based ticket replication, initially with the manual peer discovery and no transport security just to make sure it works and see what the traffic pattern is like. Once I get it working I'm probably going to try and tunnel it through ssh port forwarding to encrypt the transport layer. It would be nice if the replication partners could actually authenticate/authorize each other directly, but if I can get them to listen on/connect to loopback and pass all the traffic through the ssh tunnel that will probably be good enough.

Once I get that working, I'm probably also going to try and cluster the underlying tomcat sessions. While a load balancer with sticky session support can work around not replicating that data, if you drop a server all of the people with sessions on that one will have to re-authenticate on the other one. Depending on your requirements that might be fine, but I'd rather avoid it.

--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  [email protected]
California State Polytechnic University  |  Pomona CA 91768
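As an added example (not code from this thread or from CAS/ehcache), a small POSIX shell check for the loopback-plus-tunnel plan described above: it confirms a replication listener is bound only to loopback, so peers can only reach it through the ssh forward, and prints the matching forward command. The port 40001, the peer name cas2.example.org and the listener table are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that a ticket-replication
# listener is bound only to loopback, so peers reach it solely through the
# ssh tunnel and not directly over the network. Assumes the listener also
# advertises localhost as its host name, so RMI stubs point at the tunnel.
# The port number and the listener table below are constructed for the demo.

REPL_PORT=40001   # assumed replication listener port (the thread gives none)

# Constructed sample in the layout of `ss -Hltn`: one loopback-only listener,
# one listener exposed on every IPv4 interface, one IPv6 wildcard listener.
SAMPLE_LISTENERS='LISTEN 0 50 127.0.0.1:40001 0.0.0.0:*
LISTEN 0 50 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Usage: check_loopback_only PORT [LISTENER_TABLE]
# Reads the table (live `ss -Hltn` output when none is given), prints every
# bind address on PORT that is not loopback, and returns 1 if any was found.
check_loopback_only() {
    port=$1
    table=${2:-$(ss -Hltn 2>/dev/null)}
    exposed=$(printf '%s\n' "$table" | awk -v p="$port" '
        # column 4 is local address:port; split at the last colon
        match($4, /:[0-9]+$/) {
            lport = substr($4, RSTART + 1)
            addr  = substr($4, 1, RSTART - 1)
            if (lport == p && addr != "127.0.0.1" && addr != "[::1]") print $4
        }')
    if [ -n "$exposed" ]; then
        printf 'port %s is reachable off-box on: %s\n' "$port" "$exposed"
        return 1
    fi
    printf 'port %s is loopback-only\n' "$port"
    return 0
}

# Usage: tunnel_command PEER_HOST PORT
# Prints the ssh forward that carries loopback:PORT on this box to
# loopback:PORT on the peer, so replication traffic never leaves the tunnel.
tunnel_command() {
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s\n' "$2" "$2" "$1"
}

check_loopback_only "$REPL_PORT" "$SAMPLE_LISTENERS"
tunnel_command cas2.example.org "$REPL_PORT"
```

A forward only carries connections in one direction, so each node runs its own forward toward the other (or one side adds a matching -R) before both peers can replicate to each other.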
