Hello,
I have a question about an error I'm seeing when using EhCache clustering
support for the Java CAS Client that I'm hoping someone can provide advice
on.
The Java CAS Client is version 3.2.1, the EhCache support library is
version 3.2.1, and the EhCache Core library is 2.2.0. To ensure full
disclosure of my troubleshooting efforts, I did replace EhCache Core 2.2.0
with 2.7.5 but it did not fix our problems, so I reverted to 2.2.0.
EhCache is running asynchronously. Log4j 1.2.17 and SLF4J 1.6.6 are being
used to log EhCache transactions, and our CAS-ified application is using
java.util.logging. All of the above is running on Tomcat 6, and all CAS
Client support libraries for Tomcat 6 are in place. The web application
servers that are clustered are reverse-proxied via a Cisco ACE.
The symptom of the problem I've been seeing is that, at times, the
CAS-ified web application is not able to retrieve a proxy granting ticket
from storage. Because it's unable to retrieve the PGT, the web app fails
to retrieve a proxy ticket for ClearPass.
The specific error output is:

    Aug 28, 2013 10:52:31 AM org.jasig.cas.client.authentication.AttributePrincipalImpl getProxyTicketFor
    FINE: No ProxyGrantingTicket was supplied, so no Proxy Ticket can be retrieved.

The code responsible for triggering a proxy ticket retrieval failure is:

    // Read the assertion stored in the session under the CAS client's key
    HttpSession session = request.getSession();
    Assertion assertion = (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
    AttributePrincipal casPrincipal = assertion.getPrincipal();
    // Comes back null when the principal holds no proxy granting ticket
    proxyTicket = casPrincipal.getProxyTicketFor(clearPassUrl);

After making the request with the proxy ticket, the code then parses the
content of the ClearPass endpoint on our CAS server(s) and retrieves the
content of the clearPassSuccess XML tag. The web application then goes on
its way with the password plus user credentials and replays them.
This error only occurs when clustering is actively used. When one of the
clustered servers is shut off, the web app performs as intended and never
fails to retrieve a proxy ticket, since the response from CAS is returned
to that server only. When clustering is active, the proxy granting ticket
retrieval seems to work most of the time, regardless of which server
receives the ticket in response. In both failure and success scenarios
with clustering active, the EhCache implementation is successfully putting
tickets to its respective cluster peer.
My remedies have focused on retrying proxy granting ticket retrieval and
timing retrieval in hopes that it was EhCache not replicating fast enough.
I've put the web app thread to sleep for various times, but that has no
effect on the issue. I also attempted to retry proxy ticket retrieval by
looping n times until proxy ticket retrieval is possible (i.e. while
(proxyTicket == null && attempt <= n) { ... }). The proxy ticket is never
retrieved because the proxy granting ticket is never available, so the loop
fails eventually after hitting n attempts. I don't see the proxy granting
ticket being consumed at the other web app server.
Has anyone else dealt with this situation? Thanks for any input.
--Ken
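
A constructed model of the timing the message describes (proxy callback on one peer, asynchronous replication, validation on the other peer, then retries), added here as an example; it is not code from the original post or from the CAS client. The class and method names are hypothetical, and the model assumes the PGTIOU-to-PGT lookup happens once, when the service ticket is validated, with the result kept on the session's principal.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Constructed model, not CAS client code: two peers whose PGT stores replicate asynchronously. */
public class PgtReplicationModel {

    /** One node: a local PGTIOU -> PGT store plus the PGT its session principal ended up with. */
    static class Node {
        final Map<String, String> store = new ConcurrentHashMap<String, String>();
        String sessionPgt;

        /** Assumption: the PGTIOU is resolved once, at ticket validation, and the result is kept. */
        void validate(String pgtIou) {
            sessionPgt = store.get(pgtIou);
        }

        /** Same outcome as the logged symptom: no PGT on the principal, so no proxy ticket. */
        String proxyTicketFor(String service) {
            return sessionPgt == null ? null : "PT-for-" + service;
        }
    }

    /** Returns the proxy ticket node B obtains after retrying up to `attempts` times. */
    static String run(boolean replicatedBeforeValidation, int attempts) {
        Node a = new Node();
        Node b = new Node();
        a.store.put("PGTIOU-1", "PGT-1");          // proxy callback from CAS lands on node A
        if (replicatedBeforeValidation) {
            b.store.putAll(a.store);               // replication wins the race
        }
        b.validate("PGTIOU-1");                    // validation response is handled on node B
        b.store.putAll(a.store);                   // replication catches up (no-op if already done)
        String proxyTicket = null;
        for (int attempt = 1; proxyTicket == null && attempt <= attempts; attempt++) {
            proxyTicket = b.proxyTicketFor("clearPass"); // retry loop as described in the message
        }
        return proxyTicket;
    }

    public static void main(String[] args) {
        System.out.println("replicated before validation: " + run(true, 1));
        System.out.println("replicated after validation:  " + run(false, 50));
    }
}
```

Under that assumption the number of retries is irrelevant in the late-replication case, because each retry reads the principal already stored in the session and never consults the store again.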