Sounds like what you're describing isn't so much about clearpass as it is about how proxy tickets are treated in CAS. Just to be clear, when you mention "slowly", you are actually referring to synchronicity and not performance measures of the replication, correct?
Wouldn't you be able to replicate TGTs synchronously? PGTs and PTs are vicarious in the CAS codebase and aren't yet first-class citizens. If you do need to distinguish between them, you probably would have to rely on ticket IDs for now.

-Misagh

----- Original Message -----
From: "n99" <[email protected]>
To: [email protected]
Sent: Wednesday, October 23, 2013 3:37:21 AM
Subject: [cas-user] cas 3.5.1 PGT replication using ehcache replication

Hi

We are using cas-server-extension-clearpass (using cas proxy tickets) and cas-server-integration-ehcache modules together in cas 3.5.1. Looking at the ticketRegistry.xml file it says

    <bean id="ticketGrantingTicketsCache"
          class="org.springframework.cache.ehcache.EhCacheFactoryBean">
        <description>
            Ticket Granting Tickets (TGT) are valid for the lifetime of the SSO Session. They become invalid either by expiration policy (default 2 hours idle, 8 hours max) or by explicit user sign off via /cas/login. The TGT cache can be replicated slowly because TGT are only manipulated via web user started operations (mostly grant service ticket) and thus benefit of web session affinity.
        </description>
        <property name="cacheName" value="org.jasig.cas.ticket.TicketGrantingTicket" />
        <property name="cacheEventListeners">
            <ref local="ticketRMIAsynchronousCacheReplicator"/>
        </property>
    ................

Use of TGTs does seem to be tied to web user started operations in a browser where you are stuck to one node and so maybe can be replicated slowly.

However if you are using PGTs to obtain a PT it seems PGTs go into the same cache as TGTs and are replicated slowly as well?

However getting a PT using a PGT can be done in code and so you can't rely on hitting the same node which means you can fall foul of the slower replication of PGTs if:

You get the PGT from node 1
Form a request in code using this PGT that goes to node 2 to obtain your PT.

Is the use of both cas-server-extension-clearpass (using cas proxy tickets) and cas-server-integration-ehcache modules together not supported or do I simply need to tune my ticketRMIAsynchronousCacheReplicator?

The code in cas-server-3.5.1/cas-server-integration-ehcache/src/main/java/org/jasig/cas/ticket/registry/EhCacheTicketRegistry.java says

    public void addTicket(final Ticket ticket) {
        final Element element = new Element(ticket.getId(), ticket);
        if (ticket instanceof ServiceTicket) {
            log.debug("Adding service ticket {} to the cache", ticket.getId(), this.serviceTicketsCache.getName());
            this.serviceTicketsCache.put(element);
        } else if (ticket instanceof TicketGrantingTicket) {
            log.debug("Adding ticket granting ticket {} to the cache {}", ticket.getId(), this.ticketGrantingTicketsCache.getName());
            this.ticketGrantingTicketsCache.put(element);
        } else {
            throw new IllegalArgumentException("Invalid ticket type " + ticket);
        }
    }

So doesn't seem to distinguish between TGTs and PGTs.

Any advice or recommendation to open a JIRA appreciated.

Thanks

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
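
Added example, not part of the original thread or of the CAS code base: a minimal two-node model of the race described in the question and of the ticket-ID approach suggested in the reply. It assumes proxy-granting ticket IDs start with "PGT-"; the Node class, the syncForPgt switch and the sample ticket IDs are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.HashMap;
import java.util.Map;
import java.util.Queue;

// Added illustration: a two-node model of the registry, not CAS or Ehcache code.
public class PgtReplicationDemo {

    static class Node {
        final Map<String, String> store = new HashMap<>();   // this node's local cache
        final Queue<String[]> pending = new ArrayDeque<>();  // async puts not yet applied here
        final boolean syncForPgt;  // hypothetical switch: PGT-* goes to a synchronous cache
        Node peer;

        Node(boolean syncForPgt) { this.syncForPgt = syncForPgt; }

        void addTicket(String id, String principal) {
            store.put(id, principal);
            // Assumption: proxy-granting ticket IDs start with "PGT-".
            if (syncForPgt && id.startsWith("PGT-")) {
                peer.store.put(id, principal);                   // visible on the peer before returning
            } else {
                peer.pending.add(new String[] {id, principal});  // visible only after the peer flushes
            }
        }

        // Models the asynchronous replicator delivering queued puts.
        void flush() {
            String[] e;
            while ((e = pending.poll()) != null) store.put(e[0], e[1]);
        }
    }

    // PGT issued on node 1; the proxy-ticket request lands on node 2.
    static boolean node2SeesPgt(boolean syncForPgt, boolean waitForFlush) {
        Node n1 = new Node(syncForPgt), n2 = new Node(syncForPgt);
        n1.peer = n2;
        n2.peer = n1;
        n1.addTicket("TGT-1-constructed", "alice");  // constructed sample IDs
        n1.addTicket("PGT-2-constructed", "alice");
        if (waitForFlush) n2.flush();
        return n2.store.containsKey("PGT-2-constructed");
    }

    public static void main(String[] args) {
        System.out.println("async, immediate request: " + node2SeesPgt(false, false));
        System.out.println("async, after flush:       " + node2SeesPgt(false, true));
        System.out.println("sync for PGT, immediate:  " + node2SeesPgt(true, false));
    }
}
```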
