Hi please see below

On Thursday, 24 October 2013 18:27:20 UTC+1, Misagh Moayyed wrote:
>
> Sounds like what you're describing isn't so much about clearpass than it
> is about how proxy tickets are treated in CAS.
>
yes, but specifically how TGTs are treated in a CAS that has been configured to replicate using the provided ehcache module available from version 3.5 onwards

> Just to be clear, when you mention "slowly", you are actually referring to
> synchronicity and not performance measures of the replication, correct?
>
yes

>
> Wouldn't you be able to replicate TGTs synchronously?
>
I would think so and I will test this. I've already tried severely dropping the replicationInterval in the ticketRMIAsynchronousCacheReplicator and this helps.

>
> PGTs and PTs are vicarious in the CAS codebase and aren't yet first class
> citizens. If you do require to distinguish between them, you probably would
> have to rely on ticket IDs for now.
>
I think the main issue is that in a clustered CAS setup, using the recommended ehcache maven overlay configured module, that the caching config supplied doesn't support installers who then want to use CAS Proxying as they will find the provided ehcache config will replicate their TGTs too slowly and cause errors when trying to get PTs

Cheers

>
> -Misagh
> ------------------------------
> *From: *"n99" <[email protected]>
> *To: *[email protected]
> *Sent: *Wednesday, October 23, 2013 3:37:21 AM
> *Subject: *[cas-user] cas 3.5.1 PGT replication using ehcache replication
>
> Hi
>
> We are using cas-server-extension-clearpass (using cas proxy tickets) and
> cas-server-integration-ehcache modules together in cas 3.5.1.
>
> Looking at the ticketRegistry.xml file it says
>
> <bean id="ticketGrantingTicketsCache"
>       class="org.springframework.cache.ehcache.EhCacheFactoryBean">
>
>     <description>
>         Ticket Granting Tickets (TGT) are valid for the lifetime of
>         the SSO Session. They become invalid either
>         by expiration policy (default 2 hours idle, 8 hours max) or by
>         explicit user sign off via /cas/login.
>         The TGT cache can be replicated slowly because TGT are only
>         manipulated via web user started operations
>         (mostly grant service ticket) and thus benefit of web session
>         affinity.
>     </description>
>
>     <property name="cacheName"
>               value="org.jasig.cas.ticket.TicketGrantingTicket" />
>
>     <property name="cacheEventListeners">
>         <ref local="ticketRMIAsynchronousCacheReplicator"/>
>     </property>
>
> ................
>
>
> Use of TGTs does seem to be tied to web user started operations in a
> browser where you are stuck to one node and so maybe can be replicated
> slowly.
> However if you are using PGTs to obtain a PT it seems PGTs go into the
> same cache as TGTs and are replicated slowly as well?
>
> However getting a PT using a PGT can be done in code and so you can't rely
> on hitting the same node which means you can fall foul of the slower
> replication of PGTs if:
>
> You get the PGT from node 1
> Form a request in code using this PGT that goes to node 2 to obtain your
> PT.
>
> Are the use of both cas-server-extension-clearpass (using cas proxy
> tickets) and cas-server-integration-ehcache modules together not supported
> or do I simply need to tune my ticketRMIAsynchronousCacheReplicator?
>
> The code in
> cas-server-3.5.1/cas-server-integration-ehcache/src/main/java/org/jasig/cas/ticket/registry/EhCacheTicketRegistry.java
> says
>
>
> public void addTicket(final Ticket ticket) {
>     final Element element = new Element(ticket.getId(), ticket);
>     if (ticket instanceof ServiceTicket) {
>         log.debug("Adding service ticket {} to the cache",
>                 ticket.getId(), this.serviceTicketsCache.getName());
>         this.serviceTicketsCache.put(element);
>     } else if (ticket instanceof TicketGrantingTicket) {
>         log.debug("Adding ticket granting ticket {} to the cache {}",
>                 ticket.getId(), this.ticketGrantingTicketsCache.getName());
>         this.ticketGrantingTicketsCache.put(element);
>     } else {
>         throw new IllegalArgumentException("Invalid ticket type " +
>                 ticket);
>     }
> }
>
> So doesn't seem to distinguish between TGTs and PGTs
>
> Any advice or recommendation to open a JIRA appreciated
>
> Thanks
>

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
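
The synchronous replication asked about in this thread, as an added configuration sketch that is not part of the original messages or of the CAS distribution: it points the TGT cache (which the thread reports also holds PGTs) at Ehcache's `RMISynchronousCacheReplicator` instead of the asynchronous replicator. The bean id `tgtSynchronousCacheReplicator` is an assumed name, and the cache properties elided in the quoted post are omitted here too.

```xml
<!-- Added example, not from the CAS distribution.
     "tgtSynchronousCacheReplicator" is an assumed bean id. -->
<bean id="tgtSynchronousCacheReplicator"
      class="net.sf.ehcache.distribution.RMISynchronousCacheReplicator">
    <!-- replicatePuts: push newly added tickets to the peers -->
    <constructor-arg index="0" value="true"/>
    <!-- replicatePutsViaCopy: send the ticket itself; with false the
         peers would only receive a remove for that key -->
    <constructor-arg index="1" value="true"/>
    <!-- replicateUpdates -->
    <constructor-arg index="2" value="true"/>
    <!-- replicateUpdatesViaCopy -->
    <constructor-arg index="3" value="true"/>
    <!-- replicateRemovals: propagate sign-off and expiry removals -->
    <constructor-arg index="4" value="true"/>
</bean>

<bean id="ticketGrantingTicketsCache"
      class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheName"
              value="org.jasig.cas.ticket.TicketGrantingTicket"/>
    <!-- With a synchronous replicator the put is sent to the peers
         before addTicket() returns, which narrows the window in which
         a PT request on another node cannot see a freshly issued PGT.
         Remaining properties of the original bean are omitted. -->
    <property name="cacheEventListeners">
        <ref local="tgtSynchronousCacheReplicator"/>
    </property>
</bean>
```

The cost is that every TGT/PGT write now waits on an RMI call to each peer, so ticket issuance latency grows with cluster size and peer responsiveness.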
