Thanks for the update. Splitting the proxy cache separate from the TGT/ST cache 
sounds like a plausible change. I'd encourage you to file a JIRA against the 4.1 
release or later as the change ideally would require a logical separation of 
PGTs and PTs from their counterparts and that's a rather big change to the 
codebase. 


For the time being, and if you do actually require to replicate PGTs separately 
and synchronously separate from TGTs, you'd have to do a bit of coding to only 
recognize a PGT by its id and put it into a separate cache instance. 


-Misagh 
----- Original Message -----

From: "n99" <[email protected]> 
To: [email protected] 
Cc: [email protected], [email protected], [email protected] 
Sent: Monday, October 28, 2013 8:07:17 AM 
Subject: Re: [cas-user] cas 3.5.1 PGT replication using ehcache replication 


Hi 
please see below 

On Thursday, 24 October 2013 18:27:20 UTC+1, Misagh Moayyed wrote: 



Sounds like what you're describing isn't so much about clearpass than it is 
about how proxy tickets are treated in CAS. 




yes, but specifically how TGTs are treated in a CAS that has been configured to 
replicate using the provided ehcache module available from version 3.5 onwards 

<blockquote>


Just to be clear, when you mention "slowly", you are actually referring to 
synchronicity and not performance measures of the replication, correct? 
</blockquote>

yes 
<blockquote>





Wouldn't you be able to replicate TGTs synchronously? 

</blockquote>

I would think so and I will test this. I've already tried severely dropping the 
replicationInterval in the ticketRMIAsynchronousCacheReplicator and this helps. 

<blockquote>






PGTs and PTs are vicarious in the CAS codebase and aren't yet first class 
citizens. If you do require to distinguish between them, you probably would 
have to rely on ticket IDs for now. 

</blockquote>



I think the main issue is that in a clustered CAS setup, using the recommended 
ehcache maven overlay configured module, that the caching config 
supplied doesn't support installers who then want to use CAS Proxying as they 
will find the provided ehcache config will replicate their TGTs too slowly and 
cause errors when trying to get PTs 
Cheers 
<blockquote>






-Misagh 


From: "n99" < [email protected] > 
To: [email protected] 
Sent: Wednesday, October 23, 2013 3:37:21 AM 
Subject: [cas-user] cas 3.5.1 PGT replication using ehcache replication 


Hi 


We are using cas-server-extension-clearpass (using cas proxy tickets) and 
cas-server-integration-ehcache modules together in cas 3.5.1. 


Looking at the ticketRegistry.xml file it says 



<bean id="ticketGrantingTicketsCache"
      class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <description>
        Ticket Granting Tickets (TGT) are valid for the lifetime of the SSO Session.
        They become invalid either
        by expiration policy (default 2 hours idle, 8 hours max) or by explicit user
        sign off via /cas/login.
        The TGT cache can be replicated slowly because TGT are only manipulated via web
        user started operations
        (mostly grant service ticket) and thus benefit of web session affinity.
    </description>

    <property name="cacheName" value="org.jasig.cas.ticket.TicketGrantingTicket" />

    <property name="cacheEventListeners">
        <ref local="ticketRMIAsynchronousCacheReplicator"/>
    </property>

    ................




Use of TGTs does seem to be tied to web user started operations in a browser 
where you are stuck to one node and so maybe can be replicated slowly. 
However if you are using PGTs to obtain a PT it seems PGTs go into the same 
cache as TGTs and are replicated slowly as well? 


However getting a PT using a PGT can be done in code and so you can't rely on 
hitting the same node which means you can fall foul of the slower replication 
of PGTs if: 


You get the PGT from node 1 
Form a request in code using this PGT that goes to node 2 to obtain your PT. 


Is the use of both cas-server-extension-clearpass (using cas proxy tickets) 
and cas-server-integration-ehcache modules together not supported, or do I 
simply need to tune my ticketRMIAsynchronousCacheReplicator? 



The code in 
cas-server-3.5.1/cas-server-integration-ehcache/src/main/java/org/jasig/cas/ticket/registry/EhCacheTicketRegistry.java
 
says 





public void addTicket(final Ticket ticket) {
    final Element element = new Element(ticket.getId(), ticket);
    if (ticket instanceof ServiceTicket) {
        log.debug("Adding service ticket {} to the cache", ticket.getId(),
                this.serviceTicketsCache.getName());
        this.serviceTicketsCache.put(element);
    } else if (ticket instanceof TicketGrantingTicket) {
        log.debug("Adding ticket granting ticket {} to the cache {}", ticket.getId(),
                this.ticketGrantingTicketsCache.getName());
        this.ticketGrantingTicketsCache.put(element);
    } else {
        throw new IllegalArgumentException("Invalid ticket type " + ticket);
    }
}


So doesn't seem to distinguish between TGTs and PGTs 


Any advice or recommendation to open a JIRA appreciated 


Thanks 

-- 
You are currently subscribed to [email protected] as: [email protected] 
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user 
</blockquote>
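
A small model of the workaround suggested at the top of this thread, added here as an illustration and not code from CAS or from either poster: tickets whose id carries a PGT prefix are routed to a synchronously replicated cache, while other TGTs stay in the asynchronous one. The `Cache` and `Node` classes are stand-ins for Ehcache and the ticket registry, the ticket ids are constructed, and the `PGT-` prefix is an assumption to check against the ids your deployment actually issues.

```java
import java.util.*;
/** Added illustration; Cache and Node are stand-ins, not CAS or Ehcache classes. */
public class PgtRoutingDemo {
    static final String PGT_PREFIX = "PGT-"; // assumption: verify against issued ids

    /** One node's copy of a cache; puts reach the peer at once or on flush(). */
    static class Cache {
        final Map<String, String> local = new HashMap<>();
        final List<String[]> pending = new ArrayList<>();
        final boolean synchronous;
        Cache peer;
        Cache(boolean synchronous) { this.synchronous = synchronous; }
        void put(String id, String value) {
            local.put(id, value);
            if (synchronous) peer.local.put(id, value);       // visible cluster-wide now
            else pending.add(new String[] {id, value});       // waits for the interval
        }
        void flush() {                                        // replicationInterval elapsed
            for (String[] e : pending) peer.local.put(e[0], e[1]);
            pending.clear();
        }
    }

    /** One CAS node: PGTs go to the synchronous cache, other TGTs stay asynchronous. */
    static class Node {
        final Cache tgtCache = new Cache(false);
        final Cache pgtCache = new Cache(true);
        Cache cacheFor(String id) { return id.startsWith(PGT_PREFIX) ? pgtCache : tgtCache; }
        void addTicket(String id, String principal) { cacheFor(id).put(id, principal); }
        boolean hasTicket(String id) { return cacheFor(id).local.containsKey(id); }
    }

    static Node[] cluster() {
        Node a = new Node(), b = new Node();
        a.tgtCache.peer = b.tgtCache; b.tgtCache.peer = a.tgtCache;
        a.pgtCache.peer = b.pgtCache; b.pgtCache.peer = a.pgtCache;
        return new Node[] {a, b};
    }

    public static void main(String[] args) {
        Node[] n = cluster();
        n[0].addTicket("TGT-1-constructed", "alice");         // browser login on node 1
        n[0].addTicket("PGT-1-constructed", "alice");         // proxy callback on node 1
        // A proxy-ticket request from code lands on node 2 before the interval elapses.
        System.out.println("node 2 sees TGT: " + n[1].hasTicket("TGT-1-constructed"));
        System.out.println("node 2 sees PGT: " + n[1].hasTicket("PGT-1-constructed"));
        n[0].tgtCache.flush();
        System.out.println("node 2 sees TGT after flush: " + n[1].hasTicket("TGT-1-constructed"));
    }
}
```

In a real registry the same prefix check would sit in `addTicket` and in the lookup and delete paths, so that a PGT is always read from the cache it was written to.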

