thanks - will do. how would I recognise a PGT by its id? Cheers
On Monday, 28 October 2013 17:20:50 UTC, Misagh Moayyed wrote:
>
> Thanks for the update. Splitting the proxy cache separate from the TGT/ST
> cache sounds like a plausible change. I'd encourage you to file a JIRA
> against 4.1 release or later as the change ideally would require a logical
> separation of PGTs and PTs from their counterparts and that's a rather big
> change to the codebase.
>
> For the time being, and if you do actually require to replicate PGTs
> separately and synchronously separate from TGTs, you'd have to do a bit of
> coding to only recognize a PGT by its id and put it into a separate cache
> instance.
>
> -Misagh
> ------------------------------
> *From: *"n99" <[email protected]>
> *To: *[email protected]
> *Cc: *[email protected], [email protected], [email protected]
> *Sent: *Monday, October 28, 2013 8:07:17 AM
> *Subject: *Re: [cas-user] cas 3.5.1 PGT replication using ehcache replication
>
> Hi
> please see below
>
> On Thursday, 24 October 2013 18:27:20 UTC+1, Misagh Moayyed wrote:
>>
>> Sounds like what you're describing isn't so much about clearpass than it
>> is about how proxy tickets are treated in CAS.
>>
>
> yes, but specifically how TGTs are treated in a CAS that has been
> configured to replicate using the provided ehcache module available from
> version 3.5 onwards
>
>> Just to be clear, when you mention "slowly", you are actually referring
>> to synchronicity and not performance measures of the replication, correct?
>>
> yes
>
>>
>> Wouldn't you be able to replicate TGTs synchronously?
>>
> I would think so and I will test this. I've already
> tried severely dropping the replicationInterval in
> the ticketRMIAsynchronousCacheReplicator and this helps.
>
>>
>> PGTs and PTs are vicarious in the CAS codebase and aren't yet first class
>> citizens. If you do require to distinguish between them, you probably would
>> have to rely on ticket IDs for now.
>>
>
> I think the main issue is that in a clustered CAS setup, using the
> recommended ehcache maven overlay configured module, that the caching config
> supplied doesn't support installers who then want to use CAS Proxying as
> they will find the provided ehcache config will replicate their TGTs too
> slowly and cause errors when trying to get PTs
> Cheers
>
>>
>> -Misagh
>> ------------------------------
>> *From: *"n99" <[email protected]>
>> *To: *[email protected]
>> *Sent: *Wednesday, October 23, 2013 3:37:21 AM
>> *Subject: *[cas-user] cas 3.5.1 PGT replication using ehcache replication
>>
>> Hi
>>
>> We are using cas-server-extension-clearpass (using cas proxy tickets) and
>> cas-server-integration-ehcache modules together in cas 3.5.1.
>>
>> Looking at the ticketRegistry.xml file it says
>>
>> <bean id="ticketGrantingTicketsCache"
>>       class="org.springframework.cache.ehcache.EhCacheFactoryBean">
>>     <description>
>>         Ticket Granting Tickets (TGT) are valid for the lifetime of
>>         the SSO Session. They become invalid either
>>         by expiration policy (default 2 hours idle, 8 hours max) or
>>         by explicit user sign off via /cas/login.
>>         The TGT cache can be replicated slowly because TGT are only
>>         manipulated via web user started operations
>>         (mostly grant service ticket) and thus benefit of web session
>>         affinity.
>>     </description>
>>
>>     <property name="cacheName"
>>               value="org.jasig.cas.ticket.TicketGrantingTicket" />
>>
>>     <property name="cacheEventListeners">
>>         <ref local="ticketRMIAsynchronousCacheReplicator"/>
>>     </property>
>>
>> ................
>>
>>
>> Use of TGTs does seem to be tied to web user started operations in a
>> browser where you are stuck to one node and so maybe can be replicated
>> slowly.
>> However if you are using PGTs to obtain a PT it seems PGTs go into the
>> same cache as TGTs and are replicated slowly as well?
>>
>> However getting a PT using a PGT can be done in code and so you can't
>> rely on hitting the same node which means you can fall foul of the slower
>> replication of PGTs if:
>>
>> You get the PGT from node 1
>> Form a request in code using this PGT that goes to node 2 to obtain your
>> PT.
>>
>> Are the use of both cas-server-extension-clearpass (using cas proxy
>> tickets) and cas-server-integration-ehcache modules together not supported
>> or do I simply need to tune my ticketRMIAsynchronousCacheReplicator?
>>
>> The code in
>> cas-server-3.5.1/cas-server-integration-ehcache/src/main/java/org/jasig/cas/ticket/registry/EhCacheTicketRegistry.java
>> says
>>
>>
>> public void addTicket(final Ticket ticket) {
>>     final Element element = new Element(ticket.getId(), ticket);
>>     if (ticket instanceof ServiceTicket) {
>>         log.debug("Adding service ticket {} to the cache",
>>                 ticket.getId(), this.serviceTicketsCache.getName());
>>         this.serviceTicketsCache.put(element);
>>     } else if (ticket instanceof TicketGrantingTicket) {
>>         log.debug("Adding ticket granting ticket {} to the cache {}",
>>                 ticket.getId(), this.ticketGrantingTicketsCache.getName());
>>         this.ticketGrantingTicketsCache.put(element);
>>     } else {
>>         throw new IllegalArgumentException("Invalid ticket type " +
>>                 ticket);
>>     }
>> }
>>
>> So doesn't seem to distinguish between TGTs and PGTs
>>
>> Any advice or recommendation to open a JIRA appreciated
>>
>> Thanks
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
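
The suggestion in the quoted reply, recognising a PGT by its id and putting it into a separate cache instance, could look like the following. This is an added example, not code from the thread or from the CAS project. The class `PrefixTicketRouter`, the `Region` enum and the in-memory maps standing in for Ehcache instances are hypothetical, and the id prefixes are an assumption to confirm against the ids your own servers issue.

```java
import java.util.EnumMap;
import java.util.HashMap;
import java.util.Map;

public class PrefixTicketRouter {

    /** Hypothetical cache regions; PROXY_GRANTING is the extra, separately replicated one. */
    enum Region { TICKET_GRANTING, PROXY_GRANTING, SERVICE }

    // Assumption: ids carry the conventional CAS prefixes (the protocol
    // specification recommends "PGT-" for proxy-granting tickets).
    static final String PGT = "PGT-", TGT = "TGT-", ST = "ST-", PT = "PT-";

    // In-memory maps stand in for the Ehcache instances of a real registry.
    private final Map<Region, Map<String, Object>> caches = new EnumMap<>(Region.class);

    PrefixTicketRouter() {
        for (Region r : Region.values()) {
            caches.put(r, new HashMap<>());
        }
    }

    /** Chooses the cache region from the ticket id alone. */
    static Region regionFor(String id) {
        if (id == null) {
            throw new IllegalArgumentException("Ticket id is null");
        }
        // "PGTIOU-..." does not match "PGT-" and falls through to the rejection below.
        if (id.startsWith(PGT)) return Region.PROXY_GRANTING;
        if (id.startsWith(TGT)) return Region.TICKET_GRANTING;
        if (id.startsWith(ST) || id.startsWith(PT)) return Region.SERVICE;
        // Ticket ids are bearer secrets, so only the leading characters are reported.
        String head = id.substring(0, Math.min(4, id.length()));
        throw new IllegalArgumentException("Unrecognised ticket id prefix: " + head);
    }

    void addTicket(String id, Object ticket) {
        caches.get(regionFor(id)).put(id, ticket);
    }

    public static void main(String[] args) {
        PrefixTicketRouter registry = new PrefixTicketRouter();
        // Constructed sample ids, not taken from any real deployment.
        String[] ids = {"TGT-1-exampleA-cas1", "PGT-2-exampleB-cas1", "ST-3-exampleC-cas1"};
        for (String id : ids) {
            registry.addTicket(id, new Object());
            System.out.println(id.substring(0, 4) + " -> " + regionFor(id));
        }
    }
}
```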
