I would say given that we now have more advanced authentication, and hence
session management options, I think SessionDebugFilter probably needs to get
a little smarter, and be able to filter out situations like this.

It might make sense to not hardcode it in web.xml but instead wire it in
via Spring. Given that it's really more of a developer tool anyway, I don't
see this as too much burden. That would make it more accessible to other
beans in the Spring container for configuring it. For instance, perhaps we
need to add a set of URL patterns to it that form the allowable set of URLs
from which a session can be created.

Just some ideas.

On Sun, Sep 16, 2012 at 7:10 AM, Christian Mueller <[email protected]> wrote:
> During testing CAS authentication for OGC services I see a stack trace in
> the log because of creating an HTTP session not in the /geoserver/web/**
> path. So far so good.
>
> There are 2 possibilities for CAS ticket authentication for stateless
> requests like http://localhost:8080/geoserver/wms?request=getCapabilities
>
> 1) The client requests a service/proxy ticket from the CAS server for the
> service
> http://localhost:8080/geoserver/wms?request=getCapabilities
> and Geoserver validates the ticket using the CAS server. After validation,
> Geoserver knows the user name. The ticket can be validated only once. (This
> is the standard CAS configuration). In this scenario, TWO additional HTTP
> requests to the CAS server are necessary for EACH stateless Geoserver
> request. This is quite a performance penalty.
>
> 2) As an alternative, the GeoServer CAS configuration has the option of
> creating an HTTP session. In this scenario, only the first request has
> the performance penalty; subsequent requests can use the session cookie.
>
> Caching the CAS tickets is not an option since it may happen that different
> users receive an identical ticket over time.
>
> At the end of the day, the GeoServer admin has to decide between these two
> options. Looking at SessionDebugFilter.java and web.xml, I see no easy way
> to avoid the stack trace in such situations.
>
> Any ideas?
> Christian
> _______________________________________________
> Geoserver-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
>
--
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.
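
An added example, not part of the original message and not GeoServer's code: a sketch of the idea above, a session-debug servlet filter that takes a configurable set of paths from which a session may be created and logs a stack trace only for creations outside that set. The class name, logger name, the `/web/` default and the use of simple path prefixes instead of full URL patterns are assumptions; it targets the javax.servlet API.

```java
import java.io.IOException;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical class for illustration; not GeoServer's SessionDebugFilter.
public class AllowListSessionDebugFilter implements Filter {
    private static final Logger LOG = Logger.getLogger("session.debug");
    // Assumed default: only the web UI may create sessions.
    private volatile List<String> allowedPrefixes = List.of("/web/");

    // Setter so a Spring bean definition can supply the allowed paths.
    public void setAllowedPrefixes(List<String> prefixes) {
        allowedPrefixes = List.copyOf(prefixes);
    }

    // path is relative to the context root, e.g. "/wms" or "/web/index.html".
    static boolean mayCreateSession(String path, List<String> prefixes) {
        return path != null && prefixes.stream().anyMatch(path::startsWith);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        final HttpServletRequest http = (HttpServletRequest) req;
        String info = http.getPathInfo();
        final String path = http.getServletPath() + (info == null ? "" : info);
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public HttpSession getSession() { return getSession(true); }
            @Override public HttpSession getSession(boolean create) {
                // Report only a real creation that happens outside the allowed paths.
                boolean creating = create && super.getSession(false) == null;
                if (creating && !mayCreateSession(path, allowedPrefixes)
                        && LOG.isLoggable(Level.FINE)) {
                    LOG.log(Level.FINE, "Session created outside allowed paths: " + path,
                            new Exception("session creation trace"));
                }
                return super.getSession(create);
            }
        }, res);
    }
}
```

With this shape, a deployment that lets CAS create sessions for OGC requests would add those service paths to `allowedPrefixes`, while any other unexpected session creation still produces a trace.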