CAS server to client - Attribute release issue in clustered environment


Morning Star

Jul 18, 2021, 1:33:20 PM
to CAS Community
Hi Team,

CAS Server : 6.3.3 
CAS Client : 3.6.2

We are facing a peculiar issue in production. This issue is specific to a clustered environment. While communicating from one server to another server, CAS releases the wrong "UID".

We have 3 servers in PROD: CASPROD1, CASPROD2, CASPROD3.
Scenario 1:
When the user logs in, the CAS server releases the attribute UID on CASPROD1 after successful authentication. While communicating to the CAS client, CAS releases the same UID attribute if the request reaches the same server instance, CASPROD1. This is working fine.

Scenario 2:
When the user logs in, the CAS server releases the attribute UID on CASPROD1 after successful authentication. While communicating to the CAS client, if the second server handles the request, CAS releases a different UID (one that is already available on the CASPROD2 server).

LDAP properties:
cas.authn.ldap[0].order=0
cas.authn.ldap[0].ldapUrl=https://xxxx
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=
cas.authn.ldap[0].searchFilter=email={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=xxxxxx
cas.authn.ldap[0].bindCredential=xxxx

cas.authn.ldap[0].principalAttributeId=ui
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].principalAttributeList=userStatus,tryCount,uid,CN,email
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=false
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].blockWaitTime=5000

Hazelcast properties:
cas.ticket.registry.hazelcast.page-size=500
#cas.ticket.registry.hazelcast.cluster.size=3
cas.ticket.registry.hazelcast.cluster.members=10.34.xxx.58,10.34.xxx.57,10.34.xxx.59
cas.ticket.registry.hazelcast.cluster.instance-name=10.34.xxx.57(have given this correctly for all server instances)
cas.ticket.registry.hazelcast.cluster.port=5701
cas.ticket.registry.hazelcast.enable-compression=false
cas.ticket.registry.hazelcast.enable-management-center-scripting=true
cas.ticket.registry.hazelcast.crypto.enabled=true
cas.ticket.registry.hazelcast.cluster.asyncBackupCount=1
cas.ticket.registry.hazelcast.cluster.backupCount=0
cas.ticket.registry.hazelcast.crypto.signing.key=7cQ-XUjlbIWahxBUD8IVVW6j7erYyuAmXn7m4O4CpdNpPaxNf1P5ka1JPa-V_T2UryZYtRPOzy1rhjIGQ7kQug
cas.ticket.registry.hazelcast.crypto.signing.keySize=512
cas.ticket.registry.hazelcast.crypto.encryption.key=Sx1MbKtfrP-36ysDRkNXWA
cas.ticket.registry.hazelcast.crypto.encryption.keySize=16
cas.ticket.registry.hazelcast.crypto.alg=AES

CAS server Logs:
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication  Creating LDAP principal for [TX...@test.com] based on [uid=8886927f-ea0f-4129-8097-b72e52a58591,ou=secure,dc=Consumer,dc=insurance,dc=com] and attributes [[uid, cn, email, userStatus, tryCount]]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication  Retrieved principal id attribute [TX...@test.com]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication  LDAP principal identifier created is [TX...@test.com]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication  The following attributes are requested to be retrieved and mapped: [[]]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication  Found principal attribute: [org.ldaptive.LdapAttribute@-384702864::name=uid, values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication  Principal attribute [org.ldaptive.LdapAttribute@-384702864::name=uid, values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false] is virtually remapped/renamed to [uid]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication  Found principal attribute: [org.ldaptive.LdapAttribute@-1753954665::name=userStatus, values=[ACTIVE], binary=false]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication  Principal attribute [org.ldaptive.LdapAttribute@-1753954665::name=userStatus, values=[ACTIVE], binary=false] is virtually remapped/renamed to [userStatus]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication  Found principal attribute: [org.ldaptive.LdapAttribute@-1505406878::name=tryCount, values=[0:1626509309221], binary=false]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication  Principal attribute [org.ldaptive.LdapAttribute@-1505406878::name=tryCount, values=[0:1626509309221], binary=false] is virtually remapped/renamed to [tryCount]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication  Found principal attribute: [org.ldaptive.LdapAttribute@-397428133::name=cn, values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication  Principal attribute [org.ldaptive.LdapAttribute@-397428133::name=cn, values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false] is virtually remapped/renamed to [CN]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication  Found principal attribute: [org.ldaptive.LdapAttribute@-930300140::name=email, values=[TX...@test.com], binary=false]
2021-07-17 01:33:30 [INFO] com.mig.sso.authentication.MigLdapHandlerAuthentication  Principal attribute [org.ldaptive.LdapAttribute@-930300140::name=email, values=[TX...@test.com], binary=false] is virtually remapped/renamed to [email]
2021-07-17 01:33:30 [INFO] com.mig.sso.authentication.MigLdapHandlerAuthentication  Created LDAP principal for id [TX...@test.com] and [5] attributes

2021-07-17 01:33:31 [INFO] org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager  Audit trail record BEGIN
=============================================================
WHAT: ST-1-l59MuWtx-WFlDsTQi42nww2riqQ-braxlcpa211 for https://qa5-ex.insurance.com/home/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat Jul 17 01:33:31 PDT 2021
CLIENT IP ADDRESS: 10.34.ss.30
SERVER IP ADDRESS: 10.34.xxx.53
=============================================================


2021-07-17 01:33:31 [INFO] org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager  Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://qa5-cp.mercuryinsurance.com/c...,principal=SimplePrincipal(id=TX...@test.com, attributes={CN=[8886927f-ea0f-4129-8097-b72e52a58591], uid=[8886927f-ea0f-4129-8097-b72e52a58591]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Jul 17 01:33:31 PDT 2021
CLIENT IP ADDRESS: 10.34.xx.6
SERVER IP ADDRESS: 10.34.xxx.53
=============================================================


2021-07-17 01:35:26 [INFO] org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager  Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://brextt051.int.mgc.com:11111...,principal=SimplePrincipal(id=TX...@test.com, attributes={uid=[6666927f-ea0f-4129-8097-b72e52a58591], userStatus=[ACTIVE], tryCount=[0:1626509309221], CN=[6666927f-ea0f-4129-8097-b72e52a58591], email=[TX...@test.com]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Jul 17 01:35:26 PDT 2021
CLIENT IP ADDRESS: 10.34.xx.30
SERVER IP ADDRESS: 10.34.xxx.55
=============================================================


I will be really grateful if someone helps me with the fix.

Regards,
Anusuya.
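One way to confirm from the logs whether the same principal is being released different attribute values by different cluster nodes, before touching the configuration: parse the SERVICE_ACCESS_ENFORCEMENT_TRIGGERED audit records and group the released attribute by SERVER IP ADDRESS. This is an added example, not code from the thread or from CAS; it assumes the Inspektr audit record layout quoted above, and the sample records and values below are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample records in the layout of the CAS (Inspektr) audit trail
# quoted in the thread; hosts, principal ids and uid values are placeholders.
SAMPLE_AUDIT_LOG = """\
Audit trail record BEGIN
WHAT: [result=Service Access Granted,service=https://app.example.com/home/,principal=SimplePrincipal(id=user1@example.com, attributes={CN=[aaaa-1111], uid=[aaaa-1111]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
SERVER IP ADDRESS: 10.0.0.53
=============================================================
Audit trail record BEGIN
WHAT: [result=Service Access Granted,service=https://app.example.com/home/,principal=SimplePrincipal(id=user1@example.com, attributes={uid=[bbbb-2222], userStatus=[ACTIVE], CN=[bbbb-2222], email=[user1@example.com]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
SERVER IP ADDRESS: 10.0.0.55
=============================================================
Audit trail record BEGIN
WHAT: [result=Service Access Granted,service=https://app.example.com/home/,principal=SimplePrincipal(id=user2@example.com, attributes={uid=[cccc-3333]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
SERVER IP ADDRESS: 10.0.0.55
=============================================================
"""

PRINCIPAL_RE = re.compile(r"principal=SimplePrincipal\(id=([^,]+), attributes=\{(.*?)\}\)")
ATTR_RE = re.compile(r"(\w+)=\[([^\]]*)\]")          # name=[v1, v2] pairs inside attributes={...}
SERVER_RE = re.compile(r"^SERVER IP ADDRESS:\s*(\S+)", re.M)

def parse_access_records(log_text):
    """Yield (server_ip, principal_id, attributes) for each service-access audit record."""
    for rec in log_text.split("Audit trail record BEGIN")[1:]:
        if "ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" not in rec:
            continue
        m, s = PRINCIPAL_RE.search(rec), SERVER_RE.search(rec)
        if not (m and s):
            continue  # record is truncated or not a principal release; skip it
        attrs = {k: v.split(", ") for k, v in ATTR_RE.findall(m.group(2))}
        yield s.group(1), m.group(1), attrs

def find_inconsistent(log_text, attribute="uid"):
    """Return {principal: {server_ip: value}} for principals whose attribute differs across nodes."""
    seen = defaultdict(dict)
    for server, principal, attrs in parse_access_records(log_text):
        if attribute in attrs:
            seen[principal][server] = attrs[attribute][0]
    return {p: by_srv for p, by_srv in seen.items() if len(set(by_srv.values())) > 1}

if __name__ == "__main__":
    for principal, by_server in find_inconsistent(SAMPLE_AUDIT_LOG).items():
        print(principal, by_server)
```

Run it against the real audit log (with the timestamps left in place; the split key is the "Audit trail record BEGIN" text) and a non-empty result pinpoints which node released the divergent value, which is what the DEBUG loggers suggested later in the thread then explain.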

Ray Bon

Jul 19, 2021, 12:59:06 PM
to cas-...@apereo.org
Anusuya,

Hazelcast instance-name would be the same for all hosts in the cluster, say 'casProd'. I do not think that is related to your issue.

What does your service define as a unique identifier (you use email as the lookup)?


Ray


On Sun, 2021-07-18 at 10:33 -0700, Morning Star wrote:

Morning Star

Jul 20, 2021, 1:16:42 AM
to CAS Community, Ray Bon
Hi Ray,

Thanks for your response.
Yes, we use email as the unique identifier.

Please find my service definition below:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https?|imaps?):\/\/(([A-Za-z0-9_-]+.)*insurance.com\/.*)",
  "name" : "web",
  "description" : "Allows HTTP(S) and IMAP(S) protocols", 
  "id" : 10000001,
  "evaluationOrder" : 1,
  "usernameAttribute" : "email",
  "attributeReleasePolicy": {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "CN", "email", "uid" ] ]
  },
  "logoutType" : "BACK_CHANNEL"
}

Ray Bon

Jul 21, 2021, 12:27:55 PM
to anusu...@gmail.com, cas-...@apereo.org
Anusuya,

Try these loggers to see if CAS is changing the attribute or if that is what is returned to CAS from the attribute source.

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>
        <!-- DEBUG Created seed map='{username=[loginname]}' for uid='loginname' -->
        <!-- DEBUG Query value will be indeterminate due to multiple attributes and no username indicator. -->
        <AsyncLogger name="org.apereo.services.persondir.support.ldap.LdaptivePersonAttributeDao" level="debug" includeLocation="true"/>

Ray