OIDC provider multi node ST VALIDATE FAILED after ST VALIDATE SUCCESS


Jérôme Steve

Jan 3, 2020, 5:37:46 AM
to CAS Community

Hello,

First of all, thanks for your work.
We are using the CAS overlay in a multi-node architecture (Docker containers) behind a load balancer and a proxy, with a memcached service registry.

Everything works fine, but when we use it as an OIDC provider I get a ticket validation failure after this URL has been called twice:
https://********/cas/oauth2.0/callbackAuthorize?client_id=*******&redirect_uri=https%3A%2F%2F*****************%2Fopenid_connect_login&response_type=code&client_name=***********&ticket=ST-7-ePqBOIW6mBH0rhSBR2o5LAkD1oA-246dcb0736d7
This happens ONLY in a multi-node architecture (2 or 3 nodes). When I have only one node everything works fine and the CAS server does not try to validate the ST more than once.

For your information, if I raise the value of cas.ticket.st.numberOfUses to x, the nodes validate the ST x times (after cas/callbackAuthorize has been called x times) and fail to validate it at the end.


Log from node 1 :

2020-01-03 10:53:49,695 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://***********************/ca...,principal=SimplePrincipal(id=124055, attributes={code=[124055], adresse=[*************************], idProfilSelectionne=[*******], telephone=[], etat=[ACTIF], nom=[******], prenom=[******], email=[***********************]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Jan 03 10:53:49 CET 2020
CLIENT IP ADDRESS: ************
SERVER IP ADDRESS: ************
=============================================================

>
2020-01-03 10:53:49,717 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Jan 03 10:53:49 CET 2020,source=DefaultCasDelegatingWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Jan 03 10:53:49 CET 2020
CLIENT IP ADDRESS: ************
SERVER IP ADDRESS: ************
=============================================================

>
2020-01-03 10:53:49,738 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://*************************...,requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Jan 03 10:53:49 CET 2020
CLIENT IP ADDRESS: ************
SERVER IP ADDRESS: ************
=============================================================

>
2020-01-03 10:53:49,770 INFO [org.apereo.cas.DefaultCentralAuthenticationService] - <Granted service ticket [ST-7-ePqBOIW6mBH0rhSBR2o5LAkD1oA-246dcb0736d7] for service [https://********************************/openid_connect_login] and principal [124055]>
2020-01-03 10:53:49,771 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: 124055
WHAT: ST-7-ePqBOIW6mBH0rhSBR2o5LAkD1oA-246dcb0736d7 for https://***********************/cas/oauth2.0/callbackAuthorize?client_id=demoClientOIDC&redirect_uri=https%3A%2F%2Fdeve...
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jan 03 10:53:49 CET 2020
CLIENT IP ADDRESS: ************
SERVER IP ADDRESS: ************
=============================================================

>
2020-01-03 10:53:52,859 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://*************************...,principal=SimplePrincipal(id=124055, attributes={phone_number=[], address=[*************************], selected_profil=[*******], email=[***********************]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Jan 03 10:53:52 CET 2020
CLIENT IP ADDRESS: ************
SERVER IP ADDRESS: ************
=============================================================

>
2020-01-03 10:53:52,869 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: 124055
WHAT: ST-7-ePqBOIW6mBH0rhSBR2o5LAkD1oA-246dcb0736d7 for https://***********************/cas/oauth2.0/callbackAuthorize?client_id=demoClientOIDC&redirect_uri=https%3A%2F%2Fdeve...
ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
APPLICATION: CAS
WHEN: Fri Jan 03 10:53:52 CET 2020
CLIENT IP ADDRESS: ************
SERVER IP ADDRESS: ************
=============================================================

>



Log from node 2 :

2020-01-03 10:53:57,220 WARN [org.apereo.cas.DefaultCentralAuthenticationService] - <Service ticket [ST-7-ePqBOIW6mBH0rhSBR2o5LAkD1oA-246dcb0736d7] does not exist.>
2020-01-03 10:53:57,221 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-7-ePqBOIW6mBH0rhSBR2o5LAkD1oA-246dcb0736d7 for https://************************/cas/oauth2.0/callbackAuthorize?client_id=demoClientOIDC&redirect_uri=https%3A%2F%2F***...
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Fri Jan 03 10:53:57 CET 2020
CLIENT IP ADDRESS: ************
SERVER IP ADDRESS: *************
=============================================================

>
2020-01-03 10:53:57,246 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [/cas] threw exception [Request processing failed; nested exception is RootCasException(super=org.apereo.cas.ticket.InvalidTicketException, code=INVALID_TICKET, args=[])] with root cause>
org.apereo.cas.ticket.InvalidTicketException: null
 at org.apereo.cas.DefaultCentralAuthenticationService.validateServiceTicket(DefaultCentralAuthenticationService.java:255) ~[cas-server-core-6.1.2.jar!/:6.1.2]
 at org.apereo.cas.DefaultCentralAuthenticationService$$FastClassBySpringCGLIB$$b02e48f2.invoke(<generated>) ~[cas-server-core-6.1.2.jar!/:6.1.2]
 at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:769) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:747) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:135) ~[inspektr-audit-1.8.6.GA.jar!/:1.8.6.GA]
 at jdk.internal.reflect.GeneratedMethodAccessor162.invoke(Unknown Source) ~[?:?]
 at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
 at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
 at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:644) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:633) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:747) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.transaction.interceptor.TransactionInterceptor$$Lambda$1082.000000005CF3F5B0.proceedWithInvocation(Unknown Source) ~[?:?]
 at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:353) ~[spring-tx-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:99) ~[spring-tx-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:747) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:93) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:747) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:689) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apereo.cas.DefaultCentralAuthenticationService$$EnhancerBySpringCGLIB$$74df0efb.validateServiceTicket(<generated>) ~[cas-server-core-6.1.2.jar!/:6.1.2]
 at org.apereo.cas.support.oauth.profile.CasServerApiBasedTicketValidator.validate(CasServerApiBasedTicketValidator.java:26) ~[cas-server-support-oauth-core-api-6.1.2.jar!/:6.1.2]
 at org.pac4j.cas.credentials.authenticator.CasAuthenticator.validate(CasAuthenticator.java:72) ~[pac4j-cas-4.0.0-RC1.jar!/:?]
 at org.pac4j.cas.credentials.authenticator.CasAuthenticator.validate(CasAuthenticator.java:31) ~[pac4j-cas-4.0.0-RC1.jar!/:?]
 at org.pac4j.core.client.BaseClient.lambda$retrieveCredentials$0(BaseClient.java:65) ~[pac4j-core-4.0.0-RC1.jar!/:?]
 at org.pac4j.core.client.BaseClient$$Lambda$1368.000000006CEA5EC0.accept(Unknown Source) ~[?:?]
 at java.util.Optional.ifPresent(Optional.java:183) ~[?:?]
 at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:62) ~[pac4j-core-4.0.0-RC1.jar!/:?]
 at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:137) ~[pac4j-core-4.0.0-RC1.jar!/:?]
 at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:94) ~[pac4j-core-4.0.0-RC1.jar!/:?]
 at org.apereo.cas.support.oauth.web.endpoints.OAuth20CallbackAuthorizeEndpointController.handleRequest(OAuth20CallbackAuthorizeEndpointController.java:48) ~[cas-server-support-oauth-core-api-6.1.2.jar!/:6.1.2]
 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
 at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
 at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
 at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:279) ~[spring-core-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.0.RC1.jar!/:2.2.0.RC1]
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:747) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:689) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apereo.cas.support.oauth.web.endpoints.OAuth20CallbackAuthorizeEndpointController$$EnhancerBySpringCGLIB$$d78312e8.handleRequest(<generated>) ~[cas-server-support-oauth-core-api-6.1.2.jar!/:6.1.2]
 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
 at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
 at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
 at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:106) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:888) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:793) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) ~[javax.servlet-api-4.0.1.jar!/:4.0.1]
 at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) ~[javax.servlet-api-4.0.1.jar!/:4.0.1]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apereo.cas.web.support.AuthenticationCredentialsThreadLocalBinderClearingFilter.doFilter(AuthenticationCredentialsThreadLocalBinderClearingFilter.java:28) ~[cas-server-core-web-api-6.1.2.jar!/:6.1.2]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apereo.cas.web.support.filters.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:411) ~[cas-server-core-web-api-6.1.2.jar!/:6.1.2]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apereo.cas.web.support.filters.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:215) ~[cas-server-core-web-api-6.1.2.jar!/:6.1.2]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apereo.cas.web.support.filters.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:67) ~[cas-server-core-web-api-6.1.2.jar!/:6.1.2]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:157) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108) ~[spring-boot-actuator-2.2.0.RELEASE.jar!/:2.2.0.RELEASE]
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:99) ~[cas-server-core-logging-6.1.2.jar!/:6.1.2]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66) ~[inspektr-common-1.8.6.GA.jar!/:1.8.6.GA]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) ~[tomcat-embed-core-9.0.27.jar!/:9.0.27]
 at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) ~[tomcat-embed-core-9.0.27.jar!/:9.0.27]
 at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) ~[tomcat-embed-core-9.0.27.jar!/:9.0.27]
 at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1579) ~[tomcat-embed-core-9.0.27.jar!/:9.0.27]
 at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.27.jar!/:9.0.27]
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
 at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.27.jar!/:9.0.27]
 at java.lang.Thread.run(Thread.java:831) [?:?]
2020-01-03 10:53:57.504 INFO net.spy.memcached.MemcachedConnection: Setting retryQueueSize to -1
2020-01-03 10:53:57.505 INFO net.spy.memcached.MemcachedConnection: Added {QA sa=************************/************:11211, #Rops=0, #Wops=0, #iq=0, topRop=null, topWop=null, toWrite=0, interested=0} to connect queue




Sorry for my English and thanks in advance for your help.

Jérôme.

Ray Bon

Jan 3, 2020, 1:26:07 PM
to cas-...@apereo.org
Jérôme,

The failure on node 2 is because the client application submitted the ST a second time (in your case 5 s later).
The ST was validated on node 1.

I have not used OIDC. There may be some further communication that happens after the ST is validated (this happens with proxy tickets). Check access logs for all applications involved.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
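Ray's "check access logs for all applications involved" is the right next step, but the three ST records already quoted above carry enough to establish the sequence on their own. What follows is an added example for this thread, not code from CAS or inspektr: a small correlator that parses inspektr audit records from each node's log, groups them by service ticket ID, and explains every SERVICE_TICKET_VALIDATE_FAILED by what happened to the same ticket earlier on any node. It assumes the default one-line "LABEL: value" layout of Slf4jLoggingAuditTrailManager (the copy quoted above has labels and values split by the mailing-list export) and keys records on the log4j header timestamp rather than the WHEN field, so it does not depend on the JVM's time-zone name. The sample records are constructed (hostname is a placeholder, the ticket ID is the one from the thread) and reproduce the three events above: created on node 1 at 10:53:49, validated on node 1 at 10:53:52, rejected on node 2 at 10:53:57.

```python
"""Correlate CAS/inspektr audit records from several nodes by service ticket ID.
Added example for this thread, not CAS or inspektr code. Assumes the default
"LABEL: value" one-line layout of Slf4jLoggingAuditTrailManager and keys records on
the log4j header timestamp rather than WHEN (no dependence on the JVM's zone name)."""
import re
from collections import defaultdict
from datetime import datetime

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*<Audit trail record BEGIN", re.M)
FIELD = re.compile(r"^(WHO|WHAT|ACTION|APPLICATION|WHEN|CLIENT IP ADDRESS|SERVER IP ADDRESS): ?(.*)$", re.M)
TICKET = re.compile(r"^(ST-\S+) for ")  # WHAT of SERVICE_TICKET_* records reads "<id> for <service>"

# Constructed sample, abbreviated to the fields used below and modelled on the three
# ST records in the thread; the host is a placeholder, the ticket ID is the thread's.
SAMPLE_LOGS = {
    "node1": """\
2020-01-03 10:53:49,771 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: 124055
WHAT: ST-7-ePqBOIW6mBH0rhSBR2o5LAkD1oA-246dcb0736d7 for https://cas.example.org/cas/oauth2.0/callbackAuthorize?client_id=demoClientOIDC
ACTION: SERVICE_TICKET_CREATED
WHEN: Fri Jan 03 10:53:49 CET 2020
=============================================================

>
2020-01-03 10:53:52,869 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: 124055
WHAT: ST-7-ePqBOIW6mBH0rhSBR2o5LAkD1oA-246dcb0736d7 for https://cas.example.org/cas/oauth2.0/callbackAuthorize?client_id=demoClientOIDC
ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
WHEN: Fri Jan 03 10:53:52 CET 2020
=============================================================

>
""",
    "node2": """\
2020-01-03 10:53:57,221 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-7-ePqBOIW6mBH0rhSBR2o5LAkD1oA-246dcb0736d7 for https://cas.example.org/cas/oauth2.0/callbackAuthorize?client_id=demoClientOIDC
ACTION: SERVICE_TICKET_VALIDATE_FAILED
WHEN: Fri Jan 03 10:53:57 CET 2020
=============================================================

>
""",
}


def parse_audit_log(text, node):
    """Yield one dict per audit record; 'ticket' is None unless WHAT names a service ticket."""
    heads = list(HEADER.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        fields = {k: v.strip() for k, v in FIELD.findall(text[head.end():end])}
        match = TICKET.match(fields.get("WHAT", ""))
        yield {"node": node,
               "ts": datetime.strptime(head.group(1), "%Y-%m-%d %H:%M:%S,%f"),
               "action": fields.get("ACTION", ""),
               "ticket": match.group(1) if match else None}


def correlate(node_logs):
    """Group ST events across nodes and explain every SERVICE_TICKET_VALIDATE_FAILED."""
    by_ticket = defaultdict(list)
    for node, text in node_logs.items():
        for rec in parse_audit_log(text, node):
            if rec["ticket"]:
                by_ticket[rec["ticket"]].append(rec)
    report = {}
    for ticket, events in by_ticket.items():
        events.sort(key=lambda e: e["ts"])
        findings = []
        for i, ev in enumerate(events):
            if ev["action"] != "SERVICE_TICKET_VALIDATE_FAILED":
                continue
            before = events[:i]
            ok = [e for e in before if e["action"] == "SERVICE_TICKET_VALIDATE_SUCCESS"]
            created = [e for e in before if e["action"] == "SERVICE_TICKET_CREATED"]
            if ok:  # the ST was already consumed: a second submission of a single-use ticket
                gap = (ev["ts"] - ok[-1]["ts"]).total_seconds()
                findings.append(f"resubmitted: validated on {ok[-1]['node']} {gap:.1f}s earlier, "
                                f"second submission rejected by {ev['node']}")
            elif created:  # never validated anywhere: the validating node could not see the ticket
                findings.append(f"unseen: created on {created[-1]['node']}, rejected by {ev['node']} "
                                f"without any successful validation; check the registry is shared")
            else:
                findings.append("unknown: no creation record for this ticket in the supplied logs")
        report[ticket] = {"timeline": [(e["ts"].strftime("%H:%M:%S"), e["node"], e["action"]) for e in events],
                          "findings": findings}
    return report


if __name__ == "__main__":
    for ticket, result in correlate(SAMPLE_LOGS).items():
        print(ticket, *result["timeline"], *result["findings"], sep="\n  ")
```

Run against the sample, the only finding is "resubmitted: validated on node1 4.4s earlier, second submission rejected by node2", which is Ray's reading of the logs. The "unseen" branch is the other case worth distinguishing when a node fails a ticket another node issued: no node ever validated it, which points at a registry that is not actually shared rather than at a client replay.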

Jérôme Steve

Jan 7, 2020, 11:02:30 AM
to CAS Community
Hi Ray,

Thanks for your reply. So you think the problem comes from my OIDC client app? Or maybe from my load balancer and/or my proxy?

Because if I update the CAS servers' configuration to
cas.ticket.st.numberOfUses=10

the ST is validated 10 times and then FAILS (of course that is the normal flow). But why does it try to validate it so many times!?

And also, with one node everything works fine:

1. The URL
https://***********************/cas/oauth2.0/callbackAuthorize validates the ST
2. And the client is redirected to
https://***********************/cas/oauth2.0/authorize
3. The user authorizes his scopes and is redirected to the client app.

But in multi-node I have a loop on step 1. I don't know why.
I will check my access logs tomorrow if I can.

Thanks,
Jérôme.

Ray Bon

Jan 7, 2020, 11:50:00 AM
to cas-...@apereo.org
Jérôme,

How are tickets being stored?

All CAS nodes need access to the tickets. In a multi-node architecture, request 1 goes to node 1, request 2 goes to node 2, etc. (round-robin load balancer). At the load balancer, login is request 1, but ticket validation is request 2 (it comes from the client application).
I assumed that the logs you presented were from a single login attempt. Is that the case? Or did you set up multiple nodes between the logs from node 1 and node 2?

Ray
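The stack trace in the first message shows where that second request is handled: OAuth20CallbackAuthorizeEndpointController hands it to pac4j's CasAuthenticator, which calls DefaultCentralAuthenticationService.validateServiceTicket in-process on whichever node received the browser's callbackAuthorize request. So the node that served the login issues the ST and the node that serves the callback consumes it, and those are two separate requests through the balancer. The following is an added example, not CAS code, that models exactly that and nothing more: a round-robin balancer, a ticket registry that is either one object shared by all nodes (standing in for memcached) or private to each node, the binding of an ST to the service it was issued for, and cas.ticket.st.numberOfUses. Node names, the placeholder service URL and the principal are assumptions of the example.

```python
"""Model of a load-balanced CAS cluster validating a single-use service ticket.
Added example for this thread, not CAS code. It models only what the thread discusses:
a round-robin balancer, a registry that is shared (memcached-style) or per node, the
binding of an ST to its service, and cas.ticket.st.numberOfUses."""
import itertools
import secrets


class InvalidTicketException(Exception):
    """Raised when the ST is unknown, already spent, or bound to another service (CAS: INVALID_TICKET)."""


class TicketRegistry:
    """Minimal ST store. One instance handed to every node stands in for memcached;
    one instance per node stands in for a node-local in-memory registry."""

    def __init__(self):
        self._st = {}

    def add(self, ticket_id, service, principal, uses):
        self._st[ticket_id] = {"service": service, "principal": principal, "uses_left": uses}

    def get(self, ticket_id):
        return self._st.get(ticket_id)

    def delete(self, ticket_id):
        self._st.pop(ticket_id, None)


class CasNode:
    def __init__(self, name, registry, number_of_uses=1):
        self.name, self.registry, self.number_of_uses = name, registry, number_of_uses
        self._seq = itertools.count(1)

    def grant_service_ticket(self, principal, service):
        # Same shape as the IDs in the thread: ST-<seq>-<random>-<issuing host>
        ticket_id = f"ST-{next(self._seq)}-{secrets.token_urlsafe(20)}-{self.name}"
        self.registry.add(ticket_id, service, principal, self.number_of_uses)
        return ticket_id

    def validate_service_ticket(self, ticket_id, service):
        entry = self.registry.get(ticket_id)
        if entry is None:
            raise InvalidTicketException(f"{self.name}: service ticket [{ticket_id}] does not exist")
        if entry["service"] != service:  # an ST is only good for the service it was issued to
            raise InvalidTicketException(f"{self.name}: [{ticket_id}] was not issued for {service}")
        entry["uses_left"] -= 1
        if entry["uses_left"] <= 0:  # spent: every later submission must fail on every node
            self.registry.delete(ticket_id)
        return entry["principal"]


def simulate(shared_registry, number_of_uses, submissions, nodes=2):
    """Log in once, then submit the same ST `submissions` times through a round-robin
    balancer. Returns one outcome per submission: "ok" or "INVALID_TICKET"."""
    if shared_registry:
        registries = [TicketRegistry()] * nodes  # deliberately the same object for every node
    else:
        registries = [TicketRegistry() for _ in range(nodes)]
    balancer = itertools.cycle(
        CasNode(f"node{i + 1}", registries[i], number_of_uses) for i in range(nodes))
    service = "https://cas.example.org/cas/oauth2.0/callbackAuthorize?client_id=demoClientOIDC"
    # Request 1 (the login/authorize round trip) lands on the first node, which issues the ST.
    ticket_id = next(balancer).grant_service_ticket("124055", service)
    outcomes = []
    for _ in range(submissions):
        node = next(balancer)  # each callbackAuthorize hit is a fresh request to the balancer
        try:
            node.validate_service_ticket(ticket_id, service)
            outcomes.append("ok")
        except InvalidTicketException:
            outcomes.append("INVALID_TICKET")
    return outcomes


if __name__ == "__main__":
    print("shared registry, 1 use, submitted twice :", simulate(True, 1, 2))
    print("shared registry, 10 uses, submitted 11x :", simulate(True, 10, 11))
    print("per-node registry, 1 use, submitted 2x  :", simulate(False, 1, 2))
```

With the shared registry and numberOfUses=1 the sequence is ["ok", "INVALID_TICKET"] whichever node gets the second hit, which is what the two logs above show (success on node 1 at :52, "does not exist" on node 2 at :57). With per-node registries the first validation already fails when it lands on the node that did not issue the ticket, and the outcomes then alternate with the balancer, which is the symptom to expect if the registry is not actually shared. Raising numberOfUses to 10 only moves the failure to the 11th submission and gives up the one-time property of the ST, so it is a diagnostic knob, not a fix; the question remains why the callback is being submitted more than once.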
//*************************...
,requiredAttributes={}]

ACTION
:
 SERVICE_ACCESS_ENFORCEMENT_
TRIGGERED

APPLICATION
:
 CAS

WHEN
:
 
Fri
 
Jan
 
03
 
10
:
53
:
49
 CET 
2020

CLIENT IP ADDRESS
:
 
************

SERVER IP ADDRESS
:
 
************

==============================
==============================
=


>


WHO
:
 audit
:
unknown

WHAT
:
 
[
result
=
Service
 
Access
 
Granted
,
service
=
https
:
//*************************...
,principal=SimplePrincipal(id=
124055, attributes={phone_number=[], address=[*********************

WHO
:
 
124055

WHAT
:
 ST
-
7
-
ePqBOIW6mBH0rhSBR2o5LAkD1oA
-
246dcb0736d7
 
for
 https
:
//***********************/cas/
oauth2.0/callbackAuthorize?
client_id=demoClientOIDC&
redirect_uri=https%3A%2F%
2Fdeve...

ACTION
:
 SERVICE_TICKET_VALIDATE_
SUCCESS

APPLICATION
:
 CAS

WHEN
:
 
Fri
 
Jan
 
03
 
10
:
53
:
52
 CET 
2020

CLIENT IP ADDRESS
:
 
************

SERVER IP ADDRESS
:
 
************

==============================
==============================
=


>




Log from node 2 :


proceedWithInvocation(Unknown Source) ~[?:?]
 at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:353) ~[spring-tx-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:99) ~[spring-tx-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:747) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:93) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:747) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:689) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apereo.cas.DefaultCentralAuthenticationService$$EnhancerBySpringCGLIB$$74df0efb.validateServiceTicket(<generated>) ~[cas-server-core-6.1.2.jar!/:6.1.2]
 at org.apereo.cas.support.oauth.profile.CasServerApiBasedTicketValidator.validate(CasServerApiBasedTicketValidator.java:26) ~[cas-server-support-oauth-core-api-6.1.2.jar!/:6.1.2]
 at org.pac4j.cas.credentials.authenticator.CasAuthenticator.validate(CasAuthenticator.java:72) ~[pac4j-cas-4.0.0-RC1.jar!/:?]
 at org.pac4j.cas.credentials.authenticator.CasAuthenticator.validate(CasAuthenticator.java:31) ~[pac4j-cas-4.0.0-RC1.jar!/:?]
 at org.pac4j.core.client.BaseClient.lambda$retrieveCredentials$0(BaseClient.java:65) ~[pac4j-core-4.0.0-RC1.jar!/:?]
 at org.pac4j.core.client.BaseClient$$Lambda$1368.000000006CEA5EC0.accept(Unknown Source) ~[?:?]
 at java.util.Optional.ifPresent(java:43) ~[?:?]
 at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
 at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:279) ~[spring-core-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.0.RC1.jar!/:2.2.0.RC1]
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:747) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:689) ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apereo.cas.support.oauth.web.endpoints.OAuth20CallbackAuthorizeEndpointController$$EnhancerBySpringCGLIB$$d78312e8.handleRequest(<generated>) ~[cas-server-support-oauth-core-api-6.1.2.jar!/:6.1.2]
 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
 at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
 at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
 at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:106) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:888) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:793) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) ~[javax.servlet-api-4.0.1.jar!/:4.0.1]
 at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) ~[javax.servlet-api-4.0.1.jar!/:4.0.1]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:
filters.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:411) ~[cas-server-core-web-api-6.1.2.jar!/:6.1.2]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apereo.cas.web.support.filters.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:215) ~[cas-server-core-web-api-6.1.2.jar!/:6.1.2]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apereo.cas.web.support.filters.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:67) ~[cas-server-core-web-api-6.1.2.jar!/:6.1.2]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:157) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108) ~[spring-boot-actuator-2.2.0.RELEASE.jar!/:2.2.0.RELEASE]
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:99) ~[cas-server-core-logging-6.1.2.jar!/:6.1.2]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66) ~[inspektr-common-1.8.6.GA.jar!/:1.8.6.GA]
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-catalina-9.0.27.jar!/:9.0.27]
 at org.apache.catalina.core.StandardWrapperValve.invoke(

Jérôme Steve

unread,
Jan 15, 2020, 11:13:32 AM1/15/20
to CAS Community
Hi Ray,

Thanks for your reply (and sorry for my latency ...)

So I store tickets in a memcached ticket registry (all works fine).
My logs come from TWO different nodes (exactly 2 containers in the same stack behind a load balancer).

I understand what you're saying about the round robin load balancer, but I don't think it's the problem.

So my problem is that when I'm in a multi node architecture (2 or 3, no matter) the cas/oauth2.0/callbackAuthorize URL loops on itself and after looping N times (N corresponding to the property
cas.ticket.st.numberOfUses=N) ST validation fails (that is normal and is not my problem, it's the normal way).

My problem is: why this loop?
In the same environment, but in single node (one container only in the same stack behind the same load balancer) I don't have this loop. The
cas/oauth2.0/callbackAuthorize URL redirects to /oidc/authorize?client_id= normally.

I'm trying to debug that but it's not easy.

I hope I can make myself understood :) Thanks for your help!

Jérôme.


Ray Bon

unread,
Jan 16, 2020, 12:37:16 PM1/16/20
to cas-...@apereo.org
Jérôme,

I have not used memcached so I do not know its workings. A problem we had with ehcache (replicated cache) was that replication was too slow. The request for validation came in before the ticket was replicated to the other servers, so it was never found. We switched to hazelcast (not replicated) and all has been good.

It is possible to use cURL to help debug this. Increase the ST lifetime (say, a few minutes) so that you can perform some manual steps, https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#service-tickets-behavior

1. add a fake service to the registry for testing (you do not want the ST to be sent by the service)
2. access the service in your browser (or maybe from cURL), https://cashost.com/cas/login?service=https://possum.com/fake (browser returns 404)
3. copy ST from URL
4. check that the ST exists in all memcached stores
5. use cURL (maybe as POST) to submit ST for validation, https://cashost.com/cas/serviceValidate?service=https://possum.com/fake&ticket=ST-...

You will want to turn logging up (debug or trace) for CAS, and memcached. Also check access logs.

Ray
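Ray's manual cURL procedure, as an added example script that is not part of the thread or of the CAS project: it submits a service ticket to each CAS node's /cas/serviceValidate endpoint directly (node by node, bypassing the load balancer) and classifies each node's answer, so an operator can see which node recognises the ticket. The node URLs, the fake service URL (Ray's https://possum.com/fake) and the ticket value are assumptions passed on the command line; the XML bodies embedded at the bottom are constructed for the offline self-check, not captured from a server.

```shell
#!/bin/sh
# Added example, not code from the thread or the CAS project: run the manual
# ST check from the post above against each CAS node directly (bypassing the
# load balancer) and classify what each node answers. Node URLs, the fake
# service URL and the ticket value are assumptions passed on the command line.

# classify_response XML
#   Reads a /cas/serviceValidate XML body and prints one of:
#   "SUCCESS <user>", "FAILURE <code>" (e.g. INVALID_TICKET) or "UNKNOWN"
#   (non-CAS body such as a proxy error page).
classify_response() {
  xml="$1"
  if printf '%s\n' "$xml" | grep -q '<cas:authenticationSuccess>'; then
    user=$(printf '%s\n' "$xml" \
      | sed -n 's/.*<cas:user>\([^<]*\)<\/cas:user>.*/\1/p' | head -n 1)
    printf 'SUCCESS %s\n' "$user"
  elif printf '%s\n' "$xml" | grep -q '<cas:authenticationFailure'; then
    code=$(printf '%s\n' "$xml" \
      | sed -n 's/.*<cas:authenticationFailure code="\([^"]*\)".*/\1/p' | head -n 1)
    printf 'FAILURE %s\n' "$code"
  else
    printf 'UNKNOWN\n'
  fi
}

# validate_on_node NODE_BASE_URL SERVICE TICKET
#   Submits the ST to one node's /cas/serviceValidate and classifies the reply.
#   NODE_BASE_URL must address the node itself (host:port), not the balancer.
validate_on_node() {
  node="$1"; service="$2"; ticket="$3"
  xml=$(curl -sS -G "$node/cas/serviceValidate" \
          --data-urlencode "service=$service" \
          --data-urlencode "ticket=$ticket")
  classify_response "$xml"
}

# Constructed sample bodies for the offline self-check (not captured from a
# real CAS server); the ticket id in the failure message is a placeholder.
SAMPLE_SUCCESS='<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>124055</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>'

SAMPLE_FAILURE='<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-PLACEHOLDER not recognized</cas:authenticationFailure>
</cas:serviceResponse>'

# Usage: sh check_st.sh SERVICE TICKET NODE_URL [NODE_URL...]
#   e.g. sh check_st.sh https://possum.com/fake ST-... https://cas-node1:8443 https://cas-node2:8443
# With no arguments only the offline self-check runs.
if [ "$#" -ge 3 ]; then
  service="$1"; ticket="$2"; shift 2
  for node in "$@"; do
    printf '%s: ' "$node"
    validate_on_node "$node" "$service" "$ticket"
  done
else
  printf 'self-check: %s / %s\n' \
    "$(classify_response "$SAMPLE_SUCCESS")" "$(classify_response "$SAMPLE_FAILURE")"
fi
```

Read the results with the ticket's use count in mind: a successful validation consumes one use, and with the default cas.ticket.st.numberOfUses a SUCCESS on the first node checked followed by FAILURE INVALID_TICKET on the second is the expected outcome, not evidence of a replication problem. Either raise that property for the duration of the test (as Ray suggests for the lifetime) or obtain a fresh ST before each node. A FAILURE on the very first node queried, or a success only on the node that issued the ticket, is the signature of a registry that is not sharing tickets between nodes.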

Jérôme Steve

unread,
Feb 3, 2020, 12:18:57 PM2/3/20
to CAS Community
Hi Ray,

After some investigation, I found the problem.

I have to replicate the httpSession for High Availability (multi node) when my CAS server acts as an OpenID Connect Provider ...

If you know how to do it, you are my guest :) (I have my own view on that but I'm curious to have another view).

Thanks for your help,
Jérôme.

Ray Bon

unread,
Feb 3, 2020, 12:40:59 PM2/3/20
to cas-...@apereo.org
Jérôme,


Ray

Hal Deadman

unread,
Feb 4, 2020, 11:34:05 AM2/4/20
to CAS Community
Jerome, did you find out what specifically CAS is storing in the http session for OIDC that needs to be replicated? I think I have seen the same issue in my deployment where OIDC wasn't working in an active/active CAS cluster but I haven't had a chance to track down the cause. 

- Hal

Travis Schmidt

unread,
Feb 4, 2020, 11:57:05 AM2/4/20
to CAS Community
I thought we got rid of the shared session requirement starting with CAS versions 6.1.x+?  What specific version are you running? 

Travis

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/86fd16c2-dc5b-422d-8c78-461a1bdf9743%40apereo.org.

Hal Deadman

unread,
Feb 4, 2020, 11:06:24 PM2/4/20
to CAS Community
I am running a fairly recent 6.2 snapshot build. I have only seen a problem with OIDC when using an active/active cluster rather than an active/standby cluster. CAS and SAML protocols didn't have a problem. I don't have session clustering configured but I may work on adding support for a Tomcat clustering that works in Kubernetes (https://cwiki.apache.org/confluence/display/TOMCAT/ClusteringCloud) - although that would just mask the dependency on session replication. I only suspect that this is caused by a dependency on session replication; I am using the Ehcache 3 ticket registry and the problem may be related to that.

Jérôme Steve

unread,
Feb 5, 2020, 3:29:35 AM2/5/20
to cas-...@apereo.org
Hi all,

I confirm all works fine without session replication with the CAS protocol. The replication is needed only by OIDC and more specifically by the OAuth2 protocol.
Hal, I can just tell you that the Pac4j package stores some information in the session. In my case the URLs involved are oidc/callbackAuthorize and oidc/authorize.

I will try to put the httpSession in a Redis cluster and I'll come back to you.

Cheers


Jérôme LELEU

unread,
Feb 5, 2020, 4:00:29 AM2/5/20
to cas-...@apereo.org
Hi,

If you enable the OAuth server support with multiple nodes, you must enable the session replication via the following property: cas.authn.oauth.replicateSessions=true.

In that case, the pac4j session will be stored via the DistributedJEESessionStore component (which uses a cookie).

Thanks.
Best regards,
Jérôme


Jérôme Steve

unread,
Feb 5, 2020, 5:58:15 AM2/5/20
to cas-...@apereo.org
Hi Jérôme,

Thanks for the tip. It works!

Jérôme.
