Cookies Problem in Clustered Environment


Artur Stöcklin

Jan 20, 2016, 11:46:46 AM
to CAS Community
Hi Community

We are facing the following problem with TGC cookies in a clustered environment.

1. We have 2 active/active CAS nodes installed on Apache Tomcat 8.0. The tickets are synchronized through EhCache.
2. Each Tomcat is behind an Apache webserver which does the proxying.
3. Both webservers are behind a load balancer.


When the user logs in and gets a valid TGC from node 1, and in the next request the load balancer sends him to node 2, the second CAS node throws a

java.lang.IllegalStateException: Invalid cookie. Required remote address does not match "IP adress of node one"
        at org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue_aroundBody2(DefaultCasCookieValueManager.java:110)
        at org.jasig.cas.web.support.DefaultCasCookieValueManager$AjcClosure3.run(DefaultCasCookieValueManager.java:1)
        at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
        at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
        at org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:89)
        at org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue_aroundBody2(CookieRetrievingCookieGenerator.java:109)
        at org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3.run_aroundBody0(CookieRetrievingCookieGenerator.java:1)
        at org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3$AjcClosure1.run(CookieRetrievingCookieGenerator.java:1)
        at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
        at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
        at org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3.run(CookieRetrievingCookieGenerator.java:1)
        at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
        at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
        at org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:107)
        at org.jasig.cas.web.flow.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:91)
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
        at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
        at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
        at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
        at org.springframework.webflow.engine.Flow.start(Flow.java:526)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
        at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
        at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:238)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:966)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:857)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:296)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:217)


We can see in the log file of node 1 that the TGC is created with the IP address of the node itself:
2016-01-20 17:30:23,837 [http-nio-8443-exec-7] DEBUG [org.jasig.cas.web.support.DefaultCasCookieValueManager] Encoding cookie value [TGT-**********************************************UVLxcrqe...@192.168.220.168@Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]

We have tried to solve that with the configuration of the vhost on the Apache webserver itself. The ProxyPreserveHost On attribute did not help.

Any suggestions? This problem should actually not occur in High Availability environments, should it?

Thank you
Regards
Artur



Kevin Foote

Jan 20, 2016, 11:54:59 AM
to Artur Stöcklin, CAS Community

> On Jan 20, 2016, at 8:46 AM, Artur Stöcklin <source...@gmail.com> wrote:
>
> We can see in the log file of node 1 that the TGC is created with the IP address of the node itself:
> 2016-01-20 17:30:23,837 [http-nio-8443-exec-7] DEBUG [org.jasig.cas.web.support.DefaultCasCookieValueManager] Encoding cookie value [TGT-**********************************************UVLxcrqe...@192.168.220.168@Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
>
> We have tried to solve that with the configuration of the vhost on the Apache webserver itself. The ProxyPreserveHost On attribute did not help.

I’m guessing here, you probably need to set the X-Forwarded-For header from your ADC and deal with that at your HTTPD / Servlet layer.

--------
thanks
kevin.foote

Tom Andersson

Apr 5, 2016, 3:14:43 AM
to CAS Community, source...@gmail.com
Hi!

Were you able to resolve this issue? I am having a similar problem, where I have a clustered reverse proxy in front of CAS. It seems that the TGC can only be verified when the request is coming from the same proxy IP as the request by which the cookie was generated. What might be the most meaningful way to resolve this issue?

2016-04-05 06:55:19,244 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Invalid cookie. Required remote address does not match 157.200.40.117
java.lang.IllegalStateException: Invalid cookie. Required remote address does not match 157.200.40.117
        at org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:110)
        at org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:116)

Thank you for any suggestions!
Tom

Tom Andersson

Apr 5, 2016, 4:23:22 AM
to jasig-cas-user, cas-...@apereo.org, source...@gmail.com
Just to follow up on this, I'm guessing that using the X-Forwarded-For header instead of HttpServletRequest.getRemoteAddr() would work, but I would not like to go forking the CAS code... Is that the only way if 'session stickiness' on the proxy level is out of the question?

BR,
Tom

Tom Andersson

Apr 5, 2016, 6:45:57 AM
to jasig-cas-user, cas-...@apereo.org, source...@gmail.com
Just in case anyone else is experiencing this issue, I got this resolved by using RemoteIpValve on Tomcat end:


Tom

Priyambada Madala

Apr 19, 2018, 3:35:54 AM
to CAS Community, jasig-c...@googlegroups.com, source...@gmail.com
Hi Tom, 

I am facing a similar problem. Would you mind sharing the exact changes in server.xml of Tomcat?

Tom Andersson

Apr 19, 2018, 9:23:16 AM
to CAS Community, jasig-c...@googlegroups.com, source...@gmail.com
Hi,

We seem to have the following in server.xml:

<Engine name="Catalina" defaultHost="localhost">
    ...
    <Host name="localhost"  appBase="webapps"
          unpackWARs="true" autoDeploy="true">
        ...
        <Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies=".*" />
    </Host>
</Engine>
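The same valve with its trust boundary narrowed, as an added example that is not Tom's configuration: `internalProxies=".*"` makes Tomcat accept X-Forwarded-For from any peer, so any request that reaches Tomcat without passing through the Apache proxies decides the address CAS binds the TGC to. Listing only the proxies' own addresses limits the header to them; the two proxy addresses (192.0.2.10 and 192.0.2.11, from the RFC 5737 documentation range) and TLS termination at Apache are assumptions.

```xml
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

    <!-- Weak form, as posted in the thread: the header is trusted from ANY
         peer, so the client address seen by CAS can be chosen by whoever
         talks to Tomcat directly. -->
    <!--
    <Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies=".*" />
    -->

    <!-- Hardened form: only the two Apache proxies (assumed addresses) may
         supply the client address and scheme. internalProxies is a Java
         regular expression, so the dots are escaped. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="X-Forwarded-For"
           internalProxies="192\.0\.2\.10|192\.0\.2\.11"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpsServerPort="443" />
</Host>
```

Apache's mod_proxy adds X-Forwarded-For on its own, but X-Forwarded-Proto has to be set in the vhost (for example with mod_headers) if the protocolHeader attribute is used. Tomcat's default internalProxies already covers the private ranges, so proxies on addresses like 192.168.220.168 (Artur's log) work without the attribute at all, whereas a public proxy address such as 157.200.40.117 (Tom's log) must be listed explicitly.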