6.4 CAS deployment in a clustered (multi-server) environment


Fotis Memis
Nov 15, 2021, 10:50:42 AM
to cas-...@apereo.org
Hello,

Has anyone tried to deploy 6.4 version of CAS in a clustered
environment? We are facing some problems in SAML services, regarding
session management, that do not happen in our 6.3.7 deployment.

Specifically we are seeing the following error:

Nov 15 16:28:01 example.com CAS[catalina-exec-21]: [ERROR] Forwarding to error page from request [/idp/profile/SAML2/Callback] due to exception [SAML request or context could not be determined from session store] - org.springframework.boot.web.servlet.support.ErrorPageFilter
java.lang.IllegalArgumentException: SAML request or context could not be determined from session store
        at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.lambda$retrieveAuthenticationRequest$3(AbstractSamlIdPProfileHandlerController.java:639) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
        at java.util.Optional.orElseThrow(Optional.java:408) ~[?:?]
        at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.retrieveAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:639) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
        at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController.handleProfileRequest(SSOSamlIdPProfileCallbackHandlerController.java:88) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
        at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController.handleCallbackProfileRequestGet(SSOSamlIdPProfileCallbackHandlerController.java:60) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.3.9.jar:5.3.9]
        at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:485) ~[spring-cloud-context-3.0.3.jar:3.0.3]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.9.jar:5.3.9]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750) ~[spring-aop-5.3.9.jar:5.3.9]
        at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:692) ~[spring-aop-5.3.9.jar:5.3.9]
        at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController$$EnhancerBySpringCGLIB$$bc6144ef.handleCallbackProfileRequestGet(<generated>) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:197) ~[spring-web-5.3.9.jar:5.3.9]
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:141) ~[spring-web-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:106) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1064) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:634) ~[tomcat9-servlet-api.jar:?]
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) ~[tomcat9-servlet-api.jar:?]
        at jdk.internal.reflect.GeneratedMethodAccessor414.invoke(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:550) ~[?:?]
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat9-websocket-9.0.31.jar:9.0.31]
        at jdk.internal.reflect.GeneratedMethodAccessor244.invoke(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:550) ~[?:?]
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[tomcat9-catalina-9.0.31.jar

PS: We deploy our cas.war files to 2 external tomcats, and use redis for
our ticket registry. Please note that, as mentioned above, our setup
works fine with version 6.3.7.

Kind regards,

Fotis



Jérôme LELEU
Nov 15, 2021, 10:57:33 AM
to CAS Community
Hi,

Did you configure the clustering for the SAML server support?

  • cas.authn.saml-idp.core.session-storage-type=HTTP

Indicates whether SAML requests, and other session data collected as part of SAML flows and requests, are kept in the container HTTP session or local storage, or should be replicated across the cluster. Available values are as follows:

  • HTTP: Saml requests, and other session data collected as part of SAML flows and requests are kept in the http servlet session that is local to the server.
  • BROWSER_SESSION_STORAGE: Saml requests, and other session data collected as part of SAML flows and requests are kept in the client browser's session storage, signed and encrypted. SAML2 interactions require client-side read/write operations to restore the session from the browser.
  • TICKET_REGISTRY: Saml requests, and other session data collected as part of SAML flows and requests are tracked as CAS tickets in the registry and replicated across the entire cluster as tickets.

Thanks.
Best regards,
Jérôme


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/cf0a49b8-f335-b448-c7c0-37900e1bf3ef%40gunet.gr.
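To make the failure mode behind the error concrete, here is a small two-node simulation of the three storage types; it is an added example, not CAS code, and the node class, signing key and blob format are constructed stand-ins (the real BROWSER_SESSION_STORAGE setting signs and encrypts, only signing is modelled here). The first leg of the flow runs on one node and the callback lands on the other, as a load balancer without sticky sessions would route it.

```python
import base64
import hashlib
import hmac
import json
# Constructed demo key (the real setting signs and encrypts; only signing is modelled here).
SIGNING_KEY = b"constructed-demo-key-not-for-production"

class CasNode:
    def __init__(self, shared_registry):
        self.local_sessions = {}          # HTTP: servlet session, local to this node only
        self.registry = shared_registry   # TICKET_REGISTRY: replicated store (redis, hazelcast)

    def start_sso(self, mode, session_id, saml_request):
        """First leg: remember the AuthnRequest before redirecting the user to login."""
        if mode == "HTTP":
            self.local_sessions[session_id] = saml_request
        elif mode == "TICKET_REGISTRY":
            self.registry[session_id] = saml_request
        elif mode == "BROWSER_SESSION_STORAGE":
            body = base64.urlsafe_b64encode(json.dumps(saml_request).encode()).decode()
            mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
            return body + "." + mac       # handed to the client; nothing kept server-side
        return None

    def callback(self, mode, session_id, client_blob=None):
        """Second leg: /idp/profile/SAML2/Callback must recover the stored request."""
        if mode == "HTTP":
            req = self.local_sessions.get(session_id)
        elif mode == "TICKET_REGISTRY":
            req = self.registry.get(session_id)
        else:
            body, _, mac = (client_blob or "").rpartition(".")
            expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
            valid = hmac.compare_digest(mac, expected)    # reject tampered client state
            req = json.loads(base64.urlsafe_b64decode(body)) if valid else None
        if req is None:
            raise ValueError("SAML request or context could not be determined from session store")
        return req

def run_flow(mode, tamper=False):
    """Start on node A, land the callback on node B; return the request id or the error."""
    registry = {}
    node_a, node_b = CasNode(registry), CasNode(registry)
    blob = node_a.start_sso(mode, "sess-1", {"id": "_req1", "sp": "https://sp.example"})
    if tamper and blob:                   # simulate a client altering its stored state
        blob = blob[:-1] + ("0" if blob[-1] != "0" else "1")
    try:
        return node_b.callback(mode, "sess-1", blob)["id"]
    except ValueError as exc:
        return str(exc)
```

Only the HTTP mode reproduces the message from the stack trace above, because the second node has no copy of the first node's servlet session; the other two modes survive the node switch, and the browser-held variant additionally rejects state that has been modified in transit.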

Fotis Memis
Nov 15, 2021, 12:53:38 PM
to cas-...@apereo.org

Thank you for the quick answer!!
Adding cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY fixed our problem!

Kind regards,

Fotis

Frédéric Surleau
Feb 9, 2022, 8:50:48 AM
to CAS Community, leleuj
Hi,

Same problem here but with hazelcast as ticket registry also on 2 servers.

cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY works for some clients but for others, Android APP using Chrome, we had to use BROWSER_SESSION_STORAGE.

Regards,
Fred.