A more sophisticated, error-handling, parallelized, timeout-capable
AuthenticationManager seems a good enough idea that I created a
request-for-enhancement JIRA entry to track it here:
https://issues.jasig.org/browse/CAS-1044
Leonid, if you end up developing a solution to this for your CAS
implementation, please share code.
Andrew

On 08/31/2011 08:36 AM, Andrew Petro wrote:
Hi Leonid,
The AuthenticationManager implementations shipping with CAS treat an
exception thrown by any of their configured AuthenticationHandlers as
a failure of the user login, and interrogate these handlers serially.
They do not have the feature of interrogating configured handlers in
serial, nor do they have the feature of succeeding the authentication
when one or more handlers fail with an exception but one succeeds.
One approach is to provide a higher availability LDAP for CAS to talk
to -- that is, implement the load balancing and failover over your
LDAP behind a single LDAP interface abstraction for CAS to access,
moving this error handling problem out of CAS and into the
institutional LDAP service. Not saying you're going to find this
option attractive, just saying it's an option.
Another approach would be to develop a more sophisticated,
error-handling, parallelized AuthenticationManager. Sounds like
something that ought to be developed.
However. The existing AuthenticationManager implementations *do*
treat an AuthenticationHandler returning false differently from an
AuthenticationHandler throwing an exception, in that an exception
fails the whole authentication attempt, whereas returning false
instructs the AuthenticationManager to try another. This doesn't
address trying the handlers in parallel, but it does address trying
another AuthenticationHandler when one fails. You might therefore
produce a modified AuthenticationHandler that catches its exceptions
and returns false rather than percolating them up (or perhaps a
wrapper AuthenticationHandler implementation that does this, or a
fancy Aspect, or whatever...) Plugging such a
false-returning-rather-than-exception-throwing AuthenticationHandler
into the existing AuthenticationManagerImpl would result in failover
across the handlers. You might even implement a timeout behavior in
the wrapper, such that it invokes the wrapped handler in a separate
thread and expeditiously returns false at a timeout so that the
AuthenticationManager will move on and try another handler before the
user completely loses patience.
Andrew

On 08/31/2011 08:26 AM, Leonid Batizhevsky wrote:
Hello, please say what to do if one of my LDAPs is down? CAS didn't work
correctly with this case.
--
View this message in context:
http://jasig.275507.n4.nabble.com/CAS-Multiple-BindLdapAuthenticationHandler-tp2133071p3780829.html
Sent from the CAS Users mailing list archive at Nabble.com.
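The wrapper idea from the 08:36 reply (catch exceptions, return false, give up at a timeout), written out as an added Java example; it is not code from CAS or from anyone in this thread. The nested `AuthenticationHandler` interface is a simplified stand-in for the CAS one, and `FailoverHandler`, `fake`, the 500 ms timeout and the serial loop in `main` are hypothetical names and values chosen for illustration.

```java
import java.util.concurrent.*;
public class FailoverDemo {
    // Stand-in for the two-method shape of CAS's AuthenticationHandler (simplified assumption).
    interface AuthenticationHandler {
        boolean supports(Object credentials);
        boolean authenticate(Object credentials) throws Exception;
    }
    // Hypothetical wrapper: exceptions and timeouts become "false" so the manager tries the next handler.
    static final class FailoverHandler implements AuthenticationHandler {
        // Daemon threads: a hung LDAP bind must not block JVM shutdown.
        private static final ExecutorService POOL = Executors.newCachedThreadPool(
            r -> { Thread t = new Thread(r, "auth-failover"); t.setDaemon(true); return t; });
        private final AuthenticationHandler delegate;
        private final long timeoutMillis;
        FailoverHandler(AuthenticationHandler d, long ms) { delegate = d; timeoutMillis = ms; }
        public boolean supports(Object credentials) { return delegate.supports(credentials); }
        public boolean authenticate(Object credentials) {
            Future<Boolean> result = POOL.submit((Callable<Boolean>) () -> delegate.authenticate(credentials));
            try { // fail closed: only an explicit true from the delegate authenticates
                return Boolean.TRUE.equals(result.get(timeoutMillis, TimeUnit.MILLISECONDS));
            } catch (TimeoutException e) {
                result.cancel(true); // interrupt the stuck call so it does not pile up
                System.err.println("handler timed out after " + timeoutMillis + " ms");
            } catch (ExecutionException e) {
                System.err.println("handler error: " + e.getCause()); // log the cause, never credentials
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
            return false;
        }
    }
    // Constructed test double: hangs like an unreachable LDAP server, or answers immediately.
    static AuthenticationHandler fake(boolean hang, boolean answer) {
        return new AuthenticationHandler() {
            public boolean supports(Object c) { return true; }
            public boolean authenticate(Object c) throws Exception {
                if (hang) Thread.sleep(60_000);
                return answer;
            }
        };
    }
    public static void main(String[] args) throws Exception {
        AuthenticationHandler[] chain = { new FailoverHandler(fake(true, false), 500),
                                          new FailoverHandler(fake(false, true), 500) };
        boolean ok = false; // serial loop standing in for the shipped AuthenticationManager
        for (AuthenticationHandler h : chain)
            if (h.supports("user") && (ok = h.authenticate("user"))) break;
        System.out.println("authenticated=" + ok);
    }
}
```

Because the wrapper reports an unreachable directory the same way as a rejected password, the log lines are the only record that a handler is down, so they should feed monitoring.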