On 8/5/2013 7:37 PM, Pierce, Eric wrote:

> The tomcat session is only used during the initial authentication -
> it's just there to keep track of where the user is in the webflow
> during login.  Once a user has authenticated and the TGT has been
> sent, the tomcat session isn't needed.
>
> If you lose a server, anyone who is in the process of logging in will
> see the login screen again, but as long as the ticket registry is
> replicated, anyone who has a CAS session will be fine.

Ah, I think I misunderstood the documentation and the various mailing list messages I read then. I was under the impression that not replicating tomcat session state would result in all users having to re-authenticate if they hit a different server. And I was actually seeing that behavior during testing, but it turns out that was because I had a typo in my ehcache config and it was successfully replicating service tickets but not TGTs 8-/.

Once I fixed that, I was able to fail over between the two test servers without having to re-authenticate once I had acquired a TGT.

So the window of failure caused by not replicating tomcat session state is only as big as the amount of time between the user first loading the form requesting authentication and then submitting it; given that, I don't think it's worth the extra effort to replicate tomcat sessions after all.

Thanks for the clarification…


--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
