Redis-based CAS Cluster

Single Sign-On (SSO) is a basic requirement for complex application systems. Yale CAS is a common open source solution. CAS Certification Center, based on its special functions, will naturally become the core of the entire application system. All application system authentication work will be requested to CAS for completion. Therefore, the CAS server is the key node of the entire application. If CAS fails, all systems will be paralyzed. At the same time, CAS must have sufficient load capacity to respond to all authentication requests. Using Server Load balancer and cluster technology, CAs can not only overcome single point of failure (spof), but also distribute authentication requests to multiple CAS servers, effectively reducing the request pressure on a single CAS server. The following will be based on cas
3.4.5 to discuss CAS clusters.

The working principle of CAS is mainly implemented based on the ticket (ticket) (refer to the basic principles of CAS ). CAS tickets are stored in the ticketregistry. Therefore, to implement CAS cluster, multiple CAS must share all the ticket and use the unified ticketregistry. In the default CAS implementation, ticketregistry is implemented in the memory. Different CAS servers have their own separate ticketregistry. Therefore, distributed clusters are not supported. However, CAS provides a distributed ticketregistry-supported interface org. JASIG. Cas. Ticket. Registry. abstractdistributedticketregistry. We can implement this interface to share multiple CAS servers with ticketregistry to implement CAS clusters.

In addition, compared with the new CAS version, springwebflow is used as the authentication process, while webflow uses session to store process-related information. Therefore, to implement CAS clusters, we need to share sessions of different servers.

We use the memory database redis to implement ticketregistry, so that multiple CAS servers share the same ticketregistry. In the same way, we store sessions in redis to share sessions. The following describes how to use redis to implement ticketregistry. We use Java to call the Jedis interface to operate redis. The Code is as follows:

 

[HTML]
View plaincopy

1. Import java. Io. bytearrayinputstream;
2. Import java. Io. bytearrayoutputstream;
3. Import java. Io. objectinputstream;
4. Import java. Io. objectoutputstream;
5. Import java. util. collection;
7. Import org. JASIG. Cas. Ticket. ticket;
8. Import org. JASIG. Cas. Ticket. ticketgrantingticket;
9. Import org. JASIG. Cas. Ticket. Registry. abstractdistributedticketregistry;
12. Import redis. Clients. Jedis. Jedis;
13. Import redis. Clients. Jedis. jedispool;
14. Import redis. Clients. Jedis. jedispoolconfig;
17. /*
18. * Ticketregistry using redis, to solve CAS cluster.
19. *
20. * @ Author ZL
21. *
22. */
24. Public class redisticketregistry extends actdistributedticketregistry {
27. Private Static int redisdatabasenum;
28. Private Static string hosts;
29. Private Static int port;
30. Private Static int st_time; // st maximum idle time
31. Private Static int tgt_time; // maximum idle time of TGT
33. Private Static jedispool cachepool;
35. Static {
37. Redisdatabasenum = propertiesconfigutil. getpropertyint ("redis_database_num ");
38. Hosts = propertiesconfigutil. getproperty ("hosts ");
39. Port = propertiesconfigutil. getpropertyint ("Port ");
40. St_time = propertiesconfigutil. getpropertyint ("st_time ");
41. Tgt_time = propertiesconfigutil. getpropertyint ("tgt_time ");
42. Cachepool = new jedispool (New jedispoolconfig (), hosts, Port );
44. }
46. Public void addticket (Ticket ){
48. Jedis = cachepool. getresource ();
49. Jedis. Select (redisdatabasenum );
51. Int seconds = 0;
53. String key = ticket. GETID ();
55. If (ticket instanceof ticketgrantingticket ){
56. // Key = (ticketgrantingticket) Ticket). getauthentication (). getprincipal (). GETID ();
57. Seconds = tgt_time/1000;
58. } Else {
59. Second = st_time/1000;
60. }
63. Bytearrayoutputstream Bos = new bytearrayoutputstream ();
64. Objectoutputstream OOS = NULL;
65. Try {
66. Oos = new objectoutputstream (BOS );
67. Oos. writeobject (ticket );
69. } Catch (exception e ){
70. Log. Error ("adding ticket to redis error .");
71. } Finally {
72. Try {
73. If (null! = OOS) OOS. Close ();
74. } Catch (exception e ){
75. Log. Error ("Oos closing error when adding ticket to redis .");
76. }
77. }
78. Jedis. Set (key. getbytes (), Bos. tobytearray ());
79. Jedis. expire (key. getbytes (), seconds );
81. Cachepool. returnresource (Jedis );
83. }
85. Public ticket getticket (final string ticketid ){
86. Return getproxiedticketinstance (getrawticket (ticketid ));
87. }
90. Private ticket getrawticket (final string ticketid ){
92. If (null = ticketid) return NULL;
94. Jedis = cachepool. getresource ();
95. Jedis. Select (redisdatabasenum );
97. Ticket = NULL;
99. Bytearrayinputstream BAIS = new bytearrayinputstream (Jedis. Get (ticketid. getbytes ()));
100. Objectinputstream OIS = NULL;
102. Try {
103. Ois = new objectinputstream (BAIS );
104. Ticket = (ticket) Ois. readobject ();
105. } Catch (exception e ){
106. Log. Error ("getting ticket to redis error .");
107. } Finally {
108. Try {
109. If (null! = OIS) Ois. Close ();
110. } Catch (exception e ){
111. Log. Error ("OIS closing error when getting ticket to redis .");
112. }
113. }
115. Cachepool. returnresource (Jedis );
117. Return ticket;
118. }
122. Public Boolean deleteticket (final string ticketid ){
124. If (ticketid = NULL ){
125. Return false;
126. }
129. Jedis = cachepool. getresource ();
130. Jedis. Select (redisdatabasenum );
132. Jedis. Del (ticketid. getbytes ());
134. Cachepool. returnresource (Jedis );
136. Return true;
137. }
139. Public Collection <ticket> gettickets (){
141. Throw new unsupportedoperationexception ("gettickets not supported .");
143. }
145. Protected Boolean needscallback (){
146. Return false;
147. }
149. Protected void updateticket (final Ticket ){
150. Addticket (ticket );
151. }
153. }

In the ticketregistry. xml configuration file, we specify the ticketregistry implementation class as the preceding implementation. Modify the following class values.

[HTML]
View plaincopy

1. <! -- Ticket registry -->
2. <Bean id = "ticketregistry" class = "org. JASIG. Cas. util. redisticketregistry"/>
4. <! -- <Bean id = "ticketregistry" class = "org. JASIG. Cas. Ticket. Registry. defaultticketregistry"/>
5. -->

Because the expire function of redis is used, comment out the following code:

[HTML]
View plaincopy

1. <! -- Ticket registry cleaner -->
2. Lt ;! -- <Bean id = "ticketregistrycleaner" class = "org. JASIG. Cas. Ticket. Registry. Support. defaultticketregistrycleaner"
3. P: ticketregistry-ref = "ticketregistry"/>
5. <Bean id = "jobdetailticketregistrycleaner" class = "org. springframework. Scheduling. Quartz. methodinvokingjobdetailfactorybean"
6. P: targetobject-ref = "ticketregistrycleaner"
7. P: targetmethod = "clean"/>
9. <Bean id = "triggerjobdetailticketregistrycleaner" class = "org. springframework. Scheduling. Quartz. simpletriggerbean"
10. P: jobdetail-ref = "jobdetailticketregistrycleaner"
11. P: startdelay= "20000"
12. P: repeatinterval = "5000000" type = "codeph" text = "/codeph"/> -->

With the preceding Implementation of ticketregistry, multiple CAS servers can share the same ticketregistry. For how to share sessions, we can directly integrate them using the ready-made third-party tool tomcat-redis-session-manager. Configure Server Load balancer for front-end web servers (such as nginx) and forward the authentication request distribution to the following CAS servers to achieve load balancing and fault tolerance.