Memcached Ticket Registry
Memcached integration is enabled by including the following dependency in the WAR overlay:
1
2
3
4
5
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-memcached-ticket-registry</artifactId>
<version>${cas.version}</version>
</dependency>
1
implementation "org.apereo.cas:cas-server-support-memcached-ticket-registry:${project.'cas.version'}"
1
2
3
4
5
6
7
8
9
dependencyManagement {
imports {
mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
}
}
dependencies {
implementation "org.apereo.cas:cas-server-support-memcached-ticket-registry"
}
1
2
3
4
5
6
7
8
9
10
dependencies {
/*
The following platform references should be included automatically and are listed here for reference only.
implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
*/
implementation "org.apereo.cas:cas-server-support-memcached-ticket-registry"
}
This registry stores tickets in one or more memcached instances. Memcached stores data in exactly one node among many in a distributed cache, thus avoiding the requirement to replicate or otherwise share data between nodes. A deterministic function is used to locate the node, N’, on which to store key K:
1
N' = f(h(K), N1, N2, N3, ... Nm)
where h(K) is the hash of key K, N1 … Nm is the set of cache nodes, and N’ ∈ N … Nm.
The function is deterministic in that it consistently produces the same result for a given key and set of cache nodes. Note that a change in the set of available cache nodes may produce a different target node on which to store the key.
The actual memcached implementation may be supported via one of the following options, expected to be defined in the overlay.
Not all ticket registry operations are supported by the memcached ticket registry implementation. In particular, operations that execute bulk queries such as deleting and fetching all tickets in a single request may be unsupported, as memcached itself is rather unable to process and support that type of query.
Spymemcached
Enable support via the spymemcached library. This is a simple, asynchronous, single-threaded memcached client that should be the default choice for the majority of deployments.
Support is enabled by including the following dependency in the WAR overlay:
1
2
3
4
5
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-memcached-spy</artifactId>
<version>${cas.version}</version>
</dependency>
1
implementation "org.apereo.cas:cas-server-support-memcached-spy:${project.'cas.version'}"
1
2
3
4
5
6
7
8
9
dependencyManagement {
imports {
mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
}
}
dependencies {
implementation "org.apereo.cas:cas-server-support-memcached-spy"
}
1
2
3
4
5
6
7
8
9
10
dependencies {
/*
The following platform references should be included automatically and are listed here for reference only.
implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
*/
implementation "org.apereo.cas:cas-server-support-memcached-spy"
}
AWS ElastiCache
You may also use AWS ElastiCache which is a web service that makes it easy to set up, manage, and scale a distributed in-memory data store or cache environment in the cloud. It provides a high-performance, scalable, and cost-effective caching solution, while removing the complexity associated with deploying and managing a distributed cache environment.
For clusters running the Memcached engine, ElastiCache supports Auto Discovery—the ability for client programs to automatically identify all of the nodes in a cache cluster, and to initiate and maintain connections to all of these nodes. With Auto Discovery, CAS does not need to manually connect to individual cache nodes; instead, CAS connects to one Memcached node and retrieves the list of nodes. From that list, CAS is aware of the rest of the nodes in the cluster and can connect to any of them. You do not need to hard code the individual cache node endpoints in the configuration
All of the cache nodes in the cluster maintain a list of metadata about all of the other nodes. This metadata is updated whenever nodes are added or removed from the cluster.
Support is enabled by including the following dependency in the WAR overlay:
1
2
3
4
5
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-memcached-aws-elasticache</artifactId>
<version>${cas.version}</version>
</dependency>
1
implementation "org.apereo.cas:cas-server-support-memcached-aws-elasticache:${project.'cas.version'}"
1
2
3
4
5
6
7
8
9
dependencyManagement {
imports {
mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
}
}
dependencies {
implementation "org.apereo.cas:cas-server-support-memcached-aws-elasticache"
}
1
2
3
4
5
6
7
8
9
10
dependencies {
/*
The following platform references should be included automatically and are listed here for reference only.
implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
*/
implementation "org.apereo.cas:cas-server-support-memcached-aws-elasticache"
}
Configuration Considerations
There are three core configuration concerns with memcached:
- Hash Algorithm
- Node locator strategy
- Object serialization mechanism
Hash Algorithm
The hash algorithm is used to transform a key value into a memcached storage key that uniquely identifies the
corresponding value. The choice of hashing algorithm has implications for failover behavior that is important
for HA deployments. The FNV1_64_HASH algorithm is recommended since it offers a nice balance of speed and low
collision rate; see the javadocs
for alternatives.
Node Locator
The node locator serves as the deterministic node selection function for the memcached client provided by the underlying spymemcached library. There are two choices:
The array modulus mechanism is the default and suitable for cases when the number of nodes in the memcached pool is expected to be consistent. The algorithm computes an index into the array of memcached nodes:
1
hash(key) % length(nodes)
Obviously the selected index is a function of the number of memcached nodes, so variance in number of nodes produces variance in the node selected to store the key, which is undesirable.
The consistent strategy generally provides a target node that does not vary with the number of nodes. This strategy should be used in cases where the memcached pool may grow or shrink dynamically, including due to frequent node failure.
Object Serialization
Memcached stores bytes of data, so CAS tickets must be serialized to a byte array prior to storage. CAS ships with
a custom serialization component KryoTranscoder based on the Kryo serialization
framework. This component is recommended over the default Java serialization mechanism since it produces much more
compact data, which benefits both storage requirements and throughput.
Configuration
The following settings and properties are available from the CAS configuration catalog:
cas.ticket.registry.memcached.crypto.encryption.key=
The encryption key. The encryption key by default and unless specified otherwise must be randomly-generated string whose length is defined by the encryption key size setting.
|
cas.ticket.registry.memcached.crypto.signing.key=
The signing key is a JWT whose length is defined by the signing key size setting.
|
cas.ticket.registry.memcached.servers=localhost:11211
Comma-separated list of memcached servers.
|
cas.ticket.registry.memcached.crypto.alg=AES
The signing/encryption algorithm to use.
|
cas.ticket.registry.memcached.crypto.enabled=true
Whether crypto operations are enabled.
|
cas.ticket.registry.memcached.crypto.encryption.key-size=16
Encryption key size.
|
cas.ticket.registry.memcached.crypto.signing.key-size=512
The signing key size.
|
cas.ticket.registry.memcached.daemon=true
Set the daemon state of the IO thread (defaults to true).
|
cas.ticket.registry.memcached.failure-mode=Redistribute
Failure mode. Acceptable values are
|
cas.ticket.registry.memcached.hash-algorithm=FNV1_64_HASH
Hash algorithm. Acceptable values are
|
cas.ticket.registry.memcached.kryo-auto-reset=false
If true,
|
cas.ticket.registry.memcached.kryo-objects-by-reference=false
If true, each appearance of an object in the graph after the first is stored as an integer ordinal. When set to true,
|
cas.ticket.registry.memcached.kryo-registration-required=true
If true, an exception is thrown when an unregistered class is encountered. If false, when an unregistered class is encountered, its fully qualified class name will be serialized and the default serializer for the class used to serialize the object. Subsequent appearances of the class within the same object graph are serialized as an int id. Registered classes are serialized as an int id, avoiding the overhead of serializing the class name, but have the drawback of needing to know the classes to be serialized up front. SeeComponentSerializationPlan for help here.
|
cas.ticket.registry.memcached.locator-type=ARRAY_MOD
Locator mode. Acceptable values are
|
cas.ticket.registry.memcached.max-idle=8
Set the value for the maxTotal configuration attribute for pools created with this configuration instance.
|
cas.ticket.registry.memcached.max-reconnect-delay=-1
Set the maximum reconnect delay.
|
cas.ticket.registry.memcached.max-total=20
Sets the cap on the number of objects that can be allocated by the pool (checked out to clients, or idle awaiting checkout) at a given time. Use a negative value for no limit.
|
cas.ticket.registry.memcached.min-idle=0
Get the value for the minIdle configuration attribute for pools created with this configuration instance.
|
cas.ticket.registry.memcached.op-timeout=-1
Set the default operation timeout in milliseconds.
|
cas.ticket.registry.memcached.protocol=TEXT
Protocol. Acceptable values are
|
cas.ticket.registry.memcached.should-optimize=false
Set to false if the default operation optimization is not desirable.
|
cas.ticket.registry.memcached.shutdown-timeout-seconds=-1
The number of seconds to wait for connections to finish before shutting down the client.
|
cas.ticket.registry.memcached.timeout-exception-threshold=2
Set the maximum timeout exception threshold.
|
cas.ticket.registry.memcached.transcoder=KRYO
Indicate the transcoder type. Available values are as follows:
|
cas.ticket.registry.memcached.transcoder-compression-threshold=16384
For transcoders other than kryo, determines the compression threshold. Does not apply to kryo.
|
cas.ticket.registry.memcached.use-nagle-algorithm=false
Set to true if you'd like to enable the Nagle algorithm.
|
cas.ticket.registry.memcached.crypto.encryption.key=
The encryption key. The encryption key by default and unless specified otherwise must be randomly-generated string whose length is defined by the encryption key size setting.
|
cas.ticket.registry.memcached.crypto.signing.key=
The signing key is a JWT whose length is defined by the signing key size setting.
|
cas.ticket.registry.memcached.crypto.alg=AES
The signing/encryption algorithm to use.
|
cas.ticket.registry.memcached.crypto.enabled=true
Whether crypto operations are enabled.
|
cas.ticket.registry.memcached.crypto.encryption.key-size=16
Encryption key size.
|
cas.ticket.registry.memcached.crypto.signing.key-size=512
The signing key size.
|
This CAS feature is able to accept signing and encryption crypto keys. In most scenarios if keys are not provided, CAS will auto-generate them. The following instructions apply if you wish to manually and beforehand create the signing and encryption keys.
Note that if you are asked to create a JWK of a certain size for the key, you are to use the following set of commands to generate the token:
1
2
wget https://raw.githubusercontent.com/apereo/cas/master/etc/jwk-gen.jar
java -jar jwk-gen.jar -t oct -s [size]
The outcome would be similar to:
1
2
3
4
5
{
"kty": "oct",
"kid": "...",
"k": "..."
}
The generated value for k needs to be assigned to the relevant CAS settings. Note that keys generated via
the above algorithm are processed by CAS using the Advanced Encryption Standard (AES) algorithm which is a
specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology.
Configuration Metadata
The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.
Be Selective
This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.
YAGNI
Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.
Naming Convention
Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all
forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where
this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those
that might be presented to the system via an external library or framework such as Spring Boot, etc.
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.
Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided
to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with
the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition
or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the
way you intend.
Validation
Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be
recognized or validated by the configuration schema. The validation process is on by default and can be skipped on startup using a special system
property SKIP_CONFIG_VALIDATION that should be set to true. Additional validation processes are also handled
via Configuration Metadata and property migrations applied automatically on
startup by Spring Boot and family.
Indexed Settings
CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be
incremented by the adopter to allow for distinct multiple configuration blocks.
High Availability Considerations
Memcached does not provide for replication by design, but the client is tolerant to node failures with
failureMode="Redistribute". In this mode a write failure will cause the client to flag the node as failed
and remove it from the set of available nodes. It subsequently recomputes the node location function with the reduced
node set to find a new node on which to store the key. If the node location function selects the same node,
which is likely for the CONSISTENT strategy, a backup node will be computed. The value is written to and read from
the failover node until the primary node recovers. The client will periodically check the failed node for liveliness
and restore it to the node pool as soon as it recovers. When the primary node is resurrected, if it contains a value
for a particular key, it would supersede the value known to the failover node. The most common effect on CAS behavior
in this circumstance would occur when ticket-granting tickets have duplicate values, which could affect single sign-out
and prevent access to services. In particular, services accessed and forced authentications that occur while the
failover service is active would be lost when the failed node recovers. In most cases this behavior is tolerable,
but it can be avoided by restarting the memcached service on the failed node prior to rejoining the cache pool.
A read failure in Redistribute mode causes the node to be removed from the set of available nodes, a failover node is computed, and a value is read from that node. In most cases this results in a key not found situation. The effect on CAS behavior depends on the type of ticket requested:
- Service ticket - Service access would be denied for the requested ticket, but permitted for subsequent attempts since a new ticket would be generated and validated.
- Ticket-granting ticket - The SSO session would be terminated and re-authentication would be required.
Read failures are thus entirely innocuous for environments where re-authentication is acceptable.