Memcached Ticket Registry

Memcached integration is enabled by including the following dependency in the WAR overlay:

implementation "org.apereo.cas:cas-server-support-memcached-ticket-registry,cas-server-support-memcached-core:${project.'cas.version'}"
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-memcached-ticket-registry,cas-server-support-memcached-core</artifactId>
  <version>${cas.version}</version>
</dependency>
dependencyManagement {
  imports {
    mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
  }
}

dependencies {  
  implementation "org.apereo.cas:cas-server-support-memcached-ticket-registry,cas-server-support-memcached-core"
}

This registry stores tickets in one or more memcached instances. Memcached stores data in exactly one node among many in a distributed cache, thus avoiding the requirement to replicate or otherwise share data between nodes. A deterministic function is used to locate the node, N’, on which to store key K:

1
N' = f(h(K), N1, N2, N3, ... Nm)

where h(K) is the hash of key K, N1 … Nm is the set of cache nodes, and N’N … Nm.

The function is deterministic in that it consistently produces the same result for a given key and set of cache nodes. Note that a change in the set of available cache nodes may produce a different target node on which to store the key.

The actual memcached implementation may be supported via one of the following options, expected to be defined in the overlay.

Spymemcached

Enable support via the spymemcached library. This is a simple, asynchronous, single-threaded memcached client that should be the default choice for the majority of deployments.

Support is enabled by including the following dependency in the WAR overlay:

implementation "org.apereo.cas:cas-server-support-memcached-spy:${project.'cas.version'}"
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-memcached-spy</artifactId>
  <version>${cas.version}</version>
</dependency>
dependencyManagement {
  imports {
    mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
  }
}

dependencies {  
  implementation "org.apereo.cas:cas-server-support-memcached-spy"
}

AWS ElastiCache

You may also use AWS ElastiCache which is a web service that makes it easy to set up, manage, and scale a distributed in-memory data store or cache environment in the cloud. It provides a high-performance, scalable, and cost-effective caching solution, while removing the complexity associated with deploying and managing a distributed cache environment.

For clusters running the Memcached engine, ElastiCache supports Auto Discovery—the ability for client programs to automatically identify all of the nodes in a cache cluster, and to initiate and maintain connections to all of these nodes. With Auto Discovery, CAS does not need to manually connect to individual cache nodes; instead, CAS connects to one Memcached node and retrieves the list of nodes. From that list, CAS is aware of the rest of the nodes in the cluster and can connect to any of them. You do not need to hard code the individual cache node endpoints in the configuration

All of the cache nodes in the cluster maintain a list of metadata about all of the other nodes. This metadata is updated whenever nodes are added or removed from the cluster.

Support is enabled by including the following dependency in the WAR overlay:

implementation "org.apereo.cas:cas-server-support-memcached-aws-elasticache:${project.'cas.version'}"
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-memcached-aws-elasticache</artifactId>
  <version>${cas.version}</version>
</dependency>
dependencyManagement {
  imports {
    mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
  }
}

dependencies {  
  implementation "org.apereo.cas:cas-server-support-memcached-aws-elasticache"
}

Configuration Considerations

There are three core configuration concerns with memcached:

  1. Hash Algorithm
  2. Node locator strategy
  3. Object serialization mechanism

Hash Algorithm

The hash algorithm is used to transform a key value into a memcached storage key that uniquely identifies the corresponding value. The choice of hashing algorithm has implications for failover behavior that is important for HA deployments. The FNV1_64_HASH algorithm is recommended since it offers a nice balance of speed and low collision rate; see the javadocs for alternatives.

Node Locator

The node locator serves as the deterministic node selection function for the memcached client provided by the underlying spymemcached library. There are two choices:

  1. ARRAY_MOD
  2. CONSISTENT

The array modulus mechanism is the default and suitable for cases when the number of nodes in the memcached pool is expected to be consistent. The algorithm computes an index into the array of memcached nodes:

1
hash(key) % length(nodes)

Obviously the selected index is a function of the number of memcached nodes, so variance in number of nodes produces variance in the node selected to store the key, which is undesirable.

The consistent strategy generally provides a target node that does not vary with the number of nodes. This strategy should be used in cases where the memcached pool may grow or shrink dynamically, including due to frequent node failure.

Object Serialization

Memcached stores bytes of data, so CAS tickets must be serialized to a byte array prior to storage. CAS ships with a custom serialization component KryoTranscoder based on the Kryo serialization framework. This component is recommended over the default Java serialization mechanism since it produces much more compact data, which benefits both storage requirements and throughput.

Configuration

The following settings and properties are available from the CAS configuration catalog:

The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting is not strictly necessary in the end-user CAS configuration, because a default value may be assigned or the feature in question may not be immediately intended for use. You may want to own the setting and update it assigned value, assuming the intended feature controlled by the setting is utilized.

  • cas.ticket.registry.memcached.servers=localhost:11211
  • Comma-separated list of memcached servers.

    The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value.

  • cas.ticket.registry.memcached.daemon=true
  • Set the daemon state of the IO thread (defaults to true).

  • cas.ticket.registry.memcached.failure-mode=Redistribute
  • Failure mode. Acceptable values are Redistribute,Retry,Cancel.

  • cas.ticket.registry.memcached.hash-algorithm=FNV1_64_HASH
  • Hash algorithm. Acceptable values are NATIVE_HASH,CRC_HASH,FNV1_64_HASH,FNV1A_64_HASH,FNV1_32_HASH,FNV1A_32_HASH,KETAMA_HASH.

  • cas.ticket.registry.memcached.kryo-auto-reset=false
  • If true, reset is called automatically after an entire object graph has been read or written. If false, reset must be called manually, which allows unregistered class names, references, and other information to span multiple object graphs.

  • cas.ticket.registry.memcached.kryo-objects-by-reference=false
  • If true, each appearance of an object in the graph after the first is stored as an integer ordinal. When set to true, MapReferenceResolver is used. This enables references to the same object and cyclic graphs to be serialized, but typically adds overhead of one byte per object.

  • cas.ticket.registry.memcached.kryo-registration-required=true
  • If true, an exception is thrown when an unregistered class is encountered.

    If false, when an unregistered class is encountered, its fully qualified class name will be serialized and the default serializer for the class used to serialize the object. Subsequent appearances of the class within the same object graph are serialized as an int id. Registered classes are serialized as an int id, avoiding the overhead of serializing the class name, but have the drawback of needing to know the classes to be serialized up front. See ComponentSerializationPlan for help here.

  • cas.ticket.registry.memcached.locator-type=ARRAY_MOD
  • Locator mode. Acceptable values are ARRAY_MOD, CONSISTENT, VBUCKET.

  • cas.ticket.registry.memcached.max-idle=8
  • Set the value for the maxTotal configuration attribute for pools created with this configuration instance.

  • cas.ticket.registry.memcached.max-reconnect-delay=-1
  • Set the maximum reconnect delay.

  • cas.ticket.registry.memcached.max-total=20
  • Sets the cap on the number of objects that can be allocated by the pool (checked out to clients, or idle awaiting checkout) at a given time. Use a negative value for no limit.

  • cas.ticket.registry.memcached.min-idle=0
  • Get the value for the minIdle configuration attribute for pools created with this configuration instance.

  • cas.ticket.registry.memcached.op-timeout=-1
  • Set the default operation timeout in milliseconds.

  • cas.ticket.registry.memcached.should-optimize=false
  • Set to false if the default operation optimization is not desirable.

  • cas.ticket.registry.memcached.shutdown-timeout-seconds=-1
  • The number of seconds to wait for connections to finish before shutting down the client.

  • cas.ticket.registry.memcached.timeout-exception-threshold=2
  • Set the maximum timeout exception threshold.

  • cas.ticket.registry.memcached.transcoder=KRYO
  • Indicate the transcoder type. Accepted values are KRYO, SERIAL, WHALIN, WHALINV1. The default is KRYO.

  • cas.ticket.registry.memcached.transcoder-compression-threshold=16384
  • For transcoders other than kryo, determines the compression threshold. Does not apply to kryo.

  • cas.ticket.registry.memcached.use-nagle-algorithm=false
  • Set to true if you'd like to enable the Nagle algorithm.


    Configuration Metadata

    The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations. Over time and with community contributions, the accuracy and volume of the documentation should improve over time.

    Be Selective

    This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.

    YAGNI

    Note that for nearly ALL use cases, declaring and configuring properties listed below is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.

    Naming Convention

    Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc. When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value.S ettings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the way you intend.

    Validation

    Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema. The validation process is on by default and can be skipped on startup using a special system property SKIP_CONFIG_VALIDATION that should be set to true. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.

    Indexed Settings

    CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be incremented by the adopter to allow for distinct multiple configuration blocks.

    Time Unit of Measure

    All CAS settings that deal with time units, unless noted otherwise, should support the duration syntax for full clarity on unit of measure: PT20S, PT15M, PT10H, PT6D, P2DT3H4M.

    High Availability Considerations

    Memcached does not provide for replication by design, but the client is tolerant to node failures with failureMode="Redistribute". In this mode a write failure will cause the client to flag the node as failed and remove it from the set of available nodes. It subsequently recomputes the node location function with the reduced node set to find a new node on which to store the key. If the node location function selects the same node, which is likely for the CONSISTENT strategy, a backup node will be computed. The value is written to and read from the failover node until the primary node recovers. The client will periodically check the failed node for liveliness and restore it to the node pool as soon as it recovers. When the primary node is resurrected, if it contains a value for a particular key, it would supersede the value known to the failover node. The most common effect on CAS behavior in this circumstance would occur when ticket-granting tickets have duplicate values, which could affect single sign-out and prevent access to services. In particular, services accessed and forced authentications that occur while the failover service is active would be lost when the failed node recovers. In most cases this behavior is tolerable, but it can be avoided by restarting the memcached service on the failed node prior to rejoining the cache pool.

    A read failure in Redistribute mode causes the node to be removed from the set of available nodes, a failover node is computed, and a value is read from that node. In most cases this results in a key not found situation. The effect on CAS behavior depends on the type of ticket requested:

    • Service ticket - Service access would be denied for the requested ticket, but permitted for subsequent attempts since a new ticket would be generated and validated.
    • Ticket-granting ticket - The SSO session would be terminated and re-authentication would be required.

    Read failures are thus entirely innocuous for environments where re-authentication is acceptable.