FW: Ask cas behind haproxy problem : CASTGC cookie lost (Security C)

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

FW: Ask cas behind haproxy problem : CASTGC cookie lost (Security C)

Samuel_Liang

**  Security  C **
**  Security  C **
**  Security  C **
Dear all :


Problem Description :
I adapted our system to CAS. On simple environment(standalone), this CASTGC cookie always ok at my browser client.
But, when I migrated system to complex environment(haproxy+cluster). my browser always could not found this CASTGC cookie.
So, I open HAProxy debug mode and review output log. This CASTGC cookie had arrived to HAProxy, but can't to my browser.
For this problem, I don't know how to solve it. Could you help me, thanks!

1.Below image present our SSO Architecture.


2.Below is our configure of HAProxy :
cookie JSESSIONID prefix
cookie CASTGC indirect preserve secure
capture cookie CASTGC len 63

3.Below is our HAProxy's partial debug log :
73/0/1/182/256 302 656 - CASTGC=TGT-98-ADcUE6hsd5zyppApgu76EkEfscDupu9OGFazAMAy9bZPKXGnC --NP 0/0/0/0/0 0/0 "POST /TdaJSFWeb/login?service=http://tdatwo.kh.asegroup.com/TdaJSFWeb/welcome.ase HTTP/1.1"
73/0/1/182/256 302 656 - CASTGC=TGT-98-ADcUE6hsd5zyppApgu76EkEfscDupu9OGFazAMAy9bZPKXGnC --NP 0/0/0/0/0 0/0 "POST /TdaJSFWeb/login?service=http://tdatwo.kh.asegroup.com/TdaJSFWeb/welcome.ase HTTP/1.1"
74/0/0/19/93 302 199 - - --NN 0/0/0/0/0 0/0 "GET /TdaJSFWeb/welcome.ase?ticket=ST-98-w67V0Y3G6Z2yEQwPk0zt-khtrdsso01.kh.asegroup.com HTTP/1.1"

Samuel Liang
Advanced Semiconductor Engineering Group
Tel : 886-7-3636641 # 84508 .Fax : 886-7-3636663
Email Address : [hidden email]
2014/08/06


----- ASE Confidentiality Notice -----
The preceding message (including any attachments) contains proprietary information that may be confidential, privileged, or constitute non-public information. It is to be read and used solely by the intended recipient(s) or conveyed only to the designated recipient(s). If you are not an intended recipient of this message, please notify the author or sender immediately either by replying to this message or by telephone at 886-7-3617131 and delete this message (including any attachments hereto) immediately from your system. You should not read ,retain, disseminate, distribute, copy or use this message in whole or in part for any purpose, not disclose all or any part of its content to any other person.
----- ASE Confidentiality Notice -----
-- 
You are currently subscribed to [hidden email] as: [hidden email] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/jasig-discuss

 

Reply | Threaded
Open this post in threaded view
|

Re: FW: Ask cas behind haproxy problem : CASTGC cookie lost (Security C)

Jim Helwig-2
Samuel,
This is a (rarely used) general discussion list. The best place to find answers to your questions is to engage one of the options for CAS support:
http://www.apereo.org/cas/community
and
http://www.apereo.org/cas/support

In particular, you can join the CAS Community Discussion List where you can ask your question in more detail.
http://www.apereo.org/cas/mailing-lists
Note that you must join the list to post questions.

You could also contact a Solution Provider
http://www.apereo.org/cas/support/solutions-providers

Jim Helwig


On 8/6/14, 3:52 AM, [hidden email] wrote:

**  Security  C **
**  Security  C **
**  Security  C **
Dear all :


Problem Description :
I adapted our system to CAS. On simple environment(standalone), this CASTGC cookie always ok at my browser client.
But, when I migrated system to complex environment(haproxy+cluster). my browser always could not found this CASTGC cookie.
So, I open HAProxy debug mode and review output log. This CASTGC cookie had arrived to HAProxy, but can't to my browser.
For this problem, I don't know how to solve it. Could you help me, thanks!

1.Below image present our SSO Architecture.


2.Below is our configure of HAProxy :
cookie JSESSIONID prefix
cookie CASTGC indirect preserve secure
capture cookie CASTGC len 63

3.Below is our HAProxy's partial debug log :
73/0/1/182/256 302 656 - CASTGC=TGT-98-ADcUE6hsd5zyppApgu76EkEfscDupu9OGFazAMAy9bZPKXGnC --NP 0/0/0/0/0 0/0 "POST /TdaJSFWeb/login?service=http://tdatwo.kh.asegroup.com/TdaJSFWeb/welcome.aseHTTP/1.1"
73/0/1/182/256 302 656 - CASTGC=TGT-98-ADcUE6hsd5zyppApgu76EkEfscDupu9OGFazAMAy9bZPKXGnC --NP 0/0/0/0/0 0/0 "POST /TdaJSFWeb/login?service=http://tdatwo.kh.asegroup.com/TdaJSFWeb/welcome.aseHTTP/1.1"
74/0/0/19/93 302 199 - - --NN 0/0/0/0/0 0/0 "GET /TdaJSFWeb/welcome.ase?ticket=ST-98-w67V0Y3G6Z2yEQwPk0zt-khtrdsso01.kh.asegroup.comHTTP/1.1"

Samuel Liang
Advanced Semiconductor Engineering Group
Tel : 886-7-3636641 # 84508 .Fax : 886-7-3636663
Email Address : [hidden email]
2014/08/06


----- ASE Confidentiality Notice -----
The preceding message (including any attachments) contains proprietary information that may be confidential, privileged, or constitute non-public information. It is to be read and used solely by the intended recipient(s) or conveyed only to the designated recipient(s). If you are not an intended recipient of this message, please notify the author or sender immediately either by replying to this message or by telephone at 886-7-3617131 and delete this message (including any attachments hereto) immediately from your system. You should not read ,retain, disseminate, distribute, copy or use this message in whole or in part for any purpose, not disclose all or any part of its content to any other person.
----- ASE Confidentiality Notice -----
-- 

You are currently subscribed to [hidden email] as: [hidden email] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/jasig-discuss

 


-- 
You are currently subscribed to [hidden email] as: [hidden email] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/jasig-discuss