The IdP Memcached StorageService provides an easy way to connect your Shibboleth IdP to a memcached server, in order to create a stateful cluster. It is intended to be a lightweight alternative to using the Terracotta software.
This extension was announced and is discussed at the shibboleth-users mailing list (see IdP Memcached StorageService implementation and Infinispan Based Storage Service).
The extension is hosted (along with other IdP tools) at the DFN-AAI website.
Current version:
You may download the extension (along with documentation and setup instructions) from this direct link:
https://www.aai.dfn.de/fileadmin/tools/unimr-memcached-idp2.4-rev272.tar.gz (341 KB - Revision 272)
Old versions:
https://www.aai.dfn.de/fileadmin/tools/unimr-memcached.tar.gz (329 KB - Revision 151)
https://www.aai.dfn.de/fileadmin/tools/unimr-memcached-idp2.4-rev218.tar.gz (330 KB - Revision 218)
An in-depth presentation of the extension (only in German, though) was held at the 9th DFN-AAI forum in Berlin (Germany) on 19-Oct-2011. It can be found at this link:
http://www.dfn.de/fileadmin/3Beratung/Betriebstagungen/bt55/forum-aai-haim.pdf (811 KB)
This extension has been successfully tested with Shibboleth IdP 2.3 up to 2.4.
Some extensions like the x509 login handler and the
PLEASE NOTE: If using the default UsernamePassword login handler (as supplied with the Shibboleth IdP), you must not preserve the LDAP principals returned by the vt-ldap JAAS login module, as they contain non-serializable data. In other words, just add the following line to your JAAS configuration (login.config):
setLdapPrincipal="false"
(Alternatively, you may write a custom login handler which does not retain the Set loginSubject.getPrincipals() but rather creates a new java.util.HashSet<Principal>() to be stored within the Subject, containing only the authenticated username.)
Some service providers have been reported e.g. to send SAML AuthnRequest messages with very long but random message IDs (which may then end up as keys within the IdP's replay cache). However, the memcached protocol only allows for keys up to 250 bytes in length. In order to handle longer keys, the memcached StorageService will take the key name and calculate the SHA512 hash instead (without collision checking, though). You may turn on INFO logging for unimr.shib2.UniMrMemcachedStorageService to have oversized keys logged.
1. Make sure your IdP nodes run behind a load balancer which sticks to the cookie "_idp_authn_lc_key" (for at least a few minutes, if you only want the login to work) or "JSESSIONID" (if you want session stickiness for Shibboleth sessions as well; it will not be sufficient to stick only to the "_idp_session" cookie). If you cannot stick to a cookie, try to stick to the user's IP address (for at least a few minutes); this should work as well.
2. Set up a memcached daemon (or two) and remember the hostname and port. Remember that memcached throws old entries away if it runs out of memory, so give it at least a few hundred megabytes of RAM.
3. Compile the source and create a jar file (unimr-memcached.jar) from it (this may require additional jars from your Shibboleth IdP), or simply use the precompiled jar file (if available).
4. Then copy this jar to the lib subdirectory of your Shibboleth IdP's setup directory. Also copy the file lib/spymemcached-2.7.jar to that directory.
5. In your webapp/WEB-INF/web.xml, add the following lines below all the other filters:
<!-- Store the modified session object in the memcached storage service -->
<filter>
    <filter-name>UniMrMemcachedServletFilter</filter-name>
    <filter-class>unimr.shib2.UniMrMemcachedServletFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>UniMrMemcachedServletFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
6. In your conf/internal.xml, replace the bean "shibboleth.StorageService" with the following bean:
<bean id="shibboleth.StorageService" class="unimr.shib2.UniMrMemcachedStorageService" depends-on="shibboleth.LogbackLogging">
    <constructor-arg value="idp-memcached.example.org:11211" />
    <constructor-arg value="sha512" />
</bean>
The hostname:port of your memcached server is passed as a constructor argument and must be edited to fit your memcached setup. You may even use a space-separated list of servers here in order to spread the data over multiple instances of memcached (using a hash function). If one memcached server fails, its data is lost, but any affected session may still be alive within the local store of the IdP node which the user used to authenticate.
(This is why it is a good idea to have your load balancer stick to the "JSESSIONID" cookie.)
(A failover implementation with one active and several passive servers is not planned anymore, but you may have a look at "repcached", which is a memcached port that includes replication.)
As a second constructor argument, you may select a hashing algorithm which will be used for keys exceeding the memcached limit of 250 bytes:
a) "sha1" will calculate the 40 hex chars long SHA1 hash,
b) "sha512" (default) will calculate the 128 hex chars long SHA512 hash,
c) "sha1mixed" or "sha512mixed" will calculate the respective hash, but instead of replacing the whole key, only the end will be overwritten (so you get a semi-readable key for debugging purposes).
Implementation note: Regardless of the hashing algorithm you choose, there is no check for hash collisions. Each key will still be prepended by the StorageService's partition name (like "session", "transientId" or "replay"), and the regular keys generated by the IdP for session or transientId objects are much shorter than the memcached limit. Thus there is only a very small chance for the replay cache objects (their keys are based on the SAML message ID sent by the service provider, which may in some rare cases be of unreasonable length) to get overwritten by a hash collision.
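The key rewriting described above, modelled in Python as an added example (this is not the extension's Java code). It assumes ':' as the separator between partition name and key and that the 250-byte check applies to the combined key; the page states neither, and the "mixed" variant's exact cut point is likewise an assumption.

```python
import hashlib

# memcached protocol limit for key length, as stated on the page
MEMCACHED_MAX_KEY = 250


def hex_digest(data: bytes, algo: str) -> str:
    """Hex digest of data with "sha1" (40 chars) or "sha512" (128 chars)."""
    return hashlib.new(algo, data).hexdigest()


def memcached_key(partition: str, key: str, mode: str = "sha512") -> str:
    """Map a StorageService (partition, key) pair to the key sent to memcached.

    The partition name ("session", "transientId", "replay", ...) is prepended
    (assumption: with ':' as separator; the page does not name one).
    Only if the combined key exceeds 250 bytes is it rewritten:
      "sha1" / "sha512"           -> partition + ':' + hex digest of the key
      "sha1mixed" / "sha512mixed" -> readable head of the combined key, tail
                                     overwritten by the digest (250 bytes total)
    As on the page, there is no collision check.
    """
    if mode not in ("sha1", "sha512", "sha1mixed", "sha512mixed"):
        raise ValueError(f"unknown hashing mode: {mode}")
    full = f"{partition}:{key}".encode("utf-8")
    if len(full) <= MEMCACHED_MAX_KEY:
        return full.decode("utf-8")  # short key: stored unchanged
    algo = mode.replace("mixed", "")
    digest = hex_digest(key.encode("utf-8"), algo)
    if not mode.endswith("mixed"):
        return f"{partition}:{digest}"
    # keep as much of the original key as fits, overwrite the rest with the digest
    head = full[: MEMCACHED_MAX_KEY - len(digest)].decode("utf-8", "ignore")
    return head + digest


def is_oversized(partition: str, key: str) -> bool:
    """True if this key would be rewritten (the case INFO logging reports)."""
    return len(f"{partition}:{key}".encode("utf-8")) > MEMCACHED_MAX_KEY
```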
Please note: The "shibboleth.StorageServiceSweeper" in your file conf/internal.xml just stays in place, as it is needed to remove expired entries from UniMrMemcachedStorageService's local object cache.
7. Reinstall your Shibboleth IdP by calling the appropriate install.sh file.
8. Restart tomcat and everything should be fine.
To enable INFO, DEBUG or TRACE logging only for the new StorageService and servlet filter, add the following entry to your logging.xml configuration file:
<logger name="unimr.shib2" level="DEBUG" />
Finally, restart tomcat.
21-Jul-2011: Revision 151 - First release.
03-Nov-2011: Revision 179 - Second release (never published officially).
- Updated readme.
- Removed quick-fix for Shibboleth security advisory
http://shibboleth.internet2.edu/secadv/secadv_20110718.txt
(the quick-fix code was never reached AND did not fix the problem).
- Log events are now logged correctly under the respective class names
(unimr.shib2.UniMrMemcachedServletFilter and
unimr.shib2.UniMrMemcachedStorageService).
- Reworked the code (removed copy-paste areas and put the code into
methods, improved log output).
Thanks to Petra Berg from Humboldt University of Berlin, Germany.
16-May-2013: Revision 218 - Third release.
- Fixed an issue with IdP 2.4's new SLO functionality
(the SLO removes the session from the StorageService which lead to
a null-pointer exception in the UniMrMemcachedServletFilter when
retrieving the session, displaying only the default Shibboleth
error page).
04-Feb-2015: Current release.
- Added SHA1 / SHA512 hashing for oversized keys (exceeding the 250
bytes memcached limit).
The IdP Memcached StorageService is released under the Apache License, Version 2.0.
See http://www.apache.org/licenses/LICENSE-2.0
Manuel Haim, haim@hrz.uni-marburg.de