cas configuration and ehcache manager

Posted on October 10, 2012 at 3:47am

Hi,

I'm configuring CAS on Jasper server pro (following the document Authentication Cookbook 4.0), but an exception is raised during the instanciation of the bean "ticketCacheManager", which says:

 

Caused by: net.sf.ehcache.CacheException: Another unnamed CacheManager already exists in the same VM. Please provide unique names for each CacheManager in the config or do one of following:
183470 1. Use one of the CacheManager.create() static factory methods to reuse same CacheManager with same name or create one if necessary
183471 2. Shutdown the earlier cacheManager before creating new one with same name.

 

Here the modification made to the 'applicationContext-security.xml' file (patch):

--- apache-tomcat/webapps/jasperserver-pro/WEB-INF/applicationContext-security.xml 2012-09-28 11:15:47.000000000 +0200
+++ apache-tomcat/webapps/jasperserver-pro/WEB-INF/applicationContext-security.xml 2012-09-28 11:16:41.000000000 +0200
@@ -12,12 +12,58 @@
         <property name="providers">
             <list>
                 <!-- not on by default <ref local="ldapAuthenticationProvider"/>  -->
-                <ref bean="${bean.daoAuthenticationProvider}"/>
+                <!-- CAS -->
+                <ref local="casAuthenticationProvider"/>
+                <!-- /CAS -->
                 <ref bean="anonymousAuthenticationProvider"/>
                 <!--ref local="jaasAuthenticationProvider"/-->
             </list>
         </property>
     </bean>
+
+    <!-- CAS -->
+    <bean id="casAuthenticationProvider"
+        class="org.springframework.security.providers.cas.CasAuthenticationProvider">
+        <property name="userDetailsService"><ref local="casUserAuthorityService"/></property>
+        <property name="serviceProperties"><ref local="authenticationServiceProperties"/>
+        </property>
+        <property name="ticketValidator">
+            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
+                <constructor-arg index="0" value="https://cas.example.net/cas" /></bean></property>
+        <property name="statelessTicketCache">
+            <bean class="org.springframework.security.providers.cas.cache.EhCacheBasedTicketCache">
+                <property name="cache"><ref local="ticketCache"/></property></bean></property>
+        <property name="key"><value>lam_or_lame</value></property>
+    </bean>
+
+    <bean id="authenticationServiceProperties"
+        class="org.springframework.security.ui.cas.ServiceProperties">
+        <property name="service">
+            <value>https://jasper.example.net/jasperserver-pro/j_spring_cas_security_check<...
+        <property name="sendRenew"><value>false</value></property>
+    </bean>
+
+    <bean id="ticketCacheManager"
+        class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
+        <property name="configLocation"><value>classpath:/ehcache-failsafe.xml</value></property>
+    </bean>
+
+    <bean id="ticketCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
+        <property name="cacheManager"><ref local="ticketCacheManager"/></property>
+        <property name="cacheName"><value>casTicketCache</value></property>
+    </bean>
+
+    <bean id="casUserAuthorityService"
+        class="com.jaspersoft.jasperserver.api.metadata.user.service.impl.UserDetailsServiceImpl">
+        <property name="adminUsers"><list>
+                <value>my_admin_user</value></list></property>
+        <property name="defaultAdminRoles"><list>
+                <value>ROLE_USER</value>
+                <value>ROLE_ADMINISTRATOR</value></list></property>
+        <property name="defaultInternalRoles"><list>
+                <value>ROLE_USER</value></list></property>
+    </bean>
+    <!-- /CAS -->
 
     <bean id="anonymousAuthenticationProvider" class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
         <property name="key"><value>foobar</value></property>
 
 
It seems that EhCache 2.5 used by Jasper does not allow anymore different caches with the same name. How can I fix this? I'm a rookie about Java technology, any help is welcome!
JasperReports® Server
sebastien.alix's picture
sebastien.alix
1
Joined: Oct 10 2012 - 3:24am
Last seen: 10 years 7 months ago

2 Answers:

Posted on October 18, 2012 at 4:20pm

Hello Sebastien,

Try making the following changes.  First, disable or remove the following bean:

+    <bean id="ticketCacheManager"

+        class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">

+        <property name="configLocation"><value>classpath:/ehcache-failsafe.xml</value></property>
+    </bean>

 

Then change the ticketCache bean to reference cacheManager instead of ticketCacheManager like this:

 

+    <bean id="ticketCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
+        <property name="cacheManager"><ref local="cacheManager"/></property>
+        <property name="cacheName"><value>casTicketCache</value></property>
+    </bean>

 

If you are using a commercial version, edit applicationContext-multitenancy-web.xml and comment out the bean "adhocUpgradeListener" if you run into a null pointer error related to hibernate after the above changes.

-Kris

 

kcollins's picture
kcollins
12379
Joined: Aug 30 2011 - 12:22pm
Last seen: 2 years 10 months ago
Hello Kris, First, thanks for your help. I applied the changes, and when I access the Jasper Report web page there is a new exception raised that I don't understand (not before, so I assume that the 'cacheManager' ref is found, because a wrong ref raises an exception as soon as the service start). Here a pastebin to this one: http://pastebin.com/xWJMbKVG (despite the '4.5.1' which appears in the installation path, it is actually a 4.7 which is installed). Regards,
sebastien.alix - 10 years 7 months ago
My apologies, there is an extra step if you are running the pro version. I've added this to my answer. You just need to comment out the 'adhocUpgradeListener' bean in applicationContext-multitenancy-web.xml. This should fix the problem.
kcollins - 10 years 7 months ago
Thank you Kris! It works like a charm with this last step. Have I missed a point in the documentation (an old one maybe)? Have a good day.
sebastien.alix - 10 years 7 months ago
show 1 more...
No, this is actually a 'defect' in 4.7/4.7.1. The engineers are still working on it, but its caused by an upgrade to ehcache as you suspected. At this point it looks like it will be mostly a documentation fix. The last bit you had to change (adhocUpgradeListener) is a separate issue caused by some bean dependencies. The adhocUpgradeListener attempts to upgrade any ad hoc reports to the new format. If you've already upgraded then this process should have already been done and you do not need this bean. Of course if you have a fresh install, it wouldn't matter anyway. Glad I could help!
kcollins - 10 years 7 months ago
add comment
Posted on October 22, 2012 at 8:43am

Hello,

I don't know if it is related to this (in the case it doesn't, I will create a new question), Jasper Reports is unable to authenticate my user account once the CAS makes the redirection. The user exists in Jasper Reports, and has the same ID used by the CAS.

There is the following output in logs:


22 oct. 2012 18:02:33 org.apache.catalina.core.ApplicationContext log
 INFO:
 *****************************************************
* Owasp.CsrfGuard Properties
*
* Logger: com.jaspersoft.jasperserver.api.security.JSCsrfLogger
* NewTokenLandingPage: /jasperserver-pro/login.html
* PRNG: SHA1PRNG
* SessionKey: JASPER_CSRF_SESSION_KEY
* TokenLength: 96
* TokenName: JASPER_CSRF_TOKEN
* Ajax: true
* Rotate: true
* TokenPerPage: true
* Action: org.owasp.csrfguard.action.Rotate
* Action: org.owasp.csrfguard.action.Redirect
*   Parameter: Page = /jasperserver-pro/login.html
* Action: org.owasp.csrfguard.action.Log
*   Parameter: Message = potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_messa    ge%)
*****************************************************

sebastien.alix's picture
sebastien.alix
1
Joined: Oct 10 2012 - 3:24am
Last seen: 10 years 7 months ago
Are you able to actually get into the JapserReports Server UI? You say its 'unable to authenticate my user', but what happens? You say the user exists in Jasper Reports, which sounds like you are logged into the UI as admin and looking at the users. The log snippet you posted is an INFO message from the csrf security. I'm not sure if its related, but either way I don't really think it tells you anything. Are you getting any errors in the jasperserver.log file?
kcollins - 10 years 7 months ago
Hello Kris, Sorry, I was unclear. In fact, I do my tests with two JasperReports servers: one standard (which works), and another one wich is patched to support CAS, and I start one at a time. Both use the same database. So, I created a user with the workable JasperReport server, then I started the CASsified one to test the new account. Except the mentioned error, I have no output. This error is raised once I am authenticated on the CAS, and that this last one redirects on the JasperReport web UI. Its like the JasperReport server didn't understand a request made by the CAS server?
sebastien.alix - 10 years 7 months ago
add comment
Feedback
randomness