2025-02-23 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Using memcached to realize CAS single sign-on cluster deployment
Reference information:
https://github.com/magro/memcached-session-manager/wiki/SetupAndConfiguration
https://code.google.com/archive/p/memcached-session-manager/wikis/SetupAndConfiguration.wiki
Load balancing:
Turning stateful interface requests into stateless ones is a problem we have to solve when implementing load balancing. Take the session state of the application interface as an example: the usual solution is to separate the session data from the application and keep the session data in one shared data source. A data source is simply the place where data is saved; the MySQL database we often use is one. For higher performance the data source is usually an in-memory database (memcached, redis). Whenever a user visits the application cluster, the request is assigned to an arbitrary node, and every node reads the session information from the same data source, which guarantees that the session state seen by the different nodes is consistent.

Software versions:

Application     Port    Version   Host IP
Nginx           8088    1.0.1     192.168.7.2
CAS-TomcatA     8089    7.0.35    192.168.7.3
n1:libevent             2.1.8     192.168.7.3
n1:memcached    22322   1.5.12    192.168.7.3
n1:magent       12000   1.5.12    192.168.7.3
CAS-TomcatB     8089    7.0.35    192.168.7.4
n2:libevent             2.1.8     192.168.7.4
n2:memcached    22322   1.5.12    192.168.7.4
n2:magent       12000   1.5.12    192.168.7.4
Application Architecture Diagram:
Implementation idea
CAS (Central Authentication Service) single sign-on relies on the ST (service ticket) check performed by spring-webflow and on the TGT (ticket-granting ticket): spring-webflow keeps its state in the session, while the TGT lives in in-memory data that is consulted during ST verification. Separating these two kinds of data from the application is the key to clustering CAS. On the TGT side, the Java class TicketRegistry performs the ST check.
Spring-webflow: based on Spring MVC, it implements the application's "flow", guiding the business logic through a fixed sequence of steps. Its data is saved in the server's session.
TicketRegistry: CAS tickets are stored in the TicketRegistry, which in turn lives in memory. CAS provides an extension point for distributed TicketRegistry implementations, org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry. By implementing it, data such as TGTs is put into the in-memory database.
There are only three main steps:
1. Install memcached and configure the magent agent
2. Session-sharing configuration
3. TicketRegistry in-memory data split configuration
First: install memcached and configure the magent agent
Both 192.168.7.3 and 192.168.7.4 need memcached and magent installed. The installation steps are shown for 192.168.7.3 only.
Brief introduction
When installing memcached you must first install its dependency, libevent. Libevent is a powerful cross-platform event notification library; memcached uses it to handle network events (connection requests, reads and writes) and to implement timers. Using libevent requires including the header file event.h and passing the -levent option when linking with GCC.
Download addresses
Libevent: https://libevent.org/
Memcached: http://memcached.org/downloads
The Baidu network disk download link is provided at the end of this article.
Install libevent and memcached
Create a new folder, put the libevent and memcached archives in it, and extract them; the result is shown below.
The libevent installation commands are as follows (run as root):
# tar -zxvf libevent-2.1.8-stable.tar.gz
# cd libevent-2.1.8-stable
# ./configure --prefix=/usr && make && make install
# chmod -R 755 /usr/include
The chmod command grants other users access to libevent, so non-root users can also use it. Github address of libevent: https://github.com/libevent/libevent
Screenshot of the execution result:
The memcached installation commands are as follows (run as root):
# tar -zxvf memcached-1.5.12.tar.gz
# cd memcached-1.5.12
# ./configure --with-libevent=/usr --prefix=/usr/local/memcached && make && make install
# chmod -R 755 /usr/local/memcached/
The chmod command grants other users access to memcached, so non-root users can also use it.
Screenshot of the execution result:
The startup command can be run by a non-root user:
# /usr/local/memcached/bin/memcached -d -m 256 -p 22322 -c 1024 -P /tmp/memcached.pid
There is no log output; the start succeeded if the process shows up in ps -ef | grep memcached. To see memcached's log details, append -vv >> /tmp/memcached.log 2>&1 to the command. There are three verbosity levels: v is the lowest, vv medium and vvv the most detailed.
Startup parameter description: -d starts memcached as a daemon. -m is the amount of memory allocated to memcached, in MB (default 64 MB). -p is the TCP port memcached listens on, preferably above 1024. -c is the maximum number of concurrent connections (default 1024). -P is the file in which memcached saves its pid.
Check the running status of memcached:
First connect to memcached with a command such as telnet 127.0.0.1 22322, then type stats to get the current memcached status. Leave the session with "ctrl+]" and then type quit to exit. Reference for interpreting the parameters: https://blog.csdn.net/andy_dou/article/details/84811715
Stop command: # kill -9 pid
magent installation:
1. Execute the following commands to unpack magent and patch its Makefile
# mkdir magent
# mv magent-0.5.tar.gz magent/
# cd magent/
# tar -zxvf magent-0.5.tar.gz
# /sbin/ldconfig
# sed -i "s#CFLAGS = -Wall -O2 -g#CFLAGS = -lrt -Wall -O2 -g#" Makefile
# sed -i "s#LIBS = -levent#LIBS = -levent -lm#g" Makefile
2. Modify the ketama.h file: add the following three lines at the very top of the file
#ifndef SSIZE_MAX
#define SSIZE_MAX 32767
#endif
3. Execute compilation command
# make
After successful compilation, the magent startup script is generated in this directory.
4. Execute the startup command
# ./magent -n 51200 -l 192.168.7.3 -p 12000 -s 192.168.7.3:22322 -b 192.168.7.4:22322
On the 192.168.7.4 host it is: ./magent -n 51200 -l 192.168.7.4 -p 12000 -s 192.168.7.4:22322 -b 192.168.7.3:22322. This makes the two memcached instances active and standby for each other.
Description of startup parameters:
-n maximum number of connections
-l the IP address the agent listens on, that is, the access IP of magent.
-p the port the agent listens on, that is, the access port of magent.
-s a master node behind the agent; several -s parameters can be given to proxy several master nodes.
-b a backup node behind the agent; several -b parameters can be given to proxy several backup nodes.
Use ./magent -help to query the full list of parameters.
5. Test magent Agent
Use "telnet 192.168.7.3 12000" to connect to the magent agent, insert data with "set test 0 0 2" followed by a two-byte value on the next line, and close the connection to port 12000. Then connect with "telnet 192.168.7.3 22322" and run "get test" to see whether the data is returned; connect with "telnet 192.168.7.4 22322" and run "get test" to see whether the result is the same. If both backends return the same data, the setup works.
As shown in the figure:
Second: session sharing configuration
Session sharing is implemented entirely by tomcat; the web application does not need to be modified. The Nginx load-balancing configuration is not covered in this article.
Upload the jar packages required for session sharing
Put the following jar packages under tomcat's lib directory. This article uses kryo for session serialization; other serialization implementations need different jar packages, but the method is the same. Kryo is said to be more efficient.
The related jar packages are:
asm-5.0.3.jar
kryo-3.0.3.jar
kryo-serializers-0.37.jar
memcached-session-manager-1.9.5.jar
memcached-session-manager-tc7-1.9.5.jar
minlog-1.3.0.jar
msm-kryo-serializer-1.9.5.jar
objenesis-2.1.jar
reflectasm-1.10.1.jar
spymemcached-2.12.0.jar
Modify the configuration file of tomcat
For the context.xml file in tomcat's conf directory, clear the default contents and copy the following code into context.xml. memcachedNodes is the memcached address; multiple memcached nodes are separated by ",".
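As an added example (not the article's own file), this is a complete conf/context.xml for the Tomcat on 192.168.7.3 that points memcached-session-manager 1.9.5 at the two magent proxies and selects the kryo transcoder. The node ids n1/n2, the sticky setting, the backup timeout and the ignore pattern are assumptions, not values from the article.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Tomcat conf/context.xml for the CAS node on 192.168.7.3 (added example, not the article's file) -->
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>

    <!-- memcachedNodes: "<nodeId>:<host>:<port>", comma separated. Here each entry is a
         magent proxy (port 12000) that mirrors writes to both memcached backends on 22322,
         so a session written through either proxy survives the loss of one memcached. -->
    <Manager className="de.javakaffee.web.msm.MemcachedBackupSessionManager"
             memcachedNodes="n1:192.168.7.3:12000,n2:192.168.7.4:12000"
             sticky="true"
             sessionBackupAsync="false"
             sessionBackupTimeout="1000"
             requestUriIgnorePattern=".*\.(ico|png|gif|jpg|css|js)$"
             transcoderFactoryClass="de.javakaffee.web.msm.serializer.kryo.KryoTranscoderFactory" />

    <!-- Sticky mode appends "-<nodeId>.<jvmRoute>" to the session id, which is the suffix
         the verification step below looks for. Optionally add failoverNodes="n1" on this
         host (and failoverNodes="n2" on 192.168.7.4) so each Tomcat backs up to the remote
         memcached first and only falls back to its local one. -->
</Context>
```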
Modify tomcat's conf/server.xml file
Modify the Engine tag in server.xml and add the attribute jvmRoute="tomcat1" to it, to distinguish the multiple tomcat instances.
Verify Session sharing
Use the following code to generate test.jsp and put the jsp into a project under tomcat's webapps where it can be accessed.
SessionID:
SessionIP:
SessionPort:
Visit the two tomcats separately. As long as the session id ends with a suffix like "-n1.tomcat1", session sharing is working; it is correct that the session ids on the two nodes are not identical. As shown in the figure below:
Third: write TicketRegistry in-memory data to memcached
1. Add the following jar packages to the CAS tomcat container under the path tomcat/webapps/cas_sso/WEB-INF/lib/:
asm-5.0.3.jar
cas-server-integration-memcached-3.5.1.jar
kryo-3.0.3.jar
minlog-1.3.0.jar
reflectasm-1.10.1.jar
spymemcached-2.12.0.jar
2. Modify the ticketRegistry.xml file in Tomcat under the path tomcat/webapps/cas_sso/WEB-INF/spring-configuration/ticketRegistry.xml: back up ticketRegistry.xml and create a new ticketRegistry.xml with the following contents.
Parameter description:
- memcached addresses; multiple addresses are separated by commas
- TGT timeout (seconds)
- ST timeout (seconds)
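An added example of the ticketRegistry.xml described above (not the article's own file): a Spring bean definition for MemCacheTicketRegistry from cas-server-integration-memcached 3.5.1 whose three constructor arguments are the memcached addresses, the TGT timeout and the ST timeout, in that order. The two timeout values are assumed placeholders, not values from the article.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/spring-configuration/ticketRegistry.xml (added example, not the article's file) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- MemCacheTicketRegistry replaces the default in-memory DefaultTicketRegistry so that
         TGTs and STs live in memcached and every CAS node sees the same tickets.
         Constructor arguments, in order:
           0: memcached addresses, host:port, comma separated (here the two magent proxies)
           1: TGT timeout in seconds   (assumed value; match ticketExpirationPolicies.xml)
           2: ST timeout in seconds    (assumed value; match ticketExpirationPolicies.xml) -->
    <bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.MemCacheTicketRegistry">
        <constructor-arg index="0" value="192.168.7.3:12000,192.168.7.4:12000" />
        <constructor-arg index="1" value="7200" />
        <constructor-arg index="2" value="10" />
    </bean>

    <!-- The default ticketRegistryCleaner bean is intentionally absent: memcached expires
         the tickets itself using the timeouts above. -->
</beans>
```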
3. Restart the applications and test
Use Nginx as the load balancer in front of the two CAS servers.
1. Access Nginx through the browser, log in, note which CAS node served the request, and stop that node.
2. Access Nginx through the browser again and check whether you have to log in. Normally no login is required; if that is the case, session sharing is working.
3. Access a CAS client through the browser; if it does not redirect to the single sign-on login page, the TGT data has been successfully shared through memcached.
Follow-up: security of memcached
A memcached instance can be used by anyone who can connect to its host and port, so exposing it to the Internet is very insecure. The magent proxy port (12000 here) accepts the same unauthenticated commands and must be protected in the same way. When using memcached, do not use the default port; change it to a port above 1024. There are generally three solutions to this problem, each with its own limitations; choose according to your own business needs.
1. Two network interfaces: the application service uses the external-network interface, and memcached listens only on the internal-network interface.
2. Set up a firewall: use the host's iptables to whitelist trusted sources and block untrusted access requests.
3. Enable SASL authentication in memcached. This feature is supported from version 1.4.3 onwards.
Attachment information
Link: https://pan.baidu.com/s/1aihl_abcNguh9QVNSAWwNA extraction code: 7r1r