
Concurrent session control with Spring Security + CAS SSO in multi nodes setup?

Following is my application's deployment configuration. No clustering is configured for webapp1 & webapp2, nor for CAS1 & CAS2. I totally rely on session stickiness to make sure the traffic from an end user is always served by the same server; however, I do configure ticket replication between CAS1 and CAS2 to guarantee that SSO works:

VIP1 +-- webapp1 --+ VIP2 +- CAS1  
     |             |      |
     +-- webapp2 --+      +- CAS2

I see lots of articles/blogs describing how to implement concurrent session control with Spring Security, and the following are the questions I have in mind.

1) I'd like to verify my understanding of concurrent session control with Spring Security and CAS SSO, so let's pretend we don't have webapp2 and CAS2. Based on my understanding, both the webapp's Spring Security and CAS have to be acknowledged for a user to successfully log in to the webapp. The webapp's Spring Security is acknowledged by adding an authentication into its security context, whereas CAS is acknowledged by adding a TGC cookie.
If I apply concurrent session control (invalidate the previous one) to both the webapp and CAS, then when UserA and UserB use the same login the following should happen:
1.1) UserA is authenticated successfully, so he receives a cookie from CAS and leaves an authentication in the webapp's Spring Security context.
1.2) Because UserB uses the same login, it is the second time the login is authenticated, so CAS will invalidate UserA.
1.3) When the webapp's Spring Security is acknowledged that the login is authenticated and finds out this is the second time the same login has been authenticated, the webapp's Spring Security invalidates UserA.
1.4) When UserA tries to access the webapp, the webapp's Spring Security redirects UserA to CAS.
1.5) CAS determines that the cookie brought by UserA is invalid, so UserA is asked to enter login credentials again.

So is this correct?

2) Say my understanding is correct, and let's put back webapp2 and CAS2 without clustering, as I mentioned at the beginning. If UserA is served by webapp1 and CAS1 whereas UserB is served by webapp2 and CAS2, I suppose the concurrent session control will not work in this case, and I need to implement a custom SessionRegistryImpl, ConcurrentSessionControlStrategy, and ConcurrentSessionFilter, correct?

Thank you for your time.

I have only worked with pre-authentication CAS, where CAS adds a header with authentication info, which you then resolve against CAS/LDAP.

Your analysis looks correct, and by looking at the Javadoc and source, you are almost there.

  • You need a custom SessionRegistry so you have a global location to keep track of the sessions (Hazelcast or a database).
  • You need a ConcurrentSessionControlStrategy, which will check if the limit of concurrent sessions is reached.
  • You will need a ConcurrentSessionFilter, so a user with an expired session will be logged out.

In addition, you need to set RegisterSessionAuthenticationStrategy on AbstractAuthenticationProcessingFilter, since the default is NullAuthenticatedSessionStrategy, which means that the SessionRegistry will not be called when sessions are created.
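A shared-store SessionRegistry of the kind the answer describes, written as an added example rather than the answer's own code. It assumes current Spring Security class names (ConcurrentSessionControlAuthenticationStrategy is the newer name of ConcurrentSessionControlStrategy) and uses a constructed in-memory ConcurrentHashMap where the real deployment would inject the Hazelcast or database-backed store.

```java
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;

/**
 * SessionRegistry backed by a ConcurrentMap shared by every webapp node, so a second
 * login handled by webapp2 can expire the session that webapp1 created. The no-arg
 * constructor uses a local ConcurrentHashMap (constructed stand-in) so the class compiles
 * alone; inject a cluster-backed map (a Hazelcast IMap implements ConcurrentMap) or
 * replace the map with a DB-backed DAO in the real setup.
 */
public class SharedSessionRegistry implements SessionRegistry {
    private final ConcurrentMap<String, SessionInformation> sessions;

    public SharedSessionRegistry(ConcurrentMap<String, SessionInformation> shared) {
        this.sessions = shared;
    }

    public SharedSessionRegistry() { this(new ConcurrentHashMap<>()); }

    @Override public List<Object> getAllPrincipals() {
        List<Object> principals = new ArrayList<>();
        for (SessionInformation s : sessions.values()) {
            if (!principals.contains(s.getPrincipal())) principals.add(s.getPrincipal());
        }
        return principals;
    }
    @Override public List<SessionInformation> getAllSessions(Object principal, boolean includeExpired) {
        List<SessionInformation> result = new ArrayList<>();
        for (SessionInformation s : sessions.values()) {
            if (s.getPrincipal().equals(principal) && (includeExpired || !s.isExpired())) result.add(s);
        }
        return result;
    }
    @Override public SessionInformation getSessionInformation(String id) { return sessions.get(id); }
    // Write the entry back after mutating it: a replicated map propagates puts, not in-place
    // changes to a value it handed out. The same applies to expireNow(), which the control
    // strategy calls on objects from getAllSessions(); a serialising store must persist that too.
    @Override public void refreshLastRequest(String id) {
        SessionInformation s = sessions.get(id);
        if (s != null) { s.refreshLastRequest(); sessions.put(id, s); }
    }
    @Override public void registerNewSession(String id, Object principal) {
        sessions.put(id, new SessionInformation(principal, id, new Date()));
    }
    @Override public void removeSessionInformation(String id) { sessions.remove(id); }
}
```

Wire it with `http.sessionManagement(sm -> sm.maximumSessions(1).sessionRegistry(registry).expiredUrl("/login?expired"))` plus an `HttpSessionEventPublisher` bean so logouts and container timeouts reach the registry on every node. If you construct `CasAuthenticationFilter` yourself, also call `setSessionAuthenticationStrategy(http.getSharedObject(SessionAuthenticationStrategy.class))` on it, otherwise the default `NullAuthenticatedSessionStrategy` applies and no session is ever registered.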
