MemCached StorageService Compatibility

Manuel Haim haim at hrz.uni-marburg.de
Wed Jan 11 14:13:43 GMT 2012


Hi Esmeralda,

thank you for sending your logs. Now, I will see what I can do.

Did x509 authentication work for you before, i.e. without the Memcached
StorageService?

I am still confused that there is no error message in your logs, but the
log lines seem to tell me the x509 authentication itself is working
correctly. The client certificate is read, and its principal is put into
the Subject (which will later be read by the attribute resolver).

Then I see some output from the Memcached StorageService. The only line
which seems to be suspicious to me is

10:39:40.769 - DEBUG
[edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:94] -
storageService.contains: session!CN=ESMERALDA ...

as it should be followed by a line like "contained global" or "contained
nowhere", but it is not.

Could you send me some more lines, maybe a complete login attempt? I
need to see the point where the IdP fails, so I may have a guess where
things start to go wrong... it would also be helpful if you enabled
TRACE mode in logging.xml, just replace "INFO" with "TRACE" in this line:

<logger name="edu.internet2.middleware.shibboleth" level="TRACE" />


> Do we have to update or change something on the configuration of x509
> login handler similar to what we have done on login.config

No. Looking at the X509LoginServlet.java source code and your logs, only
a javax.security.auth.x500.X500Principal (which is serializable) is
added to the Subject. This should not be a problem.


> Another issue that I notice, when I run tomcat shutdown.sh some java
> process ( I think clients of memcached //usr/local/jdk1.6.0_29/bin/java
> -Djava.util.logging.config.file=/usr/local/apache-tomcat-6.0.33/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoade ) do not die.

That is true, the Memcached connection is not closed automatically.
However, when you shut down tomcat, all resources are freed, and this
one is reported as a "possible memory leak". It would be one, if you
only restarted the IdP webapp and not the whole servlet container (i.e.
tomcat). According to the Shibboleth team, the IdP is not intended to be
restarted itself, but you should always restart the servlet container.

In our current development, we added the following code to the
UniMrMemcachedStorageService constructor to circumvent this problem (not
yet sure if this already works):

Runtime.getRuntime().addShutdownHook(new Thread(new Runnable() {
  public void run() {
    client.shutdown(); // shutdown the memcached client
  }
}));


-Manuel
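
Added example (not part of the original message, and not Shibboleth or UniMr code): a small Python check that scans an IdP log for `storageService.contains` lookups that are not followed by a "contained global" or "contained nowhere" entry, the symptom described above. The log layout is assumed from the single line quoted in the message; the sample entries, the `constructed.Logger` name and the `CN=ALICE`/`CN=BOB` keys are constructed.

```python
import re

# Assumed layout, inferred from the one line quoted in the message:
#   HH:MM:SS.mmm - LEVEL [logger:line] - message
STAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d{3} - ")
ENTRY = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) - (\w+)\s*\[([^\]]+)\]\s*-\s*(.*)$")
OUTCOMES = ("contained global", "contained nowhere")

# Constructed sample; the third entry is wrapped the way the mail client wrapped it.
SAMPLE = """\
10:39:40.700 - DEBUG [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:94] - storageService.contains: session!CN=ALICE
10:39:40.701 - DEBUG [constructed.Logger:1] - contained global
10:39:40.769 - DEBUG
[edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:94] -
storageService.contains: session!CN=BOB
10:39:41.002 - INFO [constructed.Logger:2] - unrelated entry
""".splitlines()

def join_wrapped(lines):
    """Merge continuation lines (no leading timestamp) into the previous entry."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def unanswered_contains(lines):
    """Return (timestamp, key) for each contains lookup whose next entry
    does not report one of the expected outcomes."""
    parsed = [m for m in map(ENTRY.match, join_wrapped(lines)) if m]
    findings = []
    for i, m in enumerate(parsed):
        msg = m.group(4)
        if not msg.startswith("storageService.contains:"):
            continue
        key = msg.split(":", 1)[1].strip()
        # A lookup that is the last entry in the file also counts as unanswered.
        following = parsed[i + 1].group(4) if i + 1 < len(parsed) else ""
        if not any(outcome in following for outcome in OUTCOMES):
            findings.append((m.group(1), key))
    return findings

if __name__ == "__main__":
    for stamp, key in unanswered_contains(SAMPLE):
        print(f"{stamp}: lookup of {key!r} has no outcome line")
```

The check only looks at the immediately following entry, so on a busy IdP with interleaved request threads it can flag lookups whose outcome was logged a few entries later.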


