Interesting. Is this something you can reproduce? On Tuesday, March 14, 2023 at 9:49:38 PM UTC+4 richard.frovarp wrote:
> I'm on CAS 6.6.6. I had a SAML 2 service that was trying to pull > metadata from a remote URL. This request timed out (discovered a > firewall in the way). That ended up causing all of my other SAML 2 > services to time out as well. The CAS protocol services were just fine. > In my logs I see: > > 2023-03-14 11:02:05,949 ERROR [org.apereo.cas.util.HttpUtils] - <Connect > to hostname failed: connect timed out > DefaultHttpClientConnectionOperator.java:connect:151 > PoolingHttpClientConnectionManager.java:connect:376 > MainClientExec.java:establishRoute:393 > > > 2023-03-14 11:02:05,949 ERROR > [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.UrlResourceMetadataResolver] > > > - <NullPointerException > UrlResourceMetadataResolver.java:resolve:107 > SamlRegisteredServiceMetadataResolverCacheLoader.java:lambda$load$1:66 > Unchecked.java:lambda$function$21:878 > > > Since it timed out, there is no status line to get a status code for. > That caused the NPE. I see this error a few times, so I don't know if > CAS was doing a retry, or my browser was trying it. > > I also see a different set of errors for the same service: > > 2023-03-14 10:44:23,080 ERROR > [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] > > > - <No metadata resolvers could be configured for service Grouper Devel > with metadata location path > SamlRegisteredServiceMetadataResolverCacheLoader.java:load:72 > SamlRegisteredServiceMetadataResolverCacheLoader.java:load:31 > LocalLoadingCache.java:lambda$newMappingFunction$3:197 > > > 2023-03-14 10:44:23,080 WARN > [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] > > > - <No metadata could be found for [entityId]> > 2023-03-14 10:44:23,080 WARN > [org.apereo.cas.util.function.FunctionUtils] - <Cannot find metadata > linked to entityId > > AbstractSamlIdPProfileHandlerController.java:verifySamlAuthenticationRequest:497 > > AbstractSamlIdPProfileHandlerController.java:initiateAuthenticationRequest:315 > > AbstractSamlIdPProfileHandlerController.java:lambda$handleSsoPostProfileRequest$4:652 > > > 2023-03-14 10:44:23,080 ERROR [org.apereo.cas.web.support.WebUtils] - > <Cannot find metadata linked to entityId > > AbstractSamlIdPProfileHandlerController.java:verifySamlAuthenticationRequest:497 > > AbstractSamlIdPProfileHandlerController.java:initiateAuthenticationRequest:315 > > AbstractSamlIdPProfileHandlerController.java:lambda$handleSsoPostProfileRequest$4:652 > > While this was happening, my other SAML 2 services also timed out. > Guessing it has to do with the resolver being synchronized? A timeout > takes a while to happen, so that would hold up the other services that > were good anyway. The fix was to restart CAS. I don't know if the other > services were failing as this was continuing to try and timeout, or if > the NPE broke things enough. This happened on prod, so we hit the > restart pretty quickly. It was on a service that I used and I caused it, > so we detected it pretty quickly. > > It now can pull the metadata, so things are fine. However, I'm not super > thrilled with the idea of one service metadata refresh timing out > killing the rest of my SAML 2 services. I could come up with my own > caching method into git external to CAS, but as of right now, I'd prefer > if CAS was doing it. > > Richard > > -- You received this message because you are subscribed to the Google Groups "CAS Developer" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/fe092d69-51f1-46ce-a04f-b192e2db214en%40apereo.org.
