Marvin,

Thanks for the response!

I'm not saying force TGTs to be validated all the time as a policy that
everyone has to live with but merely provide deployers the ability to turn
that feature on.

As for the "Connection broken / time out" issues, it seems that whenever a
TGT is being deleted and LogoutRequests are being transmitted, there is no
exception handling such that the process continues whenever an exception
arises during logout.  Let me rephrase this:

If I visited 5 services and decided to logout of CAS and an exception arises
while transmitting LogoutRequest #3, then CAS will not attempt to handle
LogoutRequests #4 and #5.  Not only does the user get an stack trace / error
page, but they will also still be logged in to services #4 and #5.  This is
also an issue.

Thoughts?
Andy


On 3/5/09 2:43 PM, "Marvin Addison" <[email protected]> wrote:

>> Provide ability to indicate that CAS should validate CASTGC cookies upon
>> login without service
> 
> Validating the contents of CASTGC should only reasonably happen
> whenever a service ticket is requested.  Your workaround of sending a
> dummy service ticket sounds reasonable provided that the real problem
> you identified is resolved.
> 
>> Refactor TGT implementation (org.jasig.cas.ticketTicketGrantingTicketImpl)
>> to transmit logout requests only to services that have had successfully
>> validated service tickets
> 
> You've identified a real problem here and I agree with your
> recommended solution.  The current implementation seems like an
> invitation for a resource leak in addition to the problem case you
> cited where connections time out at logout time.  I encourage you to
> open a Jira issue for this.
> 
>> Additional: We have been seeing higher network utilization,
>> which has manifested in the ³Too many open files² exceptions
>> on the CAS server due to the HTTP connections being made and
>> ³Connection broken / timed out² while transmitting logout
>> requests.
> 
> You didn't specifically ask for a solution to the above problem, but I
> thought I would recommend one anyway.  Have you tried decreasing
> HttpClient#connectionTimeout to something less than the 5s default?  I
> would think that a setting of 1-2s would be an eternity on most
> university networks.
> 
> M

-- 
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400


-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

Reply via email to