Ray, Apparently the original issue got lost. Can you open a jira issue for this? We're already looking at serialization issues in 3.5 but we should see which ones we can resolve in 3.4.4.
The issue of proxy tgt/tgt timeout is unrelated to serialization issues. I'll comment on that later when I'm on a real keyboard. Cheers Scott Sent from my Verizon Wireless BlackBerry -----Original Message----- From: Ray Davison <[email protected]> Date: Mon, 08 Nov 2010 14:05:15 To: <[email protected]> Reply-To: [email protected] Subject: [cas-dev] ProxyGrantingTicket expiration policy/difficulties Back on March 20, 2010 and April 22, 2010, Mihir Patel pointed out a problem with ProxyGrantingTickets not being invalidated properly when the granting TGT was expired. He then showed a solution that modified the isExpired method in AbstractTicket. After many years of using CAS at Simon Fraser University, we finally had a project that will make heavy use of Proxy tickets, and almost immediately ran into similar, but more extensive, problems with PGTs. Part of the problem is similar to what Mihir found, but we ran into it from the other side. We had the PGT expiring even though the PGT and granting TGT were being kept alive. This problem was exactly the same as Mihir's, in that the serialization of the PGT in the Cache (MemCache in our case) broke the link with the granting TGT. We found another problem as well, and I am not sure if it was a design decision to have it work like it does, or an oversight. The problem is that if the PGT is being actively used, but the granting TGT is not then the TGT will eventually time out and render the PGT invalid. The application that has the PGT has no way of keeping the TGT alive. It seems to me that when a PGT is used to generate a PT, this should be registered as a use of the granting TGT as well. Because I didn't want to modify anything in the cas-server-core jar file, I "fixed" the problem in our MemCacheTicketRegistry.java module (which we had modified slightly anyway). I modified getTicket and updateTicket as you can see below. I don't pretend that this is the "right" way to fix the problems, but this is working for us. I think that the "right" solution is to not put the granting ticket in a ticket, but to put the granting ticket ID there instead. That way you would have to go back to the cache anytime you needed the granting ticket (that would solve Mihir's problem, and half of our problem). The other thing is to decide if changing the lastTimeUsed for a ticket should imply a similar change for any granting ticket(s). public Ticket getTicket(final String ticketId) { final Ticket t = (Ticket) this.client.get(ticketId); if (t == null) { return null; } /* * Because the ticket was reconstituted when it was retrieved from * the cache, so was the tickets parent, so the parent won't match * the cached version of the parent. To fix that, we retrieve the * parent now and replace the reconstituted version with that. */ AbstractTicket thisTicket = (AbstractTicket) t; TicketGrantingTicketImpl grantingTicket = (TicketGrantingTicketImpl) thisTicket.getGrantingTicket(); while (grantingTicket != null) { TicketGrantingTicketImpl gtFromCache = (TicketGrantingTicketImpl) this.client.get(grantingTicket.getId()); if (gtFromCache == null) return null; try { Field ticketGrantingTicketField = AbstractTicket.class.getDeclaredField("ticketGrantingTicket"); ticketGrantingTicketField.setAccessible(true); ticketGrantingTicketField.set(thisTicket ,gtFromCache); } catch (Exception e) { log.error("Unable to set ticketGrantingTicket field."); } thisTicket = gtFromCache; grantingTicket = (TicketGrantingTicketImpl) gtFromCache.getGrantingTicket(); } return getProxiedTicketInstance(t); } protected void updateTicket(final Ticket ticket) { if (ticket instanceof AbstractTicket) { long timeOut = ((AbstractTicket)ticket).getLastTimeUsed(); TicketGrantingTicketImpl grantingTicket = (TicketGrantingTicketImpl) ticket.getGrantingTicket(); while (grantingTicket != null) { try { Field lastTimeUsedField = AbstractTicket.class.getDeclaredField("lastTimeUsed"); lastTimeUsedField.setAccessible(true); lastTimeUsedField.setLong(grantingTicket, timeOut); handleSynchronousRequest(this.client.replace(grantingTicket.getId(), this.tgtTimeout, grantingTicket)); } catch (Exception e) { log.error("Unable to set lastTimeUsed field."); } grantingTicket = (TicketGrantingTicketImpl) grantingTicket.getGrantingTicket(); } } if (ticket instanceof TicketGrantingTicket) { handleSynchronousRequest(this.client.replace(ticket.getId(), this.tgtTimeout, ticket)); } if (ticket instanceof ServiceTicket) { handleSynchronousRequest(this.client.replace(ticket.getId(), this.stTimeout, ticket)); } } -- Ray Davison University Computing Services Simon Fraser University -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
