On 2010-11-08, at 2:47 PM, [email protected] wrote: > Ray, > > Apparently the original issue got lost. Can you open a jira issue for this? > We're already looking at serialization issues in 3.5 but we should see which > ones we can resolve in 3.4.4.
I have added this issue to Jira. > The issue of proxy tgt/tgt timeout is unrelated to serialization issues. I'll > comment on that later when I'm on a real keyboard. I know this is not related to serialization, and that is why I asked if this was an oversight or a design decision. If the latter, I think it was the wrong decision. Unless I am missing something, it means we can't use proxy tickets since there is no way for the application that has the PGT to keep the parent TGT alive. > Cheers > Scott > > Sent from my Verizon Wireless BlackBerry > > -----Original Message----- > From: Ray Davison <[email protected]> > Date: Mon, 08 Nov 2010 14:05:15 > To: <[email protected]> > Reply-To: [email protected] > Subject: [cas-dev] ProxyGrantingTicket expiration policy/difficulties > > Back on March 20, 2010 and April 22, 2010, Mihir Patel pointed out a problem > with ProxyGrantingTickets not being invalidated properly when the granting > TGT was expired. He then showed a solution that modified the isExpired method > in AbstractTicket. > > After many years of using CAS at Simon Fraser University, we finally had a > project that will make heavy use of Proxy tickets, and almost immediately ran > into similar, but more extensive, problems with PGTs. > > Part of the problem is similar to what Mihir found, but we ran into it from > the other side. We had the PGT expiring even though the PGT and granting TGT > were being kept alive. This problem was exactly the same as Mihir's, in that > the serialization of the PGT in the Cache (MemCache in our case) broke the > link with the granting TGT. > > We found another problem as well, and I am not sure if it was a design > decision to have it work like it does, or an oversight. The problem is that > if the PGT is being actively used, but the granting TGT is not then the TGT > will eventually time out and render the PGT invalid. The application that has > the PGT has no way of keeping the TGT alive. It seems to me that when a PGT > is used to generate a PT, this should be registered as a use of the granting > TGT as well. > > Because I didn't want to modify anything in the cas-server-core jar file, I > "fixed" the problem in our MemCacheTicketRegistry.java module (which we had > modified slightly anyway). I modified getTicket and updateTicket as you can > see below. I don't pretend that this is the "right" way to fix the problems, > but this is working for us. I think that the "right" solution is to not put > the granting ticket in a ticket, but to put the granting ticket ID there > instead. That way you would have to go back to the cache anytime you needed > the granting ticket (that would solve Mihir's problem, and half of our > problem). The other thing is to decide if changing the lastTimeUsed for a > ticket should imply a similar change for any granting ticket(s). > > public Ticket getTicket(final String ticketId) { > final Ticket t = (Ticket) this.client.get(ticketId); > if (t == null) { > return null; > } > /* > * Because the ticket was reconstituted when it was retrieved > from > * the cache, so was the tickets parent, so the parent won't > match > * the cached version of the parent. To fix that, we retrieve > the > * parent now and replace the reconstituted version with that. > */ > AbstractTicket thisTicket = (AbstractTicket) t; > TicketGrantingTicketImpl grantingTicket = > (TicketGrantingTicketImpl) thisTicket.getGrantingTicket(); > while (grantingTicket != null) { > TicketGrantingTicketImpl gtFromCache = > (TicketGrantingTicketImpl) this.client.get(grantingTicket.getId()); > if (gtFromCache == null) return null; > try { > Field ticketGrantingTicketField = > AbstractTicket.class.getDeclaredField("ticketGrantingTicket"); > ticketGrantingTicketField.setAccessible(true); > ticketGrantingTicketField.set(thisTicket > ,gtFromCache); > } catch (Exception e) { > log.error("Unable to set ticketGrantingTicket > field."); > } > > thisTicket = gtFromCache; > grantingTicket = (TicketGrantingTicketImpl) > gtFromCache.getGrantingTicket(); > } > > return getProxiedTicketInstance(t); > } > > protected void updateTicket(final Ticket ticket) { > if (ticket instanceof AbstractTicket) { > long timeOut = > ((AbstractTicket)ticket).getLastTimeUsed(); > TicketGrantingTicketImpl grantingTicket = > (TicketGrantingTicketImpl) ticket.getGrantingTicket(); > while (grantingTicket != null) { > try { > Field lastTimeUsedField = > AbstractTicket.class.getDeclaredField("lastTimeUsed"); > lastTimeUsedField.setAccessible(true); > > lastTimeUsedField.setLong(grantingTicket, timeOut); > > handleSynchronousRequest(this.client.replace(grantingTicket.getId(), > this.tgtTimeout, grantingTicket)); > } catch (Exception e) { > log.error("Unable to set lastTimeUsed > field."); > } > grantingTicket = (TicketGrantingTicketImpl) > grantingTicket.getGrantingTicket(); > } > } > if (ticket instanceof TicketGrantingTicket) { > > handleSynchronousRequest(this.client.replace(ticket.getId(), this.tgtTimeout, > ticket)); > } > > if (ticket instanceof ServiceTicket) { > > handleSynchronousRequest(this.client.replace(ticket.getId(), this.stTimeout, > ticket)); > } > } -- Ray Davison University Computing Services Simon Fraser University -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
