Observations:

1) I've noticed that JpaTicketRegistry#deleteTicket(String ticketId) deletes child service tickets when ticketId corresponds to a TGT, but that the same method in BerkeleyDbTicketRegistry, JBossCacheTicketRegistry, and MemCacheTicketRegistry does not.

2) JBossCacheTicketRegistry#needsCallback() and MemCacheTicketRegistry#needsCallback() both return true, but BerkeleyDbTicketRegistry#needsCallback() returns false.

3) CentralAuthenticationServiceImpl#validateServiceTicket(String ticketId, Service service) retrieves the granting ticket in order to extract the authenticated principal like so: serviceTicket.getGrantingTicket().getChainedAuthentications()....

So, a couple of problems result, I think:

A) For those using JBossCacheTicketRegistry or MemCacheTicketRegistry, it looks like a NullPointerException is possible in CentralAuthenticationServiceImpl#validateServiceTicket(...) if a user logs out before a service validates a corresponding service ticket, because AbstractDistributedTicketRegistry$TicketDelegator#getGrantingTicket() will return null.

B) For those using BerkeleyDbTicketRegistry, it looks like a service ticket could validate even after the TGT is deleted. No big deal, probably.

I'm scrutinizing this race condition because I'm working on RiakTicketRegistry#deleteTicket(String ticketId), trying to improve my implementation of deleteTicket()--specifically the quite expensive task of deleting unused child service tickets, which requires a map-reduce query. (Originally, I did needsCallback()-->false, for some reason.)

My first approach was to expose a new method, TicketGrantingTicketImpl#getServiceTicketIds(), so I can iterate and delete ones that still exist without querying the registry. Now I notice it'd be much simpler to return true from needsCallback() and just leave service tickets orphaned. Our TGTs and STs are stored in Riak buckets which auto-expire objects anyway.

-Nate
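The logout-before-validation ordering described in problem A, modelled as an added example that is not part of the original message and is not CAS source code. Every type and method name in it is hypothetical; it assumes a registry whose service tickets resolve their parent by id on each access and a logout that removes only the TGT.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Constructed model, not CAS source: every type and method name here is hypothetical.
public class OrphanedServiceTicketDemo {
    record Tgt(String id, String principal) {}
    record St(String id, String tgtId) {}

    // Stand-in for a distributed registry: tickets are stored by id and looked up on every access.
    static final Map<String, Tgt> tgts = new ConcurrentHashMap<>();
    static final Map<String, St> sts = new ConcurrentHashMap<>();

    // Resolves the parent from the registry, so it returns null once the TGT has been deleted.
    static Tgt getGrantingTicket(St st) {
        return tgts.get(st.tgtId());
    }

    // Logout that removes only the TGT and leaves child service tickets orphaned.
    static void logout(String tgtId) {
        tgts.remove(tgtId);
    }

    // Unguarded validation: dereferences the parent without checking it.
    static String validateUnguarded(String stId) {
        St st = sts.remove(stId);                 // service tickets are single-use
        return getGrantingTicket(st).principal(); // NullPointerException if the TGT is gone
    }

    // Guarded validation: an orphaned or unknown service ticket is an ordinary validation failure.
    static String validateGuarded(String stId) {
        St st = sts.remove(stId);
        if (st == null) throw new IllegalStateException("unknown service ticket " + stId);
        Tgt tgt = getGrantingTicket(st);
        if (tgt == null) throw new IllegalStateException("granting ticket gone for " + stId);
        return tgt.principal();
    }

    public static void main(String[] args) {
        tgts.put("TGT-1", new Tgt("TGT-1", "alice")); // constructed sample tickets
        sts.put("ST-1", new St("ST-1", "TGT-1"));
        sts.put("ST-2", new St("ST-2", "TGT-1"));
        logout("TGT-1"); // user logs out before either service validates
        try { validateUnguarded("ST-1"); }
        catch (NullPointerException e) { System.out.println("unguarded: NullPointerException"); }
        try { validateGuarded("ST-2"); }
        catch (IllegalStateException e) { System.out.println("guarded: " + e.getMessage()); }
    }
}
```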