On Mon, Aug 20, 2012 at 5:12 PM, Nathan Wilken <[email protected]> wrote:

> Observations:
>
> 1) I've noticed that JpaTicketRegistry#deleteTicket(String ticketId) deletes child service tickets when ticketId corresponds to a TGT, but that the same method in BerkeleyDbTicketRegistry, JBossCacheTicketRegistry, and MemCacheTicketRegistry do not.
>
> 2) JBossCacheTicketRegistry#needsCallback() and MemCacheTicketRegistry#needsCallback() both return true, but BerkeleyDbTicketRegistry#needsCallback() returns false.
>
> 3) CentralAuthenticationServiceImpl#validateServiceTicket(String ticketId, Service service) retrieves the granting ticket in order to extract the authenticated principal like so:
> serviceTicket.getGrantingTicket().getChainedAuthentications()....
>
> So, a couple of problems result, I think:
>
> A) For those using JBossCacheTicketRegistry or MemCacheTicketRegistry, it looks like a NullPointerException is possible in CentralAuthenticationServiceImpl#validateServiceTicket(...) if a user logs out before a service validates a corresponding service ticket, because AbstractDistributedTicketRegistry$TicketDelagator#getGrantingTicket() will return null.

This would definitely be bad. If you could open a JIRA issue for this, that would be great!

> B) For those using BerkeleyDbTicketRegistry, it looks like a service ticket could validate even after the TGT is deleted.

BerkeleyDB is no longer in the CAS distribution so this is now a non-issue :-)

Cheers,
Scott

> No big deal, probably.
>
> I'm scrutinizing this race condition because I'm working on RiakTicketRegistry#deleteTicket(String ticketId), trying to improve my implementation of deleteTicket()--specifically the quite expensive task of deleting unused child service tickets, which requires a map-reduce query. (Originally, I did needsCallback()-->false, for some reason.) My first approach was to expose a new method, TicketGrantingTicketImpl#getServiceTicketIds(), so I can iterate and delete ones that still exist without querying the registry.
>
> Now I notice it'd be much simpler to return true from needsCallback() and just leave service tickets orphaned. Our TGTs and STs are stored in Riak buckets which auto-expire objects anyway.
>
> -Nate
>
> --
> You are currently subscribed to [email protected] as: [email protected]
>
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
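The race Nate describes, modelled as an added example rather than CAS code: a registry whose TGT deletion does not cascade to its service tickets, a delegator-style getGrantingTicket() that returns null once the TGT is gone, and the validation step written both as the thread's NPE-prone form and as a fail-closed form that rejects an orphaned service ticket. All class and method names below are hypothetical simplifications of the ones named in the thread.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical, simplified model of the registries and validation path
// discussed in the thread; not code from the CAS project.
public class OrphanedServiceTicketDemo {

    // Minimal ticket types: a service ticket only holds its parent's id,
    // as a distributed-registry delegator would, rather than a reference.
    record TicketGrantingTicket(String id, String principal) {}
    record ServiceTicket(String id, String tgtId) {}

    // Registry with needsCallback()-style semantics: deleting a TGT does not
    // cascade to its service tickets, so they are left orphaned.
    static final Map<String, TicketGrantingTicket> tgts = new ConcurrentHashMap<>();
    static final Map<String, ServiceTicket> sts = new ConcurrentHashMap<>();

    // Mirrors the delegator's getGrantingTicket(): null once the TGT is gone.
    static TicketGrantingTicket getGrantingTicket(ServiceTicket st) {
        return tgts.get(st.tgtId());
    }

    // Unsafe variant: dereferences the granting ticket without a null check,
    // the NullPointerException path described for JBossCache/MemCache.
    static String validateUnsafe(String stId) {
        ServiceTicket st = sts.remove(stId);
        return getGrantingTicket(st).principal();
    }

    // Hardened variant: fail closed. A service ticket whose TGT no longer
    // exists is treated as invalid rather than throwing or validating.
    static String validateFailClosed(String stId) {
        ServiceTicket st = sts.remove(stId);
        if (st == null) throw new IllegalStateException("unknown service ticket " + stId);
        TicketGrantingTicket tgt = getGrantingTicket(st);
        if (tgt == null) {
            throw new IllegalStateException("TGT " + st.tgtId() + " already deleted; refusing " + stId);
        }
        return tgt.principal();
    }

    public static void main(String[] args) {
        // Constructed sample data: one TGT with two outstanding service tickets.
        tgts.put("TGT-1", new TicketGrantingTicket("TGT-1", "alice"));
        sts.put("ST-1", new ServiceTicket("ST-1", "TGT-1"));
        sts.put("ST-2", new ServiceTicket("ST-2", "TGT-1"));
        tgts.remove("TGT-1"); // user logs out before either service validates
        try { validateUnsafe("ST-1"); } catch (NullPointerException e) { System.out.println("unsafe: NPE"); }
        try { validateFailClosed("ST-2"); } catch (IllegalStateException e) { System.out.println("hardened: " + e.getMessage()); }
    }
}
```

The fail-closed variant also covers the BerkeleyDB case in the thread: a service ticket is never accepted on the strength of its own existence once its TGT has been deleted.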
