Grepping through what I have, I can confirm that the tickets are being
removed, as I do have log statements like the following:
catalina.out.2.gz:2016-07-08 22:19:31,948 INFO
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <1 expired tickets
found and removed.>
catalina.out.2.gz:2016-07-08 22:21:32,004 INFO
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <2 expired tickets
found and removed.>
I'm using the default in memory registry, the default
tgt.maxTimeToLiveInSeconds + tgt.timeToKillInSeconds.
st.timeToKillInSeconds=60.
Other pretty bare bones defaults:
<alias name="serviceThemeResolver" alias="themeResolver" />
<alias name="jsonServiceRegistryDao" alias="serviceRegistryDao" />
<alias name="defaultTicketRegistry" alias="ticketRegistry" />
<alias name="ticketGrantingTicketExpirationPolicy"
alias="grantingTicketExpirationPolicy" />
<alias name="multiTimeUseOrTimeoutExpirationPolicy"
alias="serviceTicketExpirationPolicy" />
<alias name="anyAuthenticationPolicy" alias="authenticationPolicy" />
<alias name="acceptAnyAuthenticationPolicyFactory"
alias="authenticationPolicyFactory" />
Would you recommend perhaps a different ticket registry at this point
perhaps? I don't think I'm hitting the maximum amount of tickets that the
default ticket registry can hold by any means, since the maximum amount of
tickets I'm seeing expire is 20. Mostly it's between 0-2 tickets that are
expired, so I very much doubt the tickets being the memory bottleneck.
---
Before I posted the above, I dug a little and noticed a strange ~200
tickets being cleaned up a bit before the issue (an uptick in cleanup
tickets). Perhaps moving to a more robust ticket registry (not just in
memory) might actually help to mitigate then.
Are service tickets also being cleaned up with the same default ticket
registry? What tickets should show up in that 'expired' count? TGT only, or
TGT + STs?
For testing, I logged in to a test instance where the tgt expirey was set
to 10 seconds. 10 times: 15 expired tickets. I logged in 20 times. 29
expired tickets.
What other items are included in the expired count?
On Wednesday, July 20, 2016 at 2:31:37 AM UTC-7, Misagh Moayyed wrote:
>
> Does your log show that tickets are cleaned up successfully? Is your
> expiration policy set up to allow the cleaner to expire and clean tickets
> successfully?
>
> Without logs, it’s just a guessing game. My bet is, somehow you’ve run out
> of memory.
>
> --
> Misagh
>
> From: Jeffrey Wong <[email protected]> <javascript:>
> Reply: Jeffrey Wong <[email protected]> <javascript:>
> Date: July 19, 2016 at 3:10:05 PM
> To: CAS Community <[email protected]> <javascript:>
> Subject: [cas-user] After a month, no tickets created in 4.2.2?
>
> After about a month of working perfectly on 4.2.2 deployed to tomcat7,
> running under java8, randomly the in-memory ticketing system would not
> create any more tickets. Restarting the tomcat instance fixed it, but I'm
> wondering why CAS would randomly break on me after working so well! Using a
> LDAP (AD) backed user base with a mysql backed attribute DB. We have pretty
> minimal traffic, so I'm not sure why I am seeing issues after such a small
> amount of time.
>
> Despite having an <AsyncRoot level="error">, no errors have been thrown at
> the time of issue.
>
> Unfortunately, I've only had the org.springframework.jdbc logger set to
> debug, and all others at info, so I have very minimal logging around the
> issue.
>
> I'm noticing both the ldap auth AND the jdbc handlers returning without
> issues (no errors). ...But no tickets?
>
> Here's a sample of the logs:
>
> 2016-07-19 16:28:16,399 INFO
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
> <LdapAuthenticationHandler successfully authenticated user1>
> 2016-07-19 16:28:16,400 DEBUG [org.springframework.jdbc.core.JdbcTemplate] -
> <Executing prepared SQL query>
> 2016-07-19 16:28:16,400 DEBUG [org.springframework.jdbc.core.JdbcTemplate] -
> <Executing prepared SQL statement[SELECT
> ID,username,FirstName,LastName,Email FROM User WHERE UserName = ?]>
> 2016-07-19 16:28:16,400 DEBUG
> [org.springframework.jdbc.datasource.DataSourceUtils] - <Fetching JDBC
> Connection from DataSource>
> 2016-07-19 16:28:16,401 DEBUG
> [org.springframework.jdbc.datasource.DataSourceUtils] - <Returning JDBC
> Connection to DataSource>
> 2016-07-19 16:28:19,015 INFO
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
> <LdapAuthenticationHandler successfully authenticated user2>
> 2016-07-19 16:28:19,015 DEBUG [org.springframework.jdbc.core.JdbcTemplate] -
> <Executing prepared SQL query>
> 2016-07-19 16:28:19,015 DEBUG [org.springframework.jdbc.core.JdbcTemplate] -
> <Executing prepared SQL statement[SELECT
> ID,username,FirstName,LastName,Email FROM User WHERE UserName = ?]>
> 2016-07-19 16:28:19,015 DEBUG
> [org.springframework.jdbc.datasource.DataSourceUtils] - <Fetching JDBC
> Connection from DataSource>
> 2016-07-19 16:28:19,017 DEBUG
> [org.springframework.jdbc.datasource.DataSourceUtils] - <Returning JDBC
> Connection to DataSource>
>
> Immediately before this, I've seen tickets that are created (an audit log
> is posted that a ticket granting ticket has been created and validated, and
> all is good). There are no exceptions thrown between when the tickets were
> able to be created and when there was this bottleneck.
>
> On the front end, after the logs say 'success' without a ticket created,
> they are redirected to the main cas login page. Reproducing this is also
> difficult as it will stop intermittently, without warning.
>
> What are the best ways to debug or resolve these sorts of issues? What
> could be causing this issue?
>
> Thanks in advance,
> Jeff
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected] <javascript:>.
> To post to this group, send email to [email protected] <javascript:>.
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/23b96c4d-0997-4da1-9051-7ddf1560e8bb%40apereo.org
>
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/23b96c4d-0997-4da1-9051-7ddf1560e8bb%40apereo.org?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/a/apereo.org/d/optout.
>
>
--
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c879c072-5844-48af-8d62-ce868f6c738e%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
