Sorry, there's a bit of a history to the problem that involved several
other ticket registries.

On CAS 3.5 we were using PostgreSQL, but when I upgraded to CAS 5.x I
switched to Hazelcast.  Which worked okay except that after three days
principal IDs start to become null after successful authentication.  We
thought it might be something with Hazelcast so we tried Dynamo which was
an instant bust as it complained about an empty string.  We then tried
Redis with AWS but the Setex command was being given a -1 for the ticket
expiration time.  So we tried MongoDB, which wasn't writing tickets.
PostgreSQL was the fall back, though my manager preferred I find something
more performant since the JPA driver can be a bit slow (not to mention the
need for 4+ triggers on the ticketgrantingticket table and another 2-3 on the
serviceticket table).

But now that I found that the ticket expiration time was the culprit, I
should be able to go forward with MongoDB or Redis.  Though the expiration
time problem does sound like a bug to me, but I'm not sure where to report
that.

--Mike K.

On Fri, Feb 9, 2018 at 1:03 PM, Uxío Prego <upr...@madiva.com> wrote:

> I’m a little lost now.
>
> Are you sure you need to waste that much energy investigating so many
> ticket registry alternatives? Shouldn’t you be trying to just assess the
> feasibility of using that database with which you feel more comfortable?
>
> To be more clear, let’s say it works better using MongoDB than PostgreSQL.
> If you already have a large body of PostgreSQL exposure, which you have
> demonstrated, even if MongoDB performs better there are chances your total
> cost of ownership will be smaller by using PostgreSQL.
>
> I’m sorry again I can’t help you, but with this energy and eagerness you
> seem to have I’m sure you aren’t going to have a lot of trouble with CAS
> once you focus on your problem. Or is it that your thing is to assess which
> one performs better? And if so, why not just ask that?
>
> Regards,
>
> On 9 Feb 2018, at 20:55, michael kromarek <mkroma...@gmail.com> wrote:
>
> So it turns out I already had the driver turned to debug, so no new
> information there.  But I did up the verbosity level of MongoDB log to 5
> and noticed that a write attempt for the TGT ticket wasn't even made
> (subsequent fetches were made though).
>
> I decided to try pulling down the latest maven overlay and move my
> settings over one by one to see what would cause the problem, and the culprit
> turned out to be
>
> cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=28800
>
>
> If I comment that out, it writes the ticket no problem.  If I set it, it
> fails creating the ticket and never writes it to or even attempts to write it
> to Mongo.  I think this is an error in the ExpirationPolicy class as I have
> also tried Redis and noticed it was writing the expiration time as -1.  -1
> is not acceptable to Redis so it won't make the record.  I also tried
> DynamoDB and noticed it was complaining about an empty string being written
> (which for whatever reason Dynamo does not like empty strings at all).  I'm
> thinking PostgreSQL didn't have a problem because the expiration policy is
> stored as a large object and it probably doesn't care what it is.
>
> --Mike K.
>
> On Wed, Feb 7, 2018 at 5:51 AM, michael kromarek <mkroma...@gmail.com>
> wrote:
>
>> I'll give that a shot and let you know what I find.
>>
>> Thank you.
>>
>> On Wed, Feb 7, 2018 at 5:31 AM, David Curry <david.cu...@newschool.edu>
>> wrote:
>>
>>> Ah - you just reminded me, and I should have mentioned this last time.
>>> Try adding this to your log4j2.xml:
>>>
>>> <AsyncLogger name="org.mongodb.driver" level="debug" />
>>>
>>>
>>> That's the actual Java driver.
>>>
>>> --Dave
>>>
>>>
>>> --
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR OF INFORMATION SECURITY*
>>> INFORMATION TECHNOLOGY
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>>
>>> On Wed, Feb 7, 2018 at 8:25 AM, michael kromarek <mkroma...@gmail.com>
>>> wrote:
>>>
>>>> Hi Dave,
>>>>
>>>> I actually tried those settings first (I was following your guide, but
>>>> only having a single server instead of a cluster for mongo).
>>>> Unfortunately, it fails in the same way with those settings too.  I might
>>>> be able to eke out a little more information if I set
>>>>
>>>> org.apereo.cas.ticket.registry.MongoDbTicketRegistry
>>>>
>>>> to debug in the logger, though I already have org.apero.cas and
>>>> com.mongo set to debug.
>>>>
>>>> --Mike K
>>>>
>>>> On Wed, Feb 7, 2018 at 5:15 AM, David Curry <david.cu...@newschool.edu>
>>>>  wrote:
>>>>
>>>>> Mike,
>>>>>
>>>>> The only thing that strikes me as odd in your settings is this one:
>>>>>
>>>>> cas.ticket.registry.mongo.collectionName=cas-ticket-registry
>>>>>
>>>>>
>>>>> The Mongo ticket registry uses multiple collections:
>>>>>
>>>>> proxyGrantingTicketsCollection
>>>>> proxyTicketsCollection
>>>>> samlArtifactsCache
>>>>> samlAttributeQueryCache
>>>>> serviceTicketsCollection
>>>>> ticketGrantingTicketsCollection
>>>>>
>>>>>
>>>>> So while I'm not sure if that setting is having any impact on your
>>>>> configuration at all, I suspect that if it _is_ having an impact, it's a
>>>>> negative one. Although, I don't see anything in the logs to suggest that
>>>>> it is -- the server seems to be using the "right" collection:
>>>>>
>>>>> 2018-02-07 00:46:30,159 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Locating collection name [ticketGrantingTicketsCollection] for ticket definition [org.apereo.cas.ticket.DefaultTicketDefinition@28556a8b[implementationClass=class org.apereo.cas.ticket.TicketGrantingTicketImpl,prefix=TGT]]>
>>>>> 2018-02-07 00:46:30,159 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Located MongoDb collection instance [ticketGrantingTicketsCollection]>
>>>>> 2018-02-07 00:46:30,160 DEBUG [org.mongodb.driver.protocol.command] - <Sending command {find : BsonString{value='ticketGrantingTicketsCollection'}} to database casdb on connection [connectionId{localValue:6, serverValue:68}] to server localhost:27017>
>>>>> 2018-02-07 00:46:30,161 DEBUG [org.mongodb.driver.protocol.command] - <Command execution completed>
>>>>>
>>>>> For what it's worth, mine is working on 5.2.2 using these settings
>>>>> (essentially the same as yours except I have a replica set):
>>>>>
>>>>> #
>>>>> # Components of the MongoDB connection string broken out for ease of editing.
>>>>> # See https://docs.mongodb.com/manual/reference/connection-string/
>>>>> #
>>>>> mongo.db:                               casdb
>>>>> mongo.rs:                               rs0
>>>>> mongo.opts:                             &ssl=true
>>>>> mongo.creds:                            mongocas:<redacted>
>>>>> mongo.hosts:                            casdev-srv01-lid.newschool.edu,casdev-srv02-lid.newschool.edu,casdev-srv03-lid.newschool.edu
>>>>>
>>>>> #
>>>>> # The connection string, assembled
>>>>> #
>>>>> mongo.uri:                              mongodb://${mongo.creds}@${mongo.hosts}/${mongo.db}?replicaSet=${mongo.rs}${mongo.opts}
>>>>>
>>>>> #
>>>>> # Ticket registry
>>>>> #
>>>>> cas.ticket.registry.mongo.clientUri:    ${mongo.uri}
>>>>>
>>>>> #
>>>>> # Service registry
>>>>> #
>>>>> cas.serviceRegistry.mongo.clientUri:    ${mongo.uri}
>>>>> cas.serviceRegistry.mongo.collection:   casServiceRegistry
>>>>>
>>>>>
>>>>>
>>>>> --Dave
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Feb 7, 2018 at 4:03 AM, Mike Kromarek <mkroma...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> I recently switched from the Postgresql JPA ticket registry to
>>>>>> MongoDB and am having a strange issue.  The authentication succeeds, but
>>>>>> then it fails to add the ticket to the mongo database, causing the
>>>>>> process to fail and return to the login screen.
>>>>>>
>>>>>> -- cas.properties --
>>>>>> cas.ticket.registry.mongo.host=localhost
>>>>>> cas.ticket.registry.mongo.userId=<redacted>
>>>>>> cas.ticket.registry.mongo.password=<redacted>
>>>>>> cas.ticket.registry.mongo.databaseName=casdb
>>>>>> cas.ticket.registry.mongo.collectionName=cas-ticket-registry
>>>>>> cas.ticket.registry.mongo.dropCollection=false
>>>>>> cas.ticket.registry.mongo.timeout=5000
>>>>>> cas.ticket.registry.mongo.writeConcern=NORMAL
>>>>>> cas.ticket.mongo.conns.lifetime=60000
>>>>>> cas.ticket.mongo.conns.perHost=10
>>>>>> cas.ticket.registry.mongo.idleTimeout=30000
>>>>>>
>>>>>>
>>>>>> CAS connects to the database with the specified user, makes all the
>>>>>> tables and seems like everything should be good.  Then it encodes the
>>>>>> TGT, but fails to add it.
>>>>>>
>>>>>>
>>>>>> 2018-02-07 00:46:30,024 DEBUG [org.apereo.cas.ticket.factory.DefaultTicketGrantingTicketFactory] - <Encoded ticket-granting ticket id [TGT-******************************************3wOfaglzGL-JNpegctV--qfA0S5-xCE-aws-stage-cas.highline.edu]>
>>>>>> 2018-02-07 00:46:30,025 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Adding ticket [TGT-******************************************3wOfaglzGL-JNpegctV--qfA0S5-xCE-aws-stage-cas.highline.edu]>
>>>>>> 2018-02-07 00:46:30,118 ERROR [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Failed adding [TGT-******************************************3wOfaglzGL-JNpegctV--qfA0S5-xCE-aws-stage-cas.highline.edu]: [java.lang.NullPointerException]>
>>>>>> 2018-02-07 00:46:30,118 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Publishing [org.apereo.cas.support.events.ticket.CasTicketGrantingTicketCreatedEvent@2c84b7f8[ticketGrantingTicket=TGT-******************************************3wOfaglzGL-JNpegctV--qfA0S5-xCE-aws-stage-cas.highline.edu]]>
>>>>>>
>>>>>> Has anyone else run into this?
>>>>>>
>>>>>> --Mike K
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> - Website: https://apereo.github.io/cas
>>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "CAS Community" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to cas-user+unsubscr...@apereo.org.
>>>>>> To view this discussion on the web visit https://groups.google.
>>>>>> com/a/apereo.org/d/msgid/cas-user/051a23e8-bb02-48a3-ab26-
>>>>>> 86b9a2fa3c40%40apereo.org
>>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/051a23e8-bb02-48a3-ab26-86b9a2fa3c40%40apereo.org?utm_medium=email&utm_source=footer>
>>>>>> .
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>
>


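Added example, not part of the thread and not CAS project code: a log triage script for the failure pattern in the quoted excerpt, where the registry logs "Failed adding" for a TGT and the created event is still published for it. The function name, the sample ticket ids and the second login are constructed; it assumes one log event per line, without the e-mail line wrapping.

```python
import re

# Constructed sample in the format of the log excerpt quoted in the thread;
# the ticket ids and the second (successful) login are made up.
SAMPLE_LOG = """\
2018-02-07 00:46:30,025 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Adding ticket [TGT-*****exampleAAAA-cas.example.org]>
2018-02-07 00:46:30,118 ERROR [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Failed adding [TGT-*****exampleAAAA-cas.example.org]: [java.lang.NullPointerException]>
2018-02-07 00:46:30,118 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Publishing [org.apereo.cas.support.events.ticket.CasTicketGrantingTicketCreatedEvent@2c84b7f8[ticketGrantingTicket=TGT-*****exampleAAAA-cas.example.org]]>
2018-02-07 00:47:02,400 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Adding ticket [TGT-*****exampleBBBB-cas.example.org]>
2018-02-07 00:47:02,431 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Publishing [org.apereo.cas.support.events.ticket.CasTicketGrantingTicketCreatedEvent@5d1c33aa[ticketGrantingTicket=TGT-*****exampleBBBB-cas.example.org]]>
"""

# timestamp, level, [logger] - <message>
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+\s+\[[^\]]+\] - <(?P<msg>.*)>$")
PATTERNS = (
    ("adding", re.compile(r"^Adding ticket \[(?P<id>[^\]]+)\]$")),
    ("failed", re.compile(r"^Failed adding \[(?P<id>[^\]]+)\]: \[(?P<exc>[^\]]+)\]$")),
    ("created", re.compile(
        r"CasTicketGrantingTicketCreatedEvent@\w+\[ticketGrantingTicket=(?P<id>[^\]]+)\]")),
)


def registry_write_failures(log_text):
    """Return one record per ticket whose registry write failed.

    'event_published' is True when the TGT-created event was logged for a
    ticket that never reached the registry: the user authenticated, but the
    next request cannot find the ticket and lands on the login page again.
    """
    tickets = {}
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # wrapped or foreign lines are skipped, not guessed at
        for kind, pattern in PATTERNS:
            hit = pattern.search(line["msg"])
            if not hit:
                continue
            rec = tickets.setdefault(hit["id"], {
                "ticket": hit["id"], "exception": None,
                "failed_at": None, "event_published": False})
            if kind == "failed":
                rec["exception"], rec["failed_at"] = hit["exc"], line["ts"]
            elif kind == "created":
                rec["event_published"] = True
            break
    return [rec for rec in tickets.values() if rec["exception"]]
```
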