Hi Ray,

Thank you for looking at this problem.

After the TGT times out, CAS continually tries to perform a purge of the TGT 
and writes out the following message over and over until it reaches the maximum 
lifetime. This is a problem just due to the volume of messages that are being 
generated for each user.

[INFO] 2018-02-19 08:38:52,239 org.apereo.cas.logout.DefaultLogoutManager 
performLogout - Performing logout operations for 
[TGT-**************************2JSFkHAz39-Poi85P7wTMGVm61SI0R0iSZMDzDU-2hxwuK4-login-test.fortlewis.edu]
[INFO] 2018-02-19 08:40:52,276 org.apereo.cas.logout.DefaultLogoutManager 
performLogout - Performing logout operations for 
[TGT-**************************2JSFkHAz39-Poi85P7wTMGVm61SI0R0iSZMDzDU-2hxwuK4-login-test.fortlewis.edu]
[INFO] 2018-02-19 08:42:52,306 org.apereo.cas.logout.DefaultLogoutManager 
performLogout - Performing logout operations for 
[TGT-**************************2JSFkHAz39-Poi85P7wTMGVm61SI0R0iSZMDzDU-2hxwuK4-login-test.fortlewis.edu]
[INFO] 2018-02-19 08:44:52,329 org.apereo.cas.logout.DefaultLogoutManager 
performLogout - Performing logout operations for 
[TGT-**************************2JSFkHAz39-Poi85P7wTMGVm61SI0R0iSZMDzDU-2hxwuK4-login-test.fortlewis.edu]

In our current production environment a CAS ticket is initially good for 4 
hours but if the user continues to interact with CAS enabled applications that 
CAS ticket’s lifetime is extendable up to 8 hours.  We are currently running 
4.0.3 in production and I have included a snippet from 
ticketExpirationPolicies.xml.  Does the same process I’ve described work in CAS 
5.2.2?

<!-- TicketGrantingTicketExpirationPolicy: Default as of 3.5 -->
    <!-- Provides both idle and hard timeouts, for instance 2 hour sliding 
window with an 8 hour max lifetime -->
    <bean id="grantingTicketExpirationPolicy" 
class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
          p:maxTimeToLiveInSeconds="${tgt.maxTimeToLiveInSeconds:28800}"
           p:timeToKillInSeconds="${tgt.timeToKillInSeconds:14400}"/>

We do have “Remember Me” turned off.

-Gary


From: cas-user@apereo.org<mailto:cas-user@apereo.org> 
[mailto:cas-user@apereo.org] On Behalf Of Ray Bon
Sent: Friday, February 16, 2018 4:41 PM
To: cas-user@apereo.org<mailto:cas-user@apereo.org>
Subject: Re: [cas-user] CAS 5.2.2-snapshot identifies expired TGTs and 
erroneously reports they are deleted.

Gary,

My understanding of ehcache is that it performs a wholesale cleanup. Based on 
your settings I would expect the checks would happen every 4 minutes.
Do you have multiple servers?
Each server will do its own routine checks on its own clock. The actions of 
some of those checks will be communication with peers. I could see ehcache 
holding a ticket until maxTimeToLiveInSeconds is reached, just because a ticket 
is expired does not mean that it should be purged from the cache.

Are you saying that after 240 seconds the TGT can still be used?
That would be a CAS bug. If you just expect the tickets to be gone, that is an 
ehcache issue.

Do you use 'remember me' option or is the longest a TGT can be used 240 seconds?
If the latter, then set maxTimeToLiveInSeconds to the same value as 
timeToKillInSeconds.

Ray

On Fri, 2018-02-16 at 22:08 +0000, Maxwell, Gary wrote:
We are still experiencing a problem with the expiration of TGT's  Ehache. The 
“timeToKillInSeconds” value seems to have no effect on removing the TGT from 
Ehcache temp folder. The TGT entries are not deleted until the 
“maxTimeToLiveInSeconds” is reached. The attached log illustrates that CAS 
detects the TGT is expired and the TGT is removed however these same messages 
are written again every 2 minutes. We observe that the file still exists in the 
temp ehcache folder and does not get deleted until the “maxTimeToLiveInSeconds” 
is reached.

We are currently using 5.2.2-SNAPSHOT within a two server HA environment

cas.ticket.tgt.maxTimeToLiveInSeconds=28800
cas.ticket.tgt.timeToKillInSeconds=240

cas.ticket.registry.ehcache.replicateUpdatesViaCopy=true
cas.ticket.registry.ehcache.cacheManagerName=ticketRegistryCacheManager
cas.ticket.registry.ehcache.replicatePuts=true
cas.ticket.registry.ehcache.replicateUpdates=true
cas.ticket.registry.ehcache.memoryStoreEvictionPolicy=LRU
cas.ticket.registry.ehcache.configLocation=file:///opt/login-test/config/ehcache-replicated.xml
cas.ticket.registry.ehcache.maximumBatchSize=100
cas.ticket.registry.ehcache.shared=true
cas.ticket.registry.ehcache.replicationInterval=10000
cas.ticket.registry.ehcache.cacheTimeToLive=240
cas.ticket.registry.ehcache.diskExpiryThreadIntervalSeconds=0
cas.ticket.registry.ehcache.replicateRemovals=true
cas.ticket.registry.ehcache.maxChunkSize=5000000
cas.ticket.registry.ehcache.maxElementsOnDisk=0
cas.ticket.registry.ehcache.maxElementsInCache=0
cas.ticket.registry.ehcache.maxElementsInMemory=10000
cas.ticket.registry.ehcache.eternal=false
cas.ticket.registry.ehcache.loaderAsync=true
cas.ticket.registry.ehcache.replicatePutsViaCopy=true
cas.ticket.registry.ehcache.cacheTimeToIdle=240
cas.ticket.registry.ehcache.persistence=LOCALTEMPSWAP
cas.ticket.registry.ehcache.synchronousWrites=false

Any insight or thoughts would be great!

-Gary

.

--

Ray Bon

Programmer analyst

Development Services, University Systems

2507218831 | CLE 019 | r...@uvic.ca<mailto:r...@uvic.ca>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1518824432.1763.55.camel%40uvic.ca<https://groups.google.com/a/apereo.org/d/msgid/cas-user/1518824432.1763.55.camel%40uvic.ca?utm_medium=email&utm_source=footer>.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CY4PR03MB3014144098B916B75E656BA795C80%40CY4PR03MB3014.namprd03.prod.outlook.com.

Reply via email to