Paul,
I think that this is more of a CAS topic than uPortal. I think that
people on that list might have more insight than I. I am sending a copy
there.
Adam
On 3/4/2011 14:30, Paul Gazda wrote:
Hello again, Adam.
Unfortunately, we have been unable to find a CAS policy that allows a soft
timeout. Are we missing something? Here is what our CAS admin says:
Adam says, "Could it be that your TGT expiration policy is simply 2 hours?"
This is indeed the case. In our "ticketRegistry.xml" we use the default
"TimeoutExpirationPolicy" with a value of 2 hrs. Documentation of various
included policies can be found at:
https://wiki.jasig.org/display/CASUM/Ticket+Expiration+Policy
While over there, I checked out the
"ThrottledUseAndTimeoutExpirationPolicy" policy, as it's wording made me
think that it proposed a "soft timeout" as per it's wording: "Maximum
amount of inactivity in ms from the last time the ticket was used beyond
which it is considered expired" After testing, I find that this is not the
case. This policy acts exactly like the default "TimeoutExpirationPolicy"
with the addition of throttling.
Paul Gazda
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Paul Gazda
Sent: Friday, March 04, 2011 9:16 AM
To: [email protected]
Subject: RE: [uportal-user] Portlets can't get CAS proxy tickets after 2 hours
Hi Adam.
Thanks very much for this tip. I have forwarded it to our team member who
administers CAS. We currently have a hard timeout of 2 hours for CAS and
weren't aware there was a soft timeout option. We are going to test the soft
timeout policy. This may be the solution to our problem.
Paul Gazda
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Adam Rybicki
Sent: Tuesday, March 01, 2011 6:47 PM
To: [email protected]
Subject: Re: [uportal-user] Portlets can't get CAS proxy tickets after 2 hours
Paul,
That is an interesting use case. PGT is sort of like the TGT. The
default CAS ticket expiration policy for those should be 2 hours of
inactivity. When the portlets continue getting proxy tickets by
presenting uPortal's PGT to CAS, I would expect CAS to reset the timeout
on the PGT. Could it be that your TGT expiration policy is simply 2
hours? Or is it a CAS bug?
Adam
On 2/28/2011 7:21, Paul Gazda wrote:
Benito,
Thanks for the suggestion. I can't find those files anywhere in the uP3 source.
I'm guessing you are referring to the cas implementation itself and changing
how long tickets last before expiring. If that is the case, we have talked
about that option her, and do not want to extend the life of CAS tickets for
security reasons. I think what we need to do is renew the proxy ticket. This
was relatively easy to do with an IChannel in uP2, but the portlet api seems to
have made it impossible.
Paul Gazda
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Benito J. Gonzalez
Sent: Friday, February 25, 2011 5:23 PM
To: [email protected]
Subject: Re: [uportal-user] Portlets can't get CAS proxy tickets after 2 hours
My guess is that you want to look at the following two files:
cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml
cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml
Benito J. Gonzalez
Manager, Enterprise Web Application Development
Information Technology Department
University of California, Merced
Desk: 209.228.2974
Cell: 209.201.5052
Email: [email protected]
On 02/25/11 15:51, Paul Gazda wrote:
We are implementing uP 3.2, and have several portlets that use CAS
proxy tickets. I have read the doc at
https://wiki.jasig.org/display/UPM32/Portlets+using+Proxy+CAS and I am
getting a new CAS proxy ticket every time I request the userInfo map
thus:Map userInfo = (Map)request.getAttribute(PortletRequest.USER_INFO);
That is wonderful, and it works just fine for 2 hours until the CAS
PGT from the framework expires and the userInfo map starts returning
null for the proxy tickets. How can I get the PGT refreshed so I can
get valid proxy tickets again? The portal session timeout is 2 hours,
but it is reset every time there is user activity, so quite often a
uportal session exceeds 2 hours, which means the proxy tickets turn
into nulls, which breaks every portlet that relies on them.
Paul Gazda
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/uportal-user
---
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/uportal-user
---
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/uportal-user
---
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/uportal-user
---
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/uportal-user
---
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/uportal-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
