The timeout policy configured should be for a period of inactivity. My guess as to what the issue is would be that proxy granting tickets don't affect the parent so even though you're "using" the proxy granting ticket, its not considered as "using" the parent ticket. So the parent ticket eventually expires due to what it perceives to be inactivity.
Cheers, Scott On Fri, Mar 4, 2011 at 8:34 PM, Adam Rybicki <[email protected]> wrote: > Paul, > > I think that this is more of a CAS topic than uPortal. I think that people > on that list might have more insight than I. I am sending a copy there. > > Adam > > On 3/4/2011 14:30, Paul Gazda wrote: > >> Hello again, Adam. >> Unfortunately, we have been unable to find a CAS policy that allows a soft >> timeout. Are we missing something? Here is what our CAS admin says: >> >> Adam says, "Could it be that your TGT expiration policy is simply 2 >> hours?" >> >> This is indeed the case. In our "ticketRegistry.xml" we use the default >> "TimeoutExpirationPolicy" with a value of 2 hrs. Documentation of various >> included policies can be found at: >> >> https://wiki.jasig.org/display/CASUM/Ticket+Expiration+Policy >> >> >> While over there, I checked out the >> "ThrottledUseAndTimeoutExpirationPolicy" policy, as it's wording made me >> think that it proposed a "soft timeout" as per it's wording: "Maximum >> amount of inactivity in ms from the last time the ticket was used beyond >> which it is considered expired" After testing, I find that this is not the >> case. This policy acts exactly like the default "TimeoutExpirationPolicy" >> with the addition of throttling. >> >> Paul Gazda >> >> -----Original Message----- >> From: [email protected] [mailto: >> [email protected]] On Behalf Of Paul Gazda >> Sent: Friday, March 04, 2011 9:16 AM >> To: [email protected] >> Subject: RE: [uportal-user] Portlets can't get CAS proxy tickets after 2 >> hours >> >> Hi Adam. >> Thanks very much for this tip. I have forwarded it to our team member who >> administers CAS. We currently have a hard timeout of 2 hours for CAS and >> weren't aware there was a soft timeout option. We are going to test the soft >> timeout policy. This may be the solution to our problem. >> >> Paul Gazda >> >> >> >> -----Original Message----- >> From: [email protected] [mailto: >> [email protected]] On Behalf Of Adam Rybicki >> Sent: Tuesday, March 01, 2011 6:47 PM >> To: [email protected] >> Subject: Re: [uportal-user] Portlets can't get CAS proxy tickets after 2 >> hours >> >> Paul, >> >> That is an interesting use case. PGT is sort of like the TGT. The >> default CAS ticket expiration policy for those should be 2 hours of >> inactivity. When the portlets continue getting proxy tickets by >> presenting uPortal's PGT to CAS, I would expect CAS to reset the timeout >> on the PGT. Could it be that your TGT expiration policy is simply 2 >> hours? Or is it a CAS bug? >> >> Adam >> >> On 2/28/2011 7:21, Paul Gazda wrote: >> >>> Benito, >>> Thanks for the suggestion. I can't find those files anywhere in the uP3 >>> source. I'm guessing you are referring to the cas implementation itself and >>> changing how long tickets last before expiring. If that is the case, we have >>> talked about that option her, and do not want to extend the life of CAS >>> tickets for security reasons. I think what we need to do is renew the proxy >>> ticket. This was relatively easy to do with an IChannel in uP2, but the >>> portlet api seems to have made it impossible. >>> >>> Paul Gazda >>> >>> -----Original Message----- >>> From: [email protected] [mailto: >>> [email protected]] On Behalf Of Benito J. Gonzalez >>> Sent: Friday, February 25, 2011 5:23 PM >>> To: [email protected] >>> Subject: Re: [uportal-user] Portlets can't get CAS proxy tickets after 2 >>> hours >>> >>> My guess is that you want to look at the following two files: >>> >>> >>> cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml >>> >>> cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml >>> >>> Benito J. Gonzalez >>> Manager, Enterprise Web Application Development >>> Information Technology Department >>> University of California, Merced >>> Desk: 209.228.2974 >>> Cell: 209.201.5052 >>> Email: [email protected] >>> >>> >>> On 02/25/11 15:51, Paul Gazda wrote: >>> >>>> We are implementing uP 3.2, and have several portlets that use CAS >>>> proxy tickets. I have read the doc at >>>> https://wiki.jasig.org/display/UPM32/Portlets+using+Proxy+CAS and I am >>>> getting a new CAS proxy ticket every time I request the userInfo map >>>> thus:Map userInfo = (Map)request.getAttribute(PortletRequest.USER_INFO); >>>> >>>> That is wonderful, and it works just fine for 2 hours until the CAS >>>> PGT from the framework expires and the userInfo map starts returning >>>> null for the proxy tickets. How can I get the PGT refreshed so I can >>>> get valid proxy tickets again? The portal session timeout is 2 hours, >>>> but it is reset every time there is user activity, so quite often a >>>> uportal session exceeds 2 hours, which means the proxy tickets turn >>>> into nulls, which breaks every portlet that relies on them. >>>> >>>> Paul Gazda >>>> >>>> -- >>>> >>>> You are currently subscribed to [email protected] as: >>>> [email protected] >>>> To unsubscribe, change settings or access archives, see >>>> http://www.ja-sig.org/wiki/display/JSG/uportal-user >>>> >>> --- >>> You are currently subscribed to [email protected] as: >>> [email protected] >>> To unsubscribe, change settings or access archives, see >>> http://www.ja-sig.org/wiki/display/JSG/uportal-user >>> >>> --- >>> You are currently subscribed to [email protected] as: >>> [email protected] >>> To unsubscribe, change settings or access archives, see >>> http://www.ja-sig.org/wiki/display/JSG/uportal-user >>> >> --- >> You are currently subscribed to [email protected] as: >> [email protected] >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/uportal-user >> >> --- >> You are currently subscribed to [email protected] as: >> [email protected] >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/uportal-user >> >> --- >> You are currently subscribed to [email protected] as: >> [email protected] >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/uportal-user >> > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
