Scott, I'm working with Paul on this one, and yes this is exactly what we're seeing happen with uPortal & CAS. I think there is a valid need in the cas/uportal communities to extend CAS timeout for various PGT usage.
I currently believe a "soft timeout" policy based on PGT usage would be a plausible method to resolve this issue. But in reading past discussions, some think this idea goes against the fundamentals of CAS SSO. We've brainstormed a couple of ideas to tackle this issue (input on these ideas welcomed!):

- Extend ticket timeout. This is not plausible for a number of business reasons, as when someone doesn't use a service, we want them to expire in 2hrs. The issue stems from the fact that we (& I'd go out on a limb and say the uPortal community) consider PT usage a usage of service (uPortal expects PGT & PT usage in their portlets, but no ability to update the root service ticket.)
- Have portlets in uPortal create cas service requests for "fake" (random, unique) new services. This would extend CAS timeout, but is essentially an abuse of CAS service.
- Create a "soft timeout" policy. There are two major questions about this idea:
  -- Does this really go against fundamentals of CAS? I currently don't see how it would, but I'm all ears...
  -- When and where would we extend root credential timeout? One option would be to extend the timeout when a PGT is used to generate a ticket, whereas another method is to extend when a PT is used. There are plusses and minuses to both.

--
Raymond Walker
Software Systems Engineer Sr.
ITS
Northern Arizona University

-----Original Message-----
From: Scott Battaglia <[email protected]>
Reply-To: <[email protected]>
Date: Sat, 5 Mar 2011 00:22:09 -0500
To: <[email protected]>
Cc: Adam Rybicki <[email protected]>
Subject: Re: [cas-user] [uportal-user] Portlets can't get CAS proxy tickets after 2 hours

> The timeout policy configured should be for a period of inactivity. My guess as to what the issue is would be that proxy granting tickets don't affect the parent, so even though you're "using" the proxy granting ticket, it's not considered as "using" the parent ticket. So the parent ticket eventually expires due to what it perceives to be inactivity.
>
> Cheers,
> Scott
>
> On Fri, Mar 4, 2011 at 8:34 PM, Adam Rybicki <[email protected]> wrote:
>
> Paul,
>
> I think that this is more of a CAS topic than uPortal. I think that people on that list might have more insight than I. I am sending a copy there.
>
> Adam
>
> On 3/4/2011 14:30, Paul Gazda wrote:
> Hello again, Adam.
> Unfortunately, we have been unable to find a CAS policy that allows a soft timeout. Are we missing something? Here is what our CAS admin says:
>
> Adam says, "Could it be that your TGT expiration policy is simply 2 hours?"
>
> This is indeed the case. In our "ticketRegistry.xml" we use the default "TimeoutExpirationPolicy" with a value of 2 hrs. Documentation of various included policies can be found at:
>
> https://wiki.jasig.org/display/CASUM/Ticket+Expiration+Policy
>
> While over there, I checked out the "ThrottledUseAndTimeoutExpirationPolicy" policy, as its wording made me think that it proposed a "soft timeout" as per its wording: "Maximum amount of inactivity in ms from the last time the ticket was used beyond which it is considered expired". After testing, I find that this is not the case. This policy acts exactly like the default "TimeoutExpirationPolicy" with the addition of throttling.
>
> Paul Gazda
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Paul Gazda
> Sent: Friday, March 04, 2011 9:16 AM
> To: [email protected]
> Subject: RE: [uportal-user] Portlets can't get CAS proxy tickets after 2 hours
>
> Hi Adam.
> Thanks very much for this tip. I have forwarded it to our team member who administers CAS. We currently have a hard timeout of 2 hours for CAS and weren't aware there was a soft timeout option. We are going to test the soft timeout policy. This may be the solution to our problem.
>
> Paul Gazda
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Adam Rybicki
> Sent: Tuesday, March 01, 2011 6:47 PM
> To: [email protected]
> Subject: Re: [uportal-user] Portlets can't get CAS proxy tickets after 2 hours
>
> Paul,
>
> That is an interesting use case. PGT is sort of like the TGT. The default CAS ticket expiration policy for those should be 2 hours of inactivity. When the portlets continue getting proxy tickets by presenting uPortal's PGT to CAS, I would expect CAS to reset the timeout on the PGT. Could it be that your TGT expiration policy is simply 2 hours? Or is it a CAS bug?
>
> Adam
>
> On 2/28/2011 7:21, Paul Gazda wrote:
> Benito,
> Thanks for the suggestion. I can't find those files anywhere in the uP3 source. I'm guessing you are referring to the cas implementation itself and changing how long tickets last before expiring. If that is the case, we have talked about that option here, and do not want to extend the life of CAS tickets for security reasons. I think what we need to do is renew the proxy ticket. This was relatively easy to do with an IChannel in uP2, but the portlet api seems to have made it impossible.
>
> Paul Gazda
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Benito J. Gonzalez
> Sent: Friday, February 25, 2011 5:23 PM
> To: [email protected]
> Subject: Re: [uportal-user] Portlets can't get CAS proxy tickets after 2 hours
>
> My guess is that you want to look at the following two files:
>
> cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml
> cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml
>
> Benito J. Gonzalez
> Manager, Enterprise Web Application Development
> Information Technology Department
> University of California, Merced
> Desk: 209.228.2974
> Cell: 209.201.5052
> Email: [email protected]
>
> On 02/25/11 15:51, Paul Gazda wrote:
> We are implementing uP 3.2, and have several portlets that use CAS proxy tickets. I have read the doc at https://wiki.jasig.org/display/UPM32/Portlets+using+Proxy+CAS and I am getting a new CAS proxy ticket every time I request the userInfo map thus:
>
> Map userInfo = (Map)request.getAttribute(PortletRequest.USER_INFO);
>
> That is wonderful, and it works just fine for 2 hours until the CAS PGT from the framework expires and the userInfo map starts returning null for the proxy tickets. How can I get the PGT refreshed so I can get valid proxy tickets again? The portal session timeout is 2 hours, but it is reset every time there is user activity, so quite often a uportal session exceeds 2 hours, which means the proxy tickets turn into nulls, which breaks every portlet that relies on them.
>
> Paul Gazda
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/uportal-user

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
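Added illustration, not CAS or uPortal code, of the behaviour Scott describes and of Raymond's "extend the root when a PGT is used" option: a toy TGT -> PGT -> PT model in which issuing a PT either leaves the root ticket's activity untouched (plain inactivity policy) or refreshes it (soft timeout). The 8-hour absolute cap is an assumption added so the soft variant bounds how long a proxying service can prolong a session without the user being present.

```python
"""Toy model of CAS ticket lineage (TGT -> PGT -> PT) under an inactivity
timeout. Constructed illustration, not CAS code."""
from dataclasses import dataclass
from typing import Optional

INACTIVITY = 2 * 3600  # the thread's 2-hour TimeoutExpirationPolicy, in seconds
HARD_CAP = 8 * 3600    # assumed absolute bound added to the soft variant


@dataclass
class Ticket:
    tid: str
    created: float
    last_used: float
    parent: Optional["Ticket"] = None

    def root(self) -> "Ticket":
        return self if self.parent is None else self.parent.root()

    def expired(self, now: float, soft: bool) -> bool:
        # The soft variant also enforces an absolute cap, so a proxying
        # service can extend the root session but never keep it alive forever.
        if soft and now - self.created > HARD_CAP:
            return True
        return now - self.last_used > INACTIVITY


def grant_pt(pgt: Ticket, now: float, soft: bool) -> Optional[Ticket]:
    """A portlet presents its PGT for a PT. Plain policy: only the PGT's
    last_used moves, so the root TGT still idles out. Soft policy: the root
    is touched too (Raymond's "extend when a PGT is used" option)."""
    root = pgt.root()
    if pgt.expired(now, soft) or root.expired(now, soft):
        return None
    pgt.last_used = now
    if soft:
        root.last_used = now
    return Ticket(f"PT-{int(now)}", now, now, pgt)


def simulate(soft: bool, hours: int = 10) -> list:
    """Login at t=0, then a portlet asks for a PT every 30 min; True = issued."""
    tgt = Ticket("TGT-1", 0.0, 0.0)
    pgt = Ticket("PGT-1", 0.0, 0.0, tgt)
    return [grant_pt(pgt, h * 1800.0, soft) is not None
            for h in range(1, hours * 2 + 1)]
```

Under the plain policy the portlet's PT requests stop succeeding after the fourth (the 2-hour mark Paul observed) even though the PGT was used every 30 minutes; under the soft variant they succeed until the assumed cap, which is the trade-off the thread is weighing.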
