Hi Scott,

   I attach my login-webflow.

   I cannot see where in the flow the TGT is checked for expiration; the
only check I see is the existence of the ticket:

        <decision-state id="ticketGrantingTicketExistsCheck">
                <if test="${flowScope.ticketGrantingTicketId != null}"
then="hasServiceCheck" else="gatewayRequestCheck" />
        </decision-state>

    What I have in the logs is the following (I have removed the user, service
details and the SPNEGO token):

First login of user -> SPNEGO used, TGT is created:

2011-03-29 08:32:56,807 INFO  [STDOUT] 2011-03-29 08:32:56,807 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler
successfully authenticated the user which provided the following
credentials: user>
2011-03-29 08:32:56,807 INFO  [STDOUT] 2011-03-29 08:32:56,807 DEBUG
[org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver]
- <Attempting to resolve a principal...>
2011-03-29 08:32:56,807 INFO  [STDOUT] 2011-03-29 08:32:56,807 DEBUG
[org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver]
- <Creating SimplePrincipal for [user]>
2011-03-29 08:32:56,807 INFO  [STDOUT] 2011-03-29 08:32:56,807 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket
[TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] to
registry.>
2011-03-29 08:32:56,808 INFO  [STDOUT] 2011-03-29 08:32:56,808 DEBUG
[org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained
output token: <removed>
2011-03-29 08:32:56,808 INFO  [STDOUT] 2011-03-29 08:32:56,808 DEBUG
[org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action
'SpnegoCredentialsAction' completed execution; result is 'success'>
2011-03-29 08:32:56,808 INFO  [STDOUT] 2011-03-29 08:32:56,808 DEBUG
[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie
with name [CASTGC] and value
[TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
2011-03-29 08:32:56,808 INFO  [STDOUT] 2011-03-29 08:32:56,808 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
retrieve ticket
[TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
2011-03-29 08:32:56,808 INFO  [STDOUT] 2011-03-29 08:32:56,808 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket
[TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] found in
registry.>
2011-03-29 08:32:56,808 INFO  [STDOUT] 2011-03-29 08:32:56,808 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket
[ST-192-VqPUouVAzfP9UdSZeYeO-cas] to registry.>
2011-03-29 08:32:56,808 INFO  [STDOUT] 2011-03-29 08:32:56,808 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket
[ST-192-VqPUouVAzfP9UdSZeYeO-cas] for service [
http://service/j_spring_cas_security_check] for user [user]>
2011-03-29 08:32:56,959 INFO  [STDOUT] 2011-03-29 08:32:56,959 DEBUG
[org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated
service for: http://service/j_spring_cas_security_check>
2011-03-29 08:32:56,959 INFO  [STDOUT] 2011-03-29 08:32:56,959 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
retrieve ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas]>
2011-03-29 08:32:56,959 INFO  [STDOUT] 2011-03-29 08:32:56,959 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket
[ST-192-VqPUouVAzfP9UdSZeYeO-cas] found in registry.>
2011-03-29 08:32:56,959 INFO  [STDOUT] 2011-03-29 08:32:56,959 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket
[ST-192-VqPUouVAzfP9UdSZeYeO-cas] from registry>
So the first login is working as expected.


Some time after the TGT has expired:

2011-03-29 11:11:10,267 INFO  [STDOUT] 2011-03-29 11:11:10,267 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket
[TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] from
registry>
User that keeps the browser open tries to make another action in the app GUI:

2011-03-29 12:08:06,110 INFO  [STDOUT] 2011-03-29 12:08:06,110 DEBUG
[org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated
service for: http://service/j_spring_cas_security_check>
2011-03-29 12:08:06,111 INFO  [STDOUT] 2011-03-29 12:08:06,111 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
retrieve ticket
[TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>

but nothing more appears in the logs after that.

It seems that the browser is sending the cookie in order to retrieve the TGT
and the service; the server is trying to retrieve the ticket but no more
traces occur on the server side.

I think I'm going to enable DEBUG for the web flow category just to see if any
more traces occur.

I don't know if the modifications needed in order to detect ticket
expiration are already included in CAS server 3.4.7, and whether the effort to
include that in CAS 3.2 is nearly the same as migrating to the newer version.

I cannot see any specific flow state to check TGT expiration in version
3.4.7, but I have not reviewed all the code and my understanding of Spring
Web Flow is limited.

I would appreciate it if you could give me any more detail on the subject
or some more detailed indication of how to solve the incident.


Thanks in advance

Regards

On Thu, Mar 31, 2011 at 3:25 AM, Scott Battaglia
<[email protected]> wrote:

> You're quite behind on your CAS versions so any help we give will be
> limited.
>
> It's possible the "error" state of the flow is pointing to displaying the
> credentials form if the TGT is expired instead of where collecting
> credentials starts. You can try adjusting that.
>
> Cheers,
> Scott
>
>
>   On Wed, Mar 30, 2011 at 8:58 AM, J Lopez <[email protected]> wrote:
>
>>   Hi,
>>
>>   I have a working CAS server (version 3.2) that uses SPNEGO, X509
>> certificates and JAAS authentication against Kerberos (login credentials
>> view).
>>   When a TGT is expired due to TimeOutPolicy (default time 2 hours) the full
>> authentication flow is not triggered and the user ends up in the login
>> credentials form.
>>   My problem is that regular users (80% of staff) do not have
>> credentials enabled; they use certificates and/or SPNEGO authentication.
>>
>>   We are using a workaround of closing the browser and trying again to
>> access the application; then a correct login flow is executed and the user
>> logs into the application using SPNEGO or certificates.
>>
>>   Is there a method to prevent this behaviour when the TGT expires?
>>   Our security policies do not allow us to extend the TGT timeout policy.
>>   Is issue CAS-686 related to this?
>>
>>
>> Thanks in advance.
>> --
>> Regards.
>>
>> --
>> You are currently subscribed to [email protected] as: 
>> [email protected]
>>
>>
>> To unsubscribe, change settings or access archives, see 
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>


-- 
Regards.

<?xml version="1.0" encoding="UTF-8"?>
<flow xmlns="http://www.springframework.org/schema/webflow"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
          http://www.springframework.org/schema/webflow
          http://www.springframework.org/schema/webflow/spring-webflow-1.0.xsd">

	<var name="pcurl" class="java.lang.String" bean="passwordChangeUrl" />

	<start-state idref="initialFlowSetup"/>

	<action-state id="initialFlowSetup">
		<action bean="initialFlowSetupAction" />
		<transition on="success" to="ticketGrantingTicketExistsCheck" />
	</action-state>
	
	<decision-state id="ticketGrantingTicketExistsCheck">
		<if test="${flowScope.ticketGrantingTicketId != null}" then="hasServiceCheck" else="gatewayRequestCheck" />
	</decision-state>
    
	<decision-state id="gatewayRequestCheck">
		<if test="${externalContext.requestParameterMap['gateway'] != '' &amp;&amp; externalContext.requestParameterMap['gateway'] != null &amp;&amp; flowScope.service != null}" then="redirect" else="startAuthenticate" />
	</decision-state>
	
	<decision-state id="hasServiceCheck">
		<if test="${flowScope.service != null}" then="renewRequestCheck" else="viewGenericLoginSuccess" />
	</decision-state>
	
	<decision-state id="renewRequestCheck">
		<if test="${externalContext.requestParameterMap['renew'] != '' &amp;&amp; externalContext.requestParameterMap['renew'] != null}" then="startAuthenticate" else="generateServiceTicket" />
	</decision-state>
	
	<!-- 
		The "warn" action makes the determination of whether to redirect directly to the requested
		service or display the "confirmation" page to go back to the server.
	-->
	<decision-state id="warn">
		<if test="${flowScope.warnCookieValue}" then="showWarningView" else="redirect" />
	</decision-state>
	
	<!-- X509 -->
	<action-state id="startAuthenticateX509">
		<action bean="x509Check" />
		<transition on="success" to="sendTicketGrantingTicket" />
		<transition on="error" to="viewLoginForm" />
	</action-state>
	<!-- X509 -->

	<!-- SPNEGO -->
	<action-state id="startAuthenticate">
		<action bean="negociateSpnego" />
		<transition on="success" to="spnego" />
	</action-state>
	<action-state id="spnego">
		<action bean="spnego" />
		<transition on="success" to="sendTicketGrantingTicket" />
		<transition on="error" to="startAuthenticateX509" />
	</action-state>

	<!-- SPNEGO -->

	<view-state id="viewLoginForm" view="casLoginView">
		<render-actions>
			<action bean="authenticationViaFormAction" method="setupForm"/>
			<action bean="authenticationViaFormAction" method="referenceData"/>
		</render-actions>
		<transition on="submit" to="bindAndValidate" />
	</view-state>
	
	<action-state id="bindAndValidate">
		<action bean="authenticationViaFormAction" />
		<transition on="success" to="submit" />
		<transition on="error" to="viewLoginForm" />
	</action-state>
	
	<action-state id="submit">
		<action bean="authenticationViaFormAction" method="submit" />
		<transition on="warn" to="warn" />
		<transition on="success" to="sendTicketGrantingTicket" />
		<transition on="error" to="viewLoginForm" />
	</action-state>
	
	<action-state id="sendTicketGrantingTicket">
		<action bean="sendTicketGrantingTicketAction" />
		<transition on="success" to="serviceCheck" />
	</action-state>

	<decision-state id="serviceCheck">
		<if test="${flowScope.service != null}" then="generateServiceTicket" else="viewGenericLoginSuccess" />
	</decision-state>
	
	<!--
		When the TGT named in the CASTGC cookie has expired, the "error" outcome
		below is the transition that shows the credentials form (see Scott's
		reply); "startAuthenticate" is where SPNEGO/X509 collection begins.
	-->
	<action-state id="generateServiceTicket">
		<action bean="generateServiceTicketAction" />
		<transition on="success" to="warn" />
		<transition on="error" to="viewLoginForm" />
		<transition on="gateway" to="redirect" />
	</action-state>

	<!-- 
		The "viewGenericLoginSuccess" end state is used when a user logs in without coming directly from a service.
		They have only initialized their single sign-on session.
	-->
	<end-state id="viewGenericLoginSuccess" view="casLoginGenericSuccessView" />

	<!-- 
		The "showWarningView" end state is the end state for when the user has requested privacy settings (to be "warned") to be turned on.  It delegates to a 
		view defined in default_views.properties that displays the "Please click here to go to the service." message.
	-->
	<end-state id="showWarningView" view="casLoginConfirmView" />

	<!-- 
		The "redirect" end state allows CAS to properly end the workflow while still redirecting
		the user back to the service required.
	-->
	<end-state id="redirect" view="bean:dynamicRedirectViewSelector" />
	
	<end-state id="viewServiceErrorView" view="viewServiceErrorView" />

	<end-state id="viewServiceSsoErrorView" view="viewServiceSsoErrorView" />

	<global-transitions>
		<transition to="viewServiceErrorView" on-exception="org.springframework.webflow.execution.repository.NoSuchFlowExecutionException" />
		<transition to="viewServiceSsoErrorView" on-exception="org.jasig.cas.services.UnauthorizedSsoServiceException" />
		<transition to="viewServiceErrorView" on-exception="org.jasig.cas.services.UnauthorizedServiceException" />
	</global-transitions>
</flow>
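A way to check Scott's suggestion against the attached flow without a running CAS, as an added example that is not part of the original thread and not CAS code: the script parses a Spring Web Flow 1.0 definition, walks the path a browser with a stale CASTGC cookie takes, and shows where the user lands before and after the "error" outcome of `generateServiceTicket` is rerouted to `startAuthenticate`. The embedded XML is a constructed, trimmed copy of the states from the attachment that lie on that path (the `warn` and `gateway` branches are folded into `redirect`). It assumes, as the thread does, that `generateServiceTicketAction` reports `error` once the TGT is no longer in the registry; the posted log ends before that outcome is visible.

```python
"""Audit a CAS 3.x (Spring Web Flow 1.0) login-webflow: where does a user
whose TGT has expired end up, and what changes if the "error" outcome of
generateServiceTicket is routed back to the SPNEGO/X509 start state?
Added example, not CAS code."""
import xml.etree.ElementTree as ET

NS = "http://www.springframework.org/schema/webflow"
ET.register_namespace("", NS)

# Constructed, trimmed copy of the attached login-webflow (only the states
# on the expired-TGT path; the real file has more states and branches).
LOGIN_WEBFLOW = """<flow xmlns="http://www.springframework.org/schema/webflow">
  <start-state idref="ticketGrantingTicketExistsCheck"/>
  <decision-state id="ticketGrantingTicketExistsCheck">
    <if test="${flowScope.ticketGrantingTicketId != null}" then="hasServiceCheck" else="startAuthenticate"/>
  </decision-state>
  <decision-state id="hasServiceCheck">
    <if test="${flowScope.service != null}" then="renewRequestCheck" else="viewGenericLoginSuccess"/>
  </decision-state>
  <decision-state id="renewRequestCheck">
    <if test="${externalContext.requestParameterMap['renew'] != null}" then="startAuthenticate" else="generateServiceTicket"/>
  </decision-state>
  <action-state id="startAuthenticate">
    <action bean="negociateSpnego"/>
    <transition on="success" to="spnego"/>
  </action-state>
  <action-state id="spnego">
    <action bean="spnego"/>
    <transition on="success" to="sendTicketGrantingTicket"/>
    <transition on="error" to="startAuthenticateX509"/>
  </action-state>
  <action-state id="startAuthenticateX509">
    <action bean="x509Check"/>
    <transition on="success" to="sendTicketGrantingTicket"/>
    <transition on="error" to="viewLoginForm"/>
  </action-state>
  <view-state id="viewLoginForm" view="casLoginView">
    <transition on="submit" to="bindAndValidate"/>
  </view-state>
  <action-state id="sendTicketGrantingTicket">
    <action bean="sendTicketGrantingTicketAction"/>
    <transition on="success" to="serviceCheck"/>
  </action-state>
  <decision-state id="serviceCheck">
    <if test="${flowScope.service != null}" then="generateServiceTicket" else="viewGenericLoginSuccess"/>
  </decision-state>
  <action-state id="generateServiceTicket">
    <action bean="generateServiceTicketAction"/>
    <transition on="success" to="redirect"/>
    <transition on="error" to="viewLoginForm"/>
  </action-state>
  <end-state id="redirect" view="bean:dynamicRedirectViewSelector"/>
  <end-state id="viewGenericLoginSuccess" view="casLoginGenericSuccessView"/>
</flow>
"""


def build_graph(xml_text):
    """Map state id -> {event: target}.  The <if> of a decision-state becomes
    the pseudo-events "true"/"false"; end-states get an empty edge map."""
    graph = {}
    for state in ET.fromstring(xml_text):
        sid = state.get("id")
        if sid is None:  # <start-state idref=.../> carries no id
            continue
        edges = {}
        for child in state:
            tag = child.tag.replace("{%s}" % NS, "")
            if tag == "transition":
                edges[child.get("on")] = child.get("to")
            elif tag == "if":
                edges["true"], edges["false"] = child.get("then"), child.get("else")
        graph[sid] = edges
    return graph


def walk(graph, start, events):
    """Follow the flow from `start`, consuming one event per state; stop at an
    end-state or when the events run out.  Returns the list of visited states."""
    path = [start]
    for event in events:
        edges = graph[path[-1]]
        if not edges:
            break
        if event not in edges:
            raise KeyError("state %s has no transition on %r" % (path[-1], event))
        path.append(edges[event])
    return path


# The session from the thread: CASTGC cookie still sent (true), service present
# (true), no renew parameter (false), TGT gone from the registry so the
# service-ticket action reports "error" (assumed outcome; not in the posted log).
EXPIRED_TGT_EVENTS = ["true", "true", "false", "error"]


def expired_tgt_landing(xml_text):
    """State the user lands in when the TGT named by the cookie has expired."""
    return walk(build_graph(xml_text), "ticketGrantingTicketExistsCheck",
                EXPIRED_TGT_EVENTS)[-1]


def reroute_error_transition(xml_text, state_id, new_target):
    """Return the flow XML with the 'error' transition of `state_id` pointed at
    `new_target` (the adjustment suggested in the thread)."""
    root = ET.fromstring(xml_text)
    query = ".//{%s}action-state[@id='%s']/{%s}transition[@on='error']" % (NS, state_id, NS)
    for transition in root.iterfind(query):
        transition.set("to", new_target)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("as posted:", expired_tgt_landing(LOGIN_WEBFLOW))
    fixed = reroute_error_transition(LOGIN_WEBFLOW, "generateServiceTicket", "startAuthenticate")
    print("rerouted :", expired_tgt_landing(fixed))
    print("then SPNEGO succeeds:", walk(build_graph(fixed), "startAuthenticate", ["success", "success"]))
```

As posted, the walk ends at `viewLoginForm`, the credentials form that the SPNEGO and certificate users in the thread cannot use; with the `error` transition rerouted it ends at `startAuthenticate`, and a successful SPNEGO exchange then reaches `sendTicketGrantingTicket`, which (per the first-login log above) writes a fresh CASTGC cookie over the stale one. Two points to keep in mind when applying this to the real file: the `error` outcome of `generateServiceTicket` covers every failure of the service-ticket grant, not only an expired TGT, so the reroute changes those cases too; and it does not loop, because a SPNEGO failure still falls through to X509 and then to the form.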
