The expiration will be checked when we attempt to use the service ticket. You can try changing the "error" transition in this instance:

<action-state id="generateServiceTicket">
    <action bean="generateServiceTicketAction" />
    <transition on="success" to="warn" />
    <transition on="error" to="viewLoginForm" />
    <transition on="gateway" to="redirect" />
</action-state>

to something besides viewLoginForm.

Let me know if that works.

On Thu, Mar 31, 2011 at 6:38 AM, J Lopez <[email protected]> wrote:
> Hi Scott,
>
> I attach my login-webflow.
>
> I can not see where in the flow the TGT is checked for expiration, the
> only check I see is existence of the ticket:
>
> <decision-state id="ticketGrantingTicketExistsCheck">
>     <if test="${flowScope.ticketGrantingTicketId != null}"
>         then="hasServiceCheck" else="gatewayRequestCheck" />
> </decision-state>
>
> What I have in the logs is the following (I have removed user, service
> details and SPNEGO token):
>
> First login of user -> SPNEGO used, TGT is created
>
> 2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler successfully authenticated the user which provided the following credentials: user>
> 2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
> 2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [user]>
> 2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] to registry.>
> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained output token: <removed>
> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'success'>
> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] found in registry.>
> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] to registry.>
> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] for service [http://service/j_spring_cas_security_check] for user [user]>
> 2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://service/j_spring_cas_security_check>
> 2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas]>
> 2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] found in registry.>
> 2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] from registry>
>
> so first login is working as expected.
>
>
> time after TGT is expired
>
> 2011-03-29 11:11:10,267 INFO [STDOUT] 2011-03-29 11:11:10,267 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] from registry>
>
> User that maintains browser open tries to make another action in the app GUI
>
> 2011-03-29 12:08:06,110 INFO [STDOUT] 2011-03-29 12:08:06,110 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://service/j_spring_cas_security_check>
> 2011-03-29 12:08:06,111 INFO [STDOUT] 2011-03-29 12:08:06,111 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
>
> but nothing more appears in logs after that.
>
> It seems that the browser is sending the cookie in order to retrieve the TGT and
> the service, the server is trying to retrieve the ticket but no more traces
> occur at the server side.
>
> I think I'm going to enable DEBUG for the web flow category just to see if any
> more traces occur.
>
> I don't know if the modifications needed in order to detect ticket
> expiration are already included in CAS server 3.4.7 and whether the effort to
> include that in CAS 3.2 is nearly the same as migrating to the newer version.
>
> I can not see any specific flow state to check TGT expiration in version
> 3.4.7 but I have not reviewed all the code and my understanding of Spring
> Web Flow is limited.
>
> I would appreciate it if you could give me any more detail on the subject
> or some more detailed indication of how to solve the incident.
>
>
> Thanks in advance
>
> Regards
>
> On Thu, Mar 31, 2011 at 3:25 AM, Scott Battaglia <[email protected]> wrote:
>
>> You're quite behind on your CAS versions so any help we give will be
>> limited.
>>
>> It's possible the "error" state of the flow is pointing to displaying the
>> credentials form if the TGT is expired instead of where collecting
>> credentials starts. You can try adjusting that.
>>
>> Cheers,
>> Scott
>>
>>
>> On Wed, Mar 30, 2011 at 8:58 AM, J Lopez <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I have a working CAS server (version 3.2) that uses SPNEGO, X509
>>> certificates and JAAS Authentication against Kerberos (login credentials
>>> view).
>>> When a TGT is expired due to TimeOutPolicy (default time 2 hours) the full
>>> authentication flow is not triggered and the user ends in the login credentials
>>> form.
>>> My problem is that regular users (80% of staff) do not have
>>> credentials enabled; they use certificates and/or SPNEGO authentication.
>>>
>>> We are using a workaround of closing the browser and trying again to
>>> access the application; then a correct login flow is executed and the user logs
>>> into the application using SPNEGO or certificates.
>>>
>>> Is there a method to prevent this behaviour when the TGT expires?
>>> Our security policies do not allow us to extend the TGT timeout policy.
>>> Is issue CAS-686 related to this?
>>>
>>>
>>> Thanks in advance.
>>> --
>>> Regards.
>>>
>>> --
>>> You are currently subscribed to [email protected] as:
>>> [email protected]
>>>
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>
>
> --
> Regards.
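As an added illustration (not CAS code, and not the login-webflow attached to the thread), a small Python model of the flow states named above: the ticketGrantingTicketExistsCheck passes on a stale CASTGC cookie, expiry is only detected at generateServiceTicket, and the "error" transition decides whether the user lands on viewLoginForm or back at the start of the non-interactive authentication attempt. The state name startAuthentication and the ticket id are assumptions.

```python
from datetime import datetime, timedelta

# Constructed model of the CAS login web flow from the thread (added example,
# not CAS source). State names quoted in the thread are reused; the target of
# the adjusted "error" transition, "startAuthentication", is an assumption.
TGT_TIMEOUT = timedelta(hours=2)  # default TimeOutPolicy mentioned in the thread

def lookup_tgt(registry: dict, tgt_id: str, now: datetime):
    """Return tgt_id if present and unexpired, else None. registry maps id ->
    last use; expiry counts from last use and an expired entry is evicted."""
    last_used = registry.get(tgt_id)
    if last_used is None:
        return None
    if now - last_used >= TGT_TIMEOUT:
        del registry[tgt_id]          # the 'Removing ticket ... from registry' log line
        return None
    registry[tgt_id] = now
    return tgt_id

# Transition tables for <action-state id="generateServiceTicket">: the original
# sends "error" to the credentials form; the adjusted one sends it back to
# where the non-interactive (SPNEGO / X509) authentication attempt begins.
ORIGINAL_TRANSITIONS = {"success": "warn", "error": "viewLoginForm", "gateway": "redirect"}
ADJUSTED_TRANSITIONS = {"success": "warn", "error": "startAuthentication", "gateway": "redirect"}

def generate_service_ticket(registry: dict, tgt_id: str, now: datetime) -> str:
    """Event raised by generateServiceTicketAction: only here is expiry checked."""
    return "success" if lookup_tgt(registry, tgt_id, now) else "error"

def login_flow(registry: dict, cookie_tgt, now: datetime, transitions: dict) -> str:
    """State the flow ends in for a request carrying the CASTGC cookie value."""
    if cookie_tgt is None:            # ticketGrantingTicketExistsCheck: presence only
        return "gatewayRequestCheck"
    return transitions[generate_service_ticket(registry, cookie_tgt, now)]

def replay_thread_timeline(transitions: dict) -> list:
    """Replay the logged timeline: login at 08:32, next request at 12:08 (constructed ids)."""
    registry = {}
    login = datetime(2011, 3, 29, 8, 32, 56)
    tgt = "TGT-149-constructed"
    registry[tgt] = login
    first = login_flow(registry, tgt, login, transitions)   # same visit: ST is granted
    stale = login_flow(registry, tgt, login + timedelta(hours=3, minutes=36), transitions)
    return [first, stale, tgt in registry]                  # expired TGT has been evicted
```

With ORIGINAL_TRANSITIONS the stale request ends on viewLoginForm, which is the symptom in the thread; with the adjusted table it ends where the SPNEGO/X509 attempt restarts.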
