Hi Scott,

Changing flow as you mentioned did the trick.

<action-state id="generateServiceTicket">
    <action bean="generateServiceTicketAction" />
    <transition on="success" to="warn" />
    <transition on="error" to="startAuthenticate" />
    <transition on="gateway" to="redirect" />
</action-state>

Thank you very much.

Kind Regards.

On Fri, Apr 1, 2011 at 3:31 AM, Scott Battaglia <[email protected]> wrote:

> The expiration will be checked when we attempt to use the service ticket.
>
> You can try changing the "error" transition in this instance:
>
> <action-state id="generateServiceTicket">
>     <action bean="generateServiceTicketAction" />
>     <transition on="success" to="warn" />
>     <transition on="error" to="viewLoginForm" />
>     <transition on="gateway" to="redirect" />
> </action-state>
>
> to something besides viewLoginForm
>
> Let me know if that works.
>
> On Thu, Mar 31, 2011 at 6:38 AM, J Lopez <[email protected]> wrote:
>
>> Hi Scott,
>>
>> I attach my login-webflow.
>>
>> I can not see where in the flow the TGT is checked for expiration, the only check I see is existence of the ticket:
>>
>> <decision-state id="ticketGrantingTicketExistsCheck">
>>     <if test="${flowScope.ticketGrantingTicketId != null}" then="hasServiceCheck" else="gatewayRequestCheck" />
>> </decision-state>
>>
>> What I have in the logs is the following (I have removed user, service details and SPNEGO token)
>>
>> First login of user -> SPNEGO used TGT is created
>>
>> 2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler successfully authenticated the user which provided the following credentials: user>
>> 2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
>> 2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [user]>
>> 2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] to registry.>
>> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained output token: <removed>
>> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'success'>
>> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
>> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
>> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] found in registry.>
>> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] to registry.>
>> 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] for service [http://service/j_spring_cas_security_check] for user [user]>
>> 2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://service/j_spring_cas_security_check>
>> 2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas]>
>> 2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] found in registry.>
>> 2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] from registry>
>>
>> so first login is working as expected.
>>
>> time after TGT is expired
>>
>> 2011-03-29 11:11:10,267 INFO [STDOUT] 2011-03-29 11:11:10,267 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] from registry>
>>
>> User that maintains browser open, tries to make other action in the app GUI
>>
>> 2011-03-29 12:08:06,110 INFO [STDOUT] 2011-03-29 12:08:06,110 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://service/j_spring_cas_security_check>
>> 2011-03-29 12:08:06,111 INFO [STDOUT] 2011-03-29 12:08:06,111 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
>>
>> but nothing more appears in logs after that
>>
>> It seems that browser is sending the cookie in order to retrieve TGT and the service, the server is trying to retrieve ticket but no more traces occur at server side
>>
>> I think I'm going to enable DEBUG for web flow category just to see if any more traces occur.
>>
>> I don't know if the modifications needed in order to detect ticket expiration are already included in CAS server 3.4.7 and the effort to include that in CAS 3.2 is nearly the same as migrating to a newer version.
>>
>> I can not see any specific flow state to check TGT expiration in version 3.4.7 but I have not reviewed all the code and my understanding of spring web-flow is limited.
>>
>> I would appreciate it if you could give me any more detail on the subject or some more detailed indication in how to solve the incidence.
>>
>> Thanks in advance
>>
>> Regards
>>
>> On Thu, Mar 31, 2011 at 3:25 AM, Scott Battaglia <[email protected]> wrote:
>>
>>> You're quite behind on your CAS versions so any help we give will be limited.
>>>
>>> It's possible the "error" state of the flow is pointing to displaying the credentials form if the TGT is expired instead of where collecting credentials starts. You can try adjusting that.
>>>
>>> Cheers,
>>> Scott
>>>
>>> On Wed, Mar 30, 2011 at 8:58 AM, J Lopez <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a working CAS server (version 3.2) that uses SPNEGO, X509 certificates and JAAS Authentication against Kerberos (login credentials view).
>>>> When a TGT is expired due to TimeOutPolicy (default time 2 hours) the full authentication flow is not triggered and user ends in the login credentials form.
>>>> My problem is that regular users (80% of staff) do not have credentials enabled, they use certificates and/or SPNEGO authentication.
>>>>
>>>> We are using a workaround of closing the browser and trying again an access to the application then a correct login flow is executed and user logs into the application using SPNEGO or certificates.
>>>>
>>>> Is there a method to prevent this behaviour when TGT expires?
>>>> Our security policies do not allow us to extend TGT timeout policy
>>>> Is issue CAS-686 related to this?
>>>>
>>>> thanks in advance.
>>>> --
>>>> Saludos.
>>>>
>>>> --
>>>> You are currently subscribed to [email protected] as: [email protected]
>>>> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>> --
>> Saludos.

--
Saludos.
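
An added example, not part of the thread and not CAS code: a short Python check that correlates the `DefaultTicketRegistry` DEBUG lines of the kind quoted above and flags every lookup of a TGT that the registry had already removed, which is the situation the thread traces to the "error" transition. The function name is hypothetical, the sample lines are constructed in the thread's log format with a placeholder ticket ID, and it assumes DEBUG logging is enabled for the registry.

```python
import re
from datetime import datetime

# Constructed sample in the log format quoted in the thread; the ticket ID
# is a placeholder, not a value taken from the original logs.
P = "[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - "
SAMPLE_LOG = "\n".join([
    "2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG "
    + P + "<Added ticket [TGT-1-EXAMPLE-cas] to registry.>",
    "2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG "
    + P + "<Attempting to retrieve ticket [TGT-1-EXAMPLE-cas]>",
    "2011-03-29 11:11:10,267 INFO [STDOUT] 2011-03-29 11:11:10,267 DEBUG "
    + P + "<Removing ticket [TGT-1-EXAMPLE-cas] from registry>",
    "2011-03-29 12:08:06,111 INFO [STDOUT] 2011-03-29 12:08:06,111 DEBUG "
    + P + "<Attempting to retrieve ticket [TGT-1-EXAMPLE-cas]>",
])

# Matches the inner timestamp (the one followed by DEBUG) and the registry
# event; service tickets (ST-...) are deliberately ignored.
LINE_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) DEBUG "
    r"\[org\.jasig\.cas\.ticket\.registry\.DefaultTicketRegistry\] - "
    r"<(Added|Attempting to retrieve|Removing) ticket \[(TGT-[^\]]+)\]"
)

def find_stale_tgt_lookups(log_text):
    """Return (ticket_id, lookup_time, time_since_removal) for each lookup
    of a TGT that had already been removed from the registry."""
    removed = {}    # ticket id -> time the registry removed it
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        event, ticket = m.group(2), m.group(3)
        if event == "Removing":
            removed[ticket] = ts
        elif event == "Added":
            removed.pop(ticket, None)   # ID issued again: no longer stale
        elif ticket in removed:         # lookup after removal
            findings.append((ticket, ts, ts - removed[ticket]))
    return findings

if __name__ == "__main__":
    for ticket, when, age in find_stale_tgt_lookups(SAMPLE_LOG):
        print(f"{when} stale TGT presented {age} after removal: {ticket}")
```

A burst of such findings shortly after the TGT timeout is a sign that browsers are still sending the old CASTGC cookie and that the flow's handling of the failed ticket grant is worth checking.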
