OK, I think this is a bug.... Is anybody using the
MultiTimeUseOrTimeoutExpirationPolicy?

 

Here is a code snippet from AbstractTicket.java

 

    public final boolean isExpired() {
        return this.expirationPolicy.isExpired(this)
            || (getGrantingTicket() != null && getGrantingTicket().isExpired())
            || isExpiredInternal();
    }

 

This applies to TicketGrantingTicket and ServiceTicket

 

When ServiceTicket.isExpired() is called it checks itself and its
expirationPolicy; it then checks its TGT.isExpired, which checks the
TGT's policy also, which will almost always be under the expected
p:timeInBetweenUsesInMilliSeconds="2000" parameter.

 

I have tried to set the timeInBetweenUsesInMilliSeconds parameter to
under 10ms and I can get it to work (mostly).  I don't think that that
is very helpful as it is too short of a timeframe.

 

Here is also a debug listing from cas.log that shows this happening:

2011-09-23 11:58:37,843 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: http://www.depaul.edu
2011-09-23 11:58:37,843 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-2-odFloVCeBleCfW6IFNPt-cas]
2011-09-23 11:58:37,843 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-2-odFloVCeBleCfW6IFNPt-cas] found in registry.
2011-09-23 11:58:37,850 WARN [org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy] - Ticket is expired due to the time being less than the waiting period.
2011-09-23 11:58:37,850 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-2-odFloVCeBleCfW6IFNPt-cas] has expired.
2011-09-23 11:58:37,851 WARN [org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy] - Ticket is expired due to the time being less than the waiting period.
2011-09-23 11:58:37,851 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket [ST-2-odFloVCeBleCfW6IFNPt-cas] from registry
2011-09-23 11:58:37,852 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-2-odFloVCeBleCfW6IFNPt-cas]
2011-09-23 11:58:39,101 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
2011-09-23 11:58:39,101 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not generate service.

 

From: Ourada, John [mailto:[email protected]] 
Sent: Thursday, September 22, 2011 9:25 AM
To: [email protected]
Subject: RE: [cas-user] cas login throttling error with ticket
expiration policy

 

I didn't add to this that the proxyValidate call fails the ST validation
so the client isn't able to complete the authentication.

 

I would really like to implement this and am wondering if I am missing
something.

 

-John

 

From: Ourada, John [mailto:[email protected]] 
Sent: Wednesday, September 21, 2011 12:15 PM
To: [email protected]
Subject: [cas-user] cas login throttling error with ticket expiration
policy

 

I configured login throttling per:
https://wiki.jasig.org/display/CASUM/Ticket+Expiration+Policy

 

Here is the config contents:

 

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

        <description>
        Assignment of expiration policies for the different tickets
        generated by CAS including ticket granting ticket (TGT), service ticket
        (ST), proxy granting ticket (PGT), and proxy ticket (PT).

        These expiration policies determine how long the ticket they are
        assigned to can be used and even how often they can be used before
        becoming expired / invalid.
        </description>

        <!-- Expiration policies -->
        <bean id="serviceTicketExpirationPolicy"
              class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">

                <!-- This argument is the number of times that a ticket
                     can be used before it's considered expired. -->
                <constructor-arg
                        index="0"
                        value="1" />

                <!-- This argument is the time a ticket can exist before
                     it's considered expired. -->
                <constructor-arg
                        index="1"
                        value="5000" />
        </bean>

        <bean id="grantingTicketExpirationPolicy"
              class="org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy"
              p:timeToKillInMilliSeconds="7200000"
              p:timeInBetweenUsesInMilliSeconds="2000"
        />
</beans>

 

 

 

When I put this policy in place, I get the following errors when trying
to proxyValidate the ST.  I did try setting the policy for longer and
was able to force the TGT to expire prematurely by authenticating a
service too quickly.  I don't understand why the
ThrottledUseAndTimeoutExpirationPolicy is failing during ST validation.

 

Cas.log contents:

2011-09-21 12:03:13,154 WARN [org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy] - Ticket is expired due to the time being less than the waiting period.
2011-09-21 12:03:13,156 WARN [org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy] - Ticket is expired due to the time being less than the waiting period.

 

-John

-- 
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
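
An added example, not part of the thread and not CAS source code: a simplified Java model of the isExpired() chain quoted from AbstractTicket.java, using the values from the posted configuration (1 use, 5000 ms, 7200000 ms, 2000 ms). The class and method names are hypothetical, and two things are assumptions: that granting the ST counts as a use of the TGT, and that the throttled policy reports a used ticket as expired when it is checked again within the waiting period (inferred from the WARN line in cas.log).

```java
// Simplified model for illustration; names are hypothetical, not CAS classes.
public class ThrottledChainDemo {

    // Throttled policy model: expired after the hard timeout, or when a ticket
    // that has already been used is checked again within minGapMs (assumption
    // inferred from "time being less than the waiting period" in cas.log).
    static boolean throttledExpired(long now, long lastUsed, int uses,
                                    long killMs, long minGapMs) {
        long idle = now - lastUsed;
        if (idle >= killMs) {
            return true;
        }
        return uses > 0 && idle <= minGapMs;
    }

    // Multi-use-or-timeout policy model for the service ticket.
    static boolean multiUseExpired(long now, long created, int uses,
                                   int maxUses, long ttlMs) {
        return uses >= maxUses || now - created >= ttlMs;
    }

    // Same shape as the quoted isExpired(): the ticket's own policy OR the
    // parent TGT's expiry. Values are the ones from the posted configuration.
    static boolean serviceTicketExpired(long now, long stCreated, int stUses,
                                        long tgtLastUsed, int tgtUses) {
        boolean own = multiUseExpired(now, stCreated, stUses, 1, 5000L);
        boolean parent = throttledExpired(now, tgtLastUsed, tgtUses,
                                          7200000L, 2000L);
        return own || parent;
    }

    public static void main(String[] args) {
        long issued = 0L; // ms; assumption: granting the ST marks the TGT as used
        long[] delays = {7L, 1500L, 2500L, 4900L, 5200L}; // constructed samples
        for (long delay : delays) {
            boolean expired = serviceTicketExpired(issued + delay, issued, 0,
                                                   issued, 1);
            System.out.printf("validate after %4d ms -> expired=%b%n",
                              delay, expired);
        }
    }
}
```

Under these assumptions the ST validates only when the request arrives more than 2000 ms and less than 5000 ms after issue, so a validation 7 ms after retrieval, as in the cas.log excerpt, fails on the TGT's policy rather than the ST's own.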