Interesting.  Looking into it here.

Andrew


On 9/23/2011 1:45 PM, Ourada, John wrote:
>
> OK, I think this is a bug.... Is anybody using the 
> MultiTimeUseOrTimeoutExpirationPolicy?
>
> Here is a code snippet from AbstractTicket.java
>
> public final boolean isExpired() {
>     return this.expirationPolicy.isExpired(this)
>         || (getGrantingTicket() != null && getGrantingTicket().isExpired())
>         || isExpiredInternal();
> }
>
> This applies to TicketGrantingTicket and ServiceTicket
>
> When ServiceTicket.isExpired() is called it checks itself and its 
> expirationPolicy, it then checks its TGT.isExpired which checks the 
> TGT's policy also, which will almost always be under the expected 
> p:timeInBetweenUsesInMilliSeconds="2000" parameter.
>
> I have tried to set the timeInBetweenUsesInMilliSeconds parameter to 
> under 10ms and I can get it to work (mostly).  I don't think that that 
> is very helpful as it is too short of a timeframe.
>
> Here is also a debug listing from cas.log that shows this happening:
>
> 2011-09-23 11:58:37,843 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: http://www.depaul.edu
> 2011-09-23 11:58:37,843 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-2-odFloVCeBleCfW6IFNPt-cas]
> 2011-09-23 11:58:37,843 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-2-odFloVCeBleCfW6IFNPt-cas] found in registry.
> 2011-09-23 11:58:37,850 WARN [org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy] - Ticket is expired due to the time being less than the waiting period.
> 2011-09-23 11:58:37,850 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-2-odFloVCeBleCfW6IFNPt-cas] has expired.
> 2011-09-23 11:58:37,851 WARN [org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy] - Ticket is expired due to the time being less than the waiting period.
> 2011-09-23 11:58:37,851 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket [ST-2-odFloVCeBleCfW6IFNPt-cas] from registry
> 2011-09-23 11:58:37,852 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-2-odFloVCeBleCfW6IFNPt-cas]
> 2011-09-23 11:58:39,101 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
> 2011-09-23 11:58:39,101 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not generate service.
>
> *From:*Ourada, John [mailto:[email protected]]
> *Sent:* Thursday, September 22, 2011 9:25 AM
> *To:* [email protected]
> *Subject:* RE: [cas-user] cas login throttling error with ticket 
> expiration policy
>
> I didn't add to this that the proxyValidate call fails the ST 
> validation so the client isn't able to complete the authentication.
>
> I would really like to implement this and am wondering if I am missing 
> something.
>
> -John
>
> *From:*Ourada, John [mailto:[email protected]]
> *Sent:* Wednesday, September 21, 2011 12:15 PM
> *To:* [email protected]
> *Subject:* [cas-user] cas login throttling error with ticket 
> expiration policy
>
> I configured login throttling per: 
> https://wiki.jasig.org/display/CASUM/Ticket+Expiration+Policy
>
> Here is the config contents:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:p="http://www.springframework.org/schema/p"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
>
>     <description>
>         Assignment of expiration policies for the different tickets
>         generated by CAS including ticket granting ticket (TGT), service
>         ticket (ST), proxy granting ticket (PGT), and proxy ticket (PT).
>
>         These expiration policies determine how long the ticket they
>         are assigned to can be used and even how often they can be used before
>         becoming expired / invalid.
>     </description>
>
>     <!-- Expiration policies -->
>     <bean id="serviceTicketExpirationPolicy"
>           class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
>         <!-- This argument is the number of times that a ticket can be used
>              before it's considered expired. -->
>         <constructor-arg index="0" value="1" />
>
>         <!-- This argument is the time a ticket can exist before it's
>              considered expired. -->
>         <constructor-arg index="1" value="5000" />
>     </bean>
>
>     <bean id="grantingTicketExpirationPolicy"
>           class="org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy"
>           p:timeToKillInMilliSeconds="7200000"
>           p:timeInBetweenUsesInMilliSeconds="2000" />
>
> </beans>
>
> When I put this policy in place, I get the following errors when 
> trying to proxyValidate the ST.  I did try setting the policy for 
> longer and was able to force the TGT to expire prematurely by 
> authenticating a service too quickly.  I don't understand why the 
> ThrottledUseAndTimeoutExpirationPolicy is failing during ST validation.
>
> Cas.log contents:
>
> 2011-09-21 12:03:13,154 WARN [org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy] - Ticket is expired due to the time being less than the waiting period.
> 2011-09-21 12:03:13,156 WARN [org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy] - Ticket is expired due to the time being less than the waiting period.
>
> -John
>
> -- 
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user


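The check chain described in the quoted message, as an added example that is not part of the original thread and is not CAS source code: a simplified Java model in which a service ticket's expiry check also asks its granting ticket, whose throttled policy was just "used" to issue the ST. The class and helper names and the exact policy conditions are assumptions inferred from the quoted snippet, config values and log message; isExpiredInternal() is omitted.

```java
// Added illustration: simplified model of the expiration chain in this thread.
// Names and policy conditions are assumptions, not CAS source code.
public class ThrottleCascadeDemo {
    interface Policy { boolean isExpired(Ticket t, long now); }

    static class Ticket {
        final Ticket grantingTicket;
        final Policy policy;
        long lastUsed;
        int uses;
        Ticket(Ticket tgt, Policy p, long now) { grantingTicket = tgt; policy = p; lastUsed = now; }
        void use(long now) { lastUsed = now; uses++; }
        // Same shape as the isExpired() quoted from AbstractTicket.java:
        // own policy first, then the parent ticket's full check.
        boolean isExpired(long now) {
            return policy.isExpired(this, now)
                || (grantingTicket != null && grantingTicket.isExpired(now));
        }
        // For contrast only: asks nothing but the ticket's own policy.
        boolean isExpiredOwnPolicyOnly(long now) { return policy.isExpired(this, now); }
    }

    // Assumed throttle semantics, taken from the log message: a ticket that has
    // been used counts as expired while less than minGapMs has passed since then.
    static Policy throttled(long ttlMs, long minGapMs) {
        return (t, now) -> now - t.lastUsed >= ttlMs
            || (t.uses > 0 && now - t.lastUsed < minGapMs);
    }

    // Assumed ST policy: a maximum number of uses or a timeout.
    static Policy multiUseOrTimeout(int maxUses, long ttlMs) {
        return (t, now) -> t.uses >= maxUses || now - t.lastUsed >= ttlMs;
    }

    public static void main(String[] args) {
        long t0 = 0; // constructed timeline, milliseconds
        Ticket tgt = new Ticket(null, throttled(7_200_000, 2_000), t0);
        tgt.use(t0); // the TGT is used to grant the ST
        Ticket st = new Ticket(tgt, multiUseOrTimeout(1, 5_000), t0);
        for (long delay : new long[] {7, 1_999, 2_000, 4_999, 5_000}) {
            System.out.printf("validate at +%dms: chained=%b ownPolicy=%b%n",
                delay, st.isExpired(t0 + delay), st.isExpiredOwnPolicyOnly(t0 + delay));
        }
    }
}
```

The two columns differ only while the throttle gap after the grant is still open, which is the period in which a client normally validates its ST.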