Hi Phil,
Thanks for the quick response!
The thing is that I have set mod_cas_auth timeout parameters to a very high
threshold and left Cas's xml file as default,
and it seems like my users are still being kicked off after two hours. *Can
you think of a reason why?* (By the way, I am working with JPA ticket
registration using mysql.)

*Cas web app (tomcat) 'web.xml'*

<session-config>
    <!-- Default to 5 minute session timeouts -->
    <session-timeout>5</session-timeout>
</session-config>

*mod_cas_auth configurations:*

# 30 days hard logout
CASTimeout 2592000
# 2 days idle time logout
CasIdleTimeout 172800
CASSSOEnabled On

*'ticketExpirationPolicies.xml':*

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
    <description>
        Assignment of expiration policies for the different tickets generated by CAS including ticket granting ticket (TGT), service ticket (ST), proxy granting ticket (PGT), and proxy$
        These expiration policies determine how long the ticket they are assigned to can be used and even how often they can be used before becoming expired / invalid.
    </description>

    <!-- Expiration policies -->
    <bean id="serviceTicketExpirationPolicy"
          class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
        <!-- This argument is the number of times that a ticket can
             be used before its considered expired. -->
        <constructor-arg
            index="0"
            value="1" />
        <!-- This argument is the time a ticket can exist before
             its considered expired. -->
        <constructor-arg
            index="1"
            value="10000" />
    </bean>

    <bean id="grantingTicketExpirationPolicy"
          class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
        <!-- This argument is the time a ticket can exist before
             its considered expired. -->
        <constructor-arg
            index="0"
            value="7200000" />
    </bean>
</beans>

Any idea?
Thanks!!
On Sun, Jul 22, 2012 at 5:34 PM, Phil Ames <[email protected]> wrote:
>
>
> On Sun, Jul 22, 2012 at 6:10 AM, Ronen Itkin <[email protected]> wrote:
>
>> Hi all,
>>
>> I have noticed that there are several places to tune different timeout
>> parameters.
>> I am using mod_cas_auth as a Cas client and there are two configurable
>> directives (/etc/apache2/httpd.conf):
>>
>> *Directive*: CASTimeout
>> *Default*: 7200 (2 hours)
>> *Description*: This is the hard limit, in seconds, for a mod_auth_cas
>> session (whether
>> it is idle or not). When a session has reached this age and a new
>> request is made, the user is redirected to the CASLoginURL to
>> obtain a new service ticket. When this new ticket is validated,
>> they will be assigned a new mod_auth_cas session.
>>
>> *Directive*: CASIdleTimeout
>> *Default*: 3600 (1 hour)
>> *Description*: This is a limit, in seconds, of how long a mod_auth_cas
>> session can be idle.
>> When a request comes in, if it has been inactive for CASIdleTimeout
>> seconds, the user is redirected to the CASLoginURL to obtain a new
>> service ticket
>>
>> I can also configure timeout parameters on Cas itself, in the
>> 'ticketExpirationPolicies.xml'.
>> I guess that the xml option is wider and I can configure more sets of
>> timeout parameters.
>>
>> But regarding those two I can configure on /etc/apache2/httpd.conf, are
>> there similar configurations on 'ticketExpirationPolicies.xml'?
>> Which one is being enforced?
>>
>>
> Both are enforced, and kick in under different circumstances.
>
>
>> Basically I want to set Idle connection timeout to 4 hours (have it
>> redirected to logout screen afterwards) and *not to have a hard limit
>> timeout at all,*
>> what is the most suitable way of doing it?
>>
>>
> You'd want to set the idle timeout to 4 hours, and the hard timeout to
> some egregiously large value. There probably is some realistic upper bound
> where you want people to re-authenticate (even if it's something like 5
> days to account for a work week).
>
>
>> Is there a way to set CASTimeout to "never" (setting it to '-1' or '0'
>> does not seem to work).
>>
>>
> An "infinite" hard timeout is not supported.
>
>
>> Thanks!!
>>
>>
>>
>> --
>> *
>> Ronen Itkin*
>> Taykey | www.taykey.com
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>
--
*
Ronen Itkin*
Taykey | www.taykey.com
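
Added example (not part of the original messages, and not code from CAS or mod_auth_cas): the three files quoted in this thread express their limits in different units, so this Python script converts every value to seconds and lists them shortest first. It assumes CAS 3.x semantics, where the timeout constructor arguments of the expiration policies are milliseconds, and the servlet rule that <session-timeout> is in minutes; the function names and key names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs, using the values quoted in the thread.
HTTPD_CONF = """\
CASTimeout 2592000
CasIdleTimeout 172800
"""
WEB_XML = "<session-config><session-timeout>5</session-timeout></session-config>"
POLICIES_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
    <constructor-arg index="0" value="1" />
    <constructor-arg index="1" value="10000" />
  </bean>
  <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
    <constructor-arg index="0" value="7200000" />
  </bean>
</beans>
"""
NS = {"b": "http://www.springframework.org/schema/beans"}
# Assumption: constructor-arg index that carries the millisecond timeout, per policy class.
TIMEOUT_ARG = {"MultiTimeUseOrTimeoutExpirationPolicy": "1", "TimeoutExpirationPolicy": "0"}

def collect_limits(httpd_conf, web_xml, policies_xml):
    """Return {setting name: limit in seconds} across all three layers."""
    limits = {}
    # mod_auth_cas: values are seconds; Apache directive names are case-insensitive.
    for name, value in re.findall(r"(?im)^\s*(CAS(?:Idle)?Timeout)\s+(\d+)", httpd_conf):
        limits["httpd:" + name.lower()] = int(value)
    # Servlet container: <session-timeout> is in minutes.
    minutes = ET.fromstring(web_xml).findtext(".//session-timeout")
    limits["tomcat:session-timeout"] = int(minutes) * 60
    # CAS policies: timeout constructor argument assumed to be milliseconds.
    for bean in ET.fromstring(policies_xml).findall("b:bean", NS):
        arg_index = TIMEOUT_ARG.get(bean.get("class").rsplit(".", 1)[-1])
        for arg in bean.findall("b:constructor-arg", NS):
            if arg.get("index") == arg_index:
                limits["cas:" + bean.get("id")] = int(arg.get("value")) // 1000
    return limits

def shortest_first(limits):
    return sorted(limits.items(), key=lambda kv: kv[1])

if __name__ == "__main__":
    for name, seconds in shortest_first(collect_limits(HTTPD_CONF, WEB_XML, POLICIES_XML)):
        print(f"{seconds:>9} s  ({seconds / 3600:8.2f} h)  {name}")
```

Under those unit assumptions, the ticket granting ticket policy value of 7200000 comes out as 7200 seconds, while the two mod_auth_cas limits are 172800 and 2592000 seconds.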