Hi, I Found my problem.. Actually it was the ticketExpirationPolicies.xml'** configuration. The thing is that when I was testing it, I set TimeoutExpirationPolicy to a very low value and yet didnt saw any immediate impact, So i figured its not the value that I was looking for. The thing I didnt knew is that the ticketCleaner runs by default every 30 minutes, and all I needed to do is to wait! So the value in TimeoutExpirationPolicy actually worked for me and was responsible for my timeouts.
Thanks!! On Mon, Jul 23, 2012 at 2:20 PM, Phil Ames <[email protected]> wrote: > On Mon, Jul 23, 2012 at 3:18 AM, Ronen Itkin <[email protected]> wrote: > >> Hi Phil, >> >> Thanks for the quick response! >> >> The thing is that I have set mod_cas_auth timeout parameters to a very >> high threshold and left Cas's xml file as default >> and it seems like my users are still being kicked of after two hours, *Can >> you thing of a reason why ?? *(By the way I am working with JPA ticket >> registration using mysql). >> >> *Cas web app (tomcat) 'web.xml'* >> <session-config> >> <!-- Default to 5 minute session timeouts --> >> <session-timeout>5</session-timeout> >> </session-config> >> >> *mod_cas_auth configurations:* >> # 30 days hard logout >> CASTimeout 2592000 >> # 2 days idle time logout >> CasIdleTimeout 172800 >> CASSSOEnabled On >> >> > This looks correct. Do you have debug logs from mod_auth_cas which > indicate why the sessions are being expired? (CASDebug On, LogLevel Debug > for the VirtualHost). > > >> *'ticketExpirationPolicies.xml':* >> <?xml version="1.0" encoding="UTF-8"?> >> <beans xmlns="http://www.springframework.org/schema/beans"; >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; >> xmlns:p="http://www.springframework.org/schema/p"; >> xsi:schemaLocation="http://www.springframework.org/schema/beans >> http://www.springframework.org/schema/beans/spring-beans-3.0.xsd";> >> <description> >> Assignment of expiration policies for the different tickets >> generated by CAS including ticket granting ticket (TGT), service ticket >> (ST), proxy granting ticket (PGT), and proxy$ >> These expiration policies determine how long the ticket they are >> assigned to can be used and even how often they can be used before becoming >> expired / invalid. >> </description> >> >> <!-- Expiration policies --> >> <bean id="serviceTicketExpirationPolicy" >> class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"> >> <!-- This argument is the number of times that a ticket >> can be used before its considered expired. --> >> <constructor-arg >> index="0" >> value="1" /> >> >> <!-- This argument is the time a ticket can exist before >> its considered expired. --> >> <constructor-arg >> index="1" >> value="10000" /> >> </bean> >> >> <bean id="grantingTicketExpirationPolicy" >> class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy"> >> <!-- This argument is the time a ticket can exist before >> its considered expired. --> >> <constructor-arg >> index="0" >> value="7200000" /> >> </bean> >> </beans> >> >> >> Any idea? >> >> Thanks!! >> >> On Sun, Jul 22, 2012 at 5:34 PM, Phil Ames <[email protected]> wrote: >> >>> >>> >>> On Sun, Jul 22, 2012 at 6:10 AM, Ronen Itkin <[email protected]> wrote: >>> >>>> Hi all, >>>> >>>> I have noticed that there are several places to tune different timeout >>>> parameters. >>>> I am using mod_cas_auth as a Cas client and there are two configurable >>>> directive (/etc/apache2/httpd.conf): >>>> >>>> *Directive*: CASTimeout >>>> *Default*: 7200 (2 hours) >>>> *Description*: This is the hard limit, in seconds, for a mod_auth_cas >>>> session (whether >>>> it is idle or not). When a session has reached this age and a new >>>> request is made, the user is redirected to the CASLoginURL to >>>> obtain a new service ticket. When this new ticket is validated, >>>> they will be assigned a new mod_auth_cas session. >>>> >>>> *Directive*: CASIdleTimeout >>>> *Default*: 3600 (1 hour) >>>> *Description*: This is a limit, in seconds, of how long a mod_auth_cas >>>> session can be idle. >>>> When a request comes in, if it has been inactive for CASIdleTimeout >>>> seconds, the user is redirected to the CASLoginURL to obtain a new >>>> service ticket >>>> >>>> I can also configure timeout parameters on Cas itself, in the >>>> 'ticketExpirationPolicies.xml'. >>>> I guess that the xml option is wider and I can configure more sets of >>>> timeout parameters. >>>> >>>> But regarding those two I can configure on /etc/apache2/httpd.conf, are >>>> there similar configurations on 'ticketExpirationPolicies.xml'? >>>> Which one is being enforced? >>>> >>>> >>> Both are enforced, and kick in under different circumstances. >>> >>> >>>> Basically I want to set Idle connection timeout to 4 hours (have it >>>> redirected to logout screen afterwards) and *not to have a hard limit >>>> timeout at all,* >>>> whatis the most suitable way of doing it? >>>> >>>> >>> You'd want to set the idle timeout to 4 hours, and the hard timeout to >>> some egregiously large value. There probably is some realistic upper bound >>> where you want people to re-authenticate (even if it's something like 5 >>> days to account for a work week). >>> >>> >>>> Is there a way to set CASTimeout to "never" (setting it to '-1' or '0' >>>> does not seem to work). >>>> >>>> >>> An "infinite" hard timeout is not supported. >>> >>> >>>> Thanks!! >>>> >>>> >>>> >>>> -- >>>> * >>>> Ronen Itkin* >>>> Taykey | www.taykey.com >>>> >>>> -- >>>> You are currently subscribed to [email protected] as: >>>> [email protected] >>>> To unsubscribe, change settings or access archives, see >>>> http://www.ja-sig.org/wiki/display/JSG/cas-user >>>> >>>> >>> -- >>> You are currently subscribed to [email protected] as: >>> [email protected] >>> >>> >>> To unsubscribe, change settings or access archives, see >>> http://www.ja-sig.org/wiki/display/JSG/cas-user >>> >>> >> >> >> -- >> * >> Ronen Itkin* >> Taykey | www.taykey.com >> >> -- >> You are currently subscribed to [email protected] as: >> [email protected] >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/cas-user >> >> > -- > You are currently subscribed to [email protected] as: [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- * Ronen Itkin* Taykey | www.taykey.com -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
