Looks correct on this – Thanks !

From “serviceTicketExpirationPolicy.xml” default set to…

    <util:constant id="SECONDS"
                   static-field="java.util.concurrent.TimeUnit.SECONDS"/>
    <bean id="serviceTicketExpirationPolicy"
          class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"
          c:numberOfUses="1" c:timeToKill="${st.timeToKillInSeconds:10}"
          c:timeUnit-ref="SECONDS"/>

Changing to a minute and keeping an eye on responses on log-file.

Perfect !

Cheers

From: Ohsie, David [mailto:[email protected]]
Sent: 24 January 2013 05:44 PM
To: [email protected]
Subject: RE: [cas-user] Ticket validation failed when IP changed ?


> Thanks gents,



> As stated this is not a problem happening continuously, but today we had an 
> occurrence of 26 vs. 3514 successful logins.

> Also I ruled out the timeout as seen on the log, it is within minutes of the 
> original request...



The default ST (Service Ticket) expiration period is very short (10 seconds).
In your example below, the delay to validate the ticket is 20 seconds. It
makes perfect sense that you see this only intermittently, because only
intermittently will you see validations that take more than the ST expiration
interval.



I suggest bumping up your ST expiration period to 1 minute or so. You can
parse through the logs to see how long ST validations are taking and adjust
appropriately.



> One of the differences that is apparent is the differing IP's, but I am 
> unsure if changing IP's causes ticket validation to fail ?



> Any clues appreciated.


David Ohsie
Software Architect
EMC Corporation
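
One way to do the log parsing suggested above, as an added example that is not part of the original thread: it pairs each SERVICE_TICKET_CREATED audit record with the validation attempt for the same ticket and reports the delay, so the ST timeout can be sized from real data. It assumes unwrapped catalina.out lines in the layout quoted in this thread; the second ticket and the SERVICE_TICKET_VALIDATED action name are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: record layout and first ticket's timestamps come from the
# thread (fields the parser ignores are omitted); the second ticket and its
# SERVICE_TICKET_VALIDATED action are assumptions made for illustration.
SAMPLE_LOG = """\
2013-01-23 14:54:05,557 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
WHAT: ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za for https://vula.uct.ac.za:443/sakai-login-tool/container
ACTION: SERVICE_TICKET_CREATED
2013-01-23 14:54:25,982 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
WHAT: ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za
ACTION: SERVICE_TICKET_VALIDATE_FAILED
2013-01-23 14:55:10,100 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
WHAT: ST-CONSTRUCTED-0001 for https://service.example/app
ACTION: SERVICE_TICKET_CREATED
2013-01-23 14:55:11,350 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
WHAT: ST-CONSTRUCTED-0001
ACTION: SERVICE_TICKET_VALIDATED
"""

STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) .*Audit trail record BEGIN")
WHAT = re.compile(r"^WHAT: (ST-\S+)")
ACTION = re.compile(r"^ACTION: (SERVICE_TICKET_\w+)")

def validation_delays(log_text):
    """Return [(ticket, action, seconds between creation and validation attempt)]."""
    created, results = {}, []
    when = ticket = None
    for line in log_text.splitlines():
        if m := STAMP.match(line):              # start of a new audit record
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            ticket = None
        elif m := WHAT.match(line):             # ticket id is the first token
            ticket = m.group(1)
        elif (m := ACTION.match(line)) and when and ticket:
            action = m.group(1)
            if action == "SERVICE_TICKET_CREATED":
                created[ticket] = when
            elif action.startswith("SERVICE_TICKET_VALIDATE") and ticket in created:
                delay = (when - created.pop(ticket)).total_seconds()
                results.append((ticket, action, delay))
    return results

def exceeding(delays, ttl_seconds):
    """Validation attempts that arrived after a given ST timeout."""
    return [d for d in delays if d[2] > ttl_seconds]
```

Running `exceeding(validation_delays(log_text), ttl)` for candidate timeouts shows how many validations each value would have rejected; a service ticket is single-use, so the timeout only needs to cover the slowest legitimate redirect-and-validate round trip.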


From: Dmitriy Kopylenko [mailto:[email protected]]
Sent: Thursday, January 24, 2013 6:57 AM
To: [email protected]
Subject: Re: [cas-user] Ticket validation failed when IP changed ?

From the log entries, it seems that the ST in question has expired, therefore 
it is considered invalid.

Dmitriy.

Sent from my iPhone

On Jan 24, 2013, at 4:45, Hendrik Coetzee <[email protected]> wrote:
Good day,

We have an intermittent error that appears on ticket expiry,
here is what we can see in the logs from the catalina.out file:
2013-01-23 14:54:05,556 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za] for service [https://vula.uct.ac.za:443/sakai-login-tool/container] for user [<userid>]>
2013-01-23 14:54:05,557 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: <userid>
WHAT: ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za for https://vula.uct.ac.za:443/sakai-login-tool/container
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jan 23 14:54:05 SAST 2013
CLIENT IP ADDRESS: 93.186.23.81
SERVER IP ADDRESS: 137.158.154.74
=============================================================
2013-01-23 14:54:25,982 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za] has expired.>
2013-01-23 14:54:25,982 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Wed Jan 23 14:54:25 SAST 2013
CLIENT IP ADDRESS: 137.158.155.16
SERVER IP ADDRESS: 137.158.154.74
=============================================================

On the Apache side the following can be detected:

[23/Jan/2013:14:54:25 +0200] 93.186.31.83 TLSv1 DHE-RSA-AES128-SHA "GET /sakai-login-tool/container?ticket=ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za HTTP/1.1" 749 "https://login.uct.ac.za/cas/login?service=https%3A%2F%2Fvula.uct.ac.za%3A443%2Fsakai-login-tool%2Fcontainer" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en-GB) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.342 Mobile Safari/534.11+" 13467 13364 500

Sakai tomcat app server logs:

2013-01-23 14:54:25,987 WARN ajp-bio-8009-exec-723 org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter - org.jasig.cas.client.validation.TicketValidationException:
                ticket 'ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za' not recognized

org.jasig.cas.client.validation.TicketValidationException:
                ticket 'ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za' not recognized

        at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:86)
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217)
        at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:165)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:695)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:200)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662

Any ideas on what could be causing this ?

Current Configuration:
CAS      3.5.1
Mysql  5.0.96
Maven 3.0.4
Tomcat 7.0.28
Jdk 1.7.0_06

Thanks

Bernard



--
You are currently subscribed to 
[email protected]<mailto:[email protected]> as: 
[email protected]<mailto:[email protected]>
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
