I belive that you can set this in the cas.properties file:
## # Service Ticket Timeout # Default sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml # # Service Ticket timeout - typically kept short as a control against replay attacks, default is 10s. You'll want to # increase this timeout if you are manually testing service ticket creation/validation via tamperdata or similar tools # st.timeToKillInSeconds=10 From: Hendrik Coetzee [mailto:[email protected]] Sent: Friday, January 25, 2013 2:24 AM To: [email protected] Subject: RE: [cas-user] Ticket validation failed when IP changed ? Looks correct on this – Thanks ! >From “serviceTicketExpirationPolicy.xml” default set to… <util:constant id="SECONDS" static-field="java.util.concurrent.TimeUnit.SECONDS"/> <bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy" c:numberOfUses="1" c:timeToKill="${st.timeToKillInSeconds:10}" c:timeUnit-ref="SECONDS"/> Changing to a minute and keeping an eye on responses on log-file. Perfect ! Cheers From: Ohsie, David [mailto:[email protected]] Sent: 24 January 2013 05:44 PM To: [email protected] Subject: RE: [cas-user] Ticket validation failed when IP changed ? > Thanks gents, > As stated this is not a problem happening continuously, but today we had an > occurrence of 26 vs. 3514 successful logins. > Also I ruled out the timeout as seen on the log, it is within minutes of the > original request... The default ST (Service Ticket) expiration period is very short (10 seconds). In your example below, the delay to validate the ticket is 20 seconds. It makes perfect sense that you see this only intermittently, because only intermittently will you see validations that take more than the ST expiration interval. I suggest bumping up your ST expiration period to 1 minute or so. You can parse through the logs to see how long ST validations are taking and adjust appropriately. > One of the differences that is apparent is the differing IP's, but I am > unsure if changing IP's causes ticket validation to fail ? > Any clues appreciated. David Ohsie Software Architect EMC Corporation From: Dmitriy Kopylenko [mailto:[email protected]] Sent: Thursday, January 24, 2013 6:57 AM To: [email protected] Subject: Re: [cas-user] Ticket validation failed when IP changed ? >From the log entries, it seems that the ST in question has expired, therefore >it is considered invalid. Dmitriy. Sent from my iPhone On Jan 24, 2013, at 4:45, Hendrik Coetzee <[email protected]> wrote: Good day, We have an intermitted error that appears on ticket expiry, here is what we can see in the logs from the catalina.out file: 2013-01-23 14:54:05,556 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za] for service [https://vula.uct.ac.za:443/sakai-login-tool/container] for user [<userid>]> 2013-01-23 14:54:05,557 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: <userid> WHAT: ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za for https://vula.uct.ac.za:443/sakai-login-tool/container ACTION: SERVICE_TICKET_CREATED APPLICATION: CAS WHEN: Wed Jan 23 14:54:05 SAST 2013 CLIENT IP ADDRESS: 93.186.23.81 SERVER IP ADDRESS: 137.158.154.74 ============================================================= 2013-01-23 14:54:25,982 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za] has expired.> 2013-01-23 14:54:25,982 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: audit:unknown WHAT: ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za ACTION: SERVICE_TICKET_VALIDATE_FAILED APPLICATION: CAS WHEN: Wed Jan 23 14:54:25 SAST 2013 CLIENT IP ADDRESS: 137.158.155.16 SERVER IP ADDRESS: 137.158.154.74 ============================================================= On the Apache side the following can be detected: [23/Jan/2013:14:54:25 +0200] 93.186.31.83 TLSv1 DHE-RSA-AES128-SHA "GET /sakai-login-tool/container?ticket=ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za HTTP/1.1" 749 "https://login.uct.ac.za/cas/login?service=https%3A%2F%2Fvula.uct.ac.za%3A443%2Fsakai-login-tool%2Fcontainer"; "Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en-GB) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.342 Mobile Safari/534.11+" 13467 13364 500 Sakai tomcat app server logs: 2013-01-23 14:54:25,987 WARN ajp-bio-8009-exec-723 org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter - org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za' not recognized org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za' not recognized at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:86) at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217) at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:165) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:695) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:200) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) at java.lang.Thread.run(Thread.java:662 Any ideas on what could be causing this ? Current Configuration: CAS 3.5.1 Mysql 5.0.96 Maven 3.0.4 Tomcat 7.0.28 Jdk 1.7.0_06 Thanks Bernard _____ UNIVERSITY OF CAPE TOWN This e-mail is subject to the UCT ICT policies and e-mail disclaimer published on our website at http://www.uct.ac.za/about/policies/emaildisclaimer/ or obtainable from +27 21 650 9111. This e-mail is intended only for the person(s) to whom it is addressed. If the e-mail has reached you in error, please notify the author. If you are not the intended recipient of the e-mail you may not use, disclose, copy, redirect or print the content. If this e-mail is not related to the business of UCT it is sent by the sender in the sender's individual capacity. -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
smime.p7s
Description: S/MIME cryptographic signature
