Hi Matt,

I submitted the patch, but it seems no one is interested in giving it a review. This patch has been in my production system for a while and has successfully combated rogue clients that continuously consumed STs but made no attempt to validate them.
-Ken

On Fri, Apr 12, 2013 at 10:06 PM, Matt Elson <[email protected]> wrote:

> Hi all,
>
> Hope this is the right list for this, but I'm having trouble using the
> ThrottledUseAndTimeoutExpirationPolicy. Namely, it results in every
> service ticket causing an immediate expire. The bug here:
> https://issues.jasig.org/browse/CAS-1246 describes what I'm encountering
> and has a patch that will fix the issue (but I'm not sure if the patch
> is fully appropriate since it's bypassing having a ST check to see if
> the TGT that issued it is expired, I think - been awhile since I last
> looked at the internals).
>
> Is this analysis correct? Is the patch an appropriate fix? Am I (and
> the person reporting the bug) misunderstanding the expected behavior? I
> recently ran into a rogue client in my environment that nearly brought
> down CAS (it was endlessly requesting a new service ticket every 5
> seconds if the user left their browser open) so it'd be really nice to
> figure out a way to have a working throttle.
>
> (Right now I just have a crude if ticketState.getCountOfUsers() >
> $SomeNumberIThinkIsReasonableForAmountofUses to buy me some time).
>
> Matt
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
