On 08/09/2013 02:22 PM, Marvin S. Addison wrote:
> You should configure both cache expiration/eviction semantics and CAS
> ticket expiration policy. For service tickets it's pretty easy to
> configure both such that they're semantically equivalent; set the TTL on
> the cache entry to equal the absolute expiration period of a ticket. For
> ticket-granting tickets, on the other hand, you can implement more
> complex policies than that of a simple cache entry TTL. If you're using
> the default sliding expiration policy for TGTs, then you'd want the
> cache TTL to equal the maximum lifetime of a ticket. The sliding window
> should be substantially less than the maximum lifetime; for example 8h
> maximum and 2h sliding window.
Thanks for the clarification; and if I only want to set a maximum
lifetime, ignoring when last used, I guess I'd set them to be equal (as
long as TTL >= TTK)?
> st.timeToKillInSeconds=X
> tgt.maxTimeToLiveInSeconds=Y
> tgt.timeToKillInSeconds=Y
Cf. TicketGrantingTicketExpirationPolicy.java
> public boolean isExpired(final TicketState ticketState) {
>     // Ticket has been used, check maxTimeToLive (hard window)
>     if ((System.currentTimeMillis() - ticketState.getCreationTime() >=
>             maxTimeToLiveInMilliSeconds)) {
>         if (log.isDebugEnabled()) {
>             log.debug("Ticket is expired due to the time since creation being greater than the maxTimeToLiveInMilliSeconds");
>         }
>         return true;
>     }
>
>     // Ticket is within hard window, check timeToKill (sliding window)
>     if ((System.currentTimeMillis() - ticketState.getLastTimeUsed() >=
>             timeToKillInMilliSeconds)) {
>         if (log.isDebugEnabled()) {
>             log.debug("Ticket is expired due to the time since last use being greater than the timeToKillInMilliseconds");
>         }
>         return true;
>     }
>
>     return false;
> }
Thanks.
Tom.
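
Added example, not part of the original message or of the CAS code base: a stand-alone simulation of the two checks in the quoted isExpired(), run with explicit clock values for an 8h/2h policy and for a policy where timeToKill equals maxTimeToLive. The class name TgtExpiryDemo, the helper expiresAt and the usage patterns are assumptions made for illustration.

```java
import java.util.concurrent.TimeUnit;

/** Illustration only: the hard-window and sliding-window tests with an injected clock. */
public class TgtExpiryDemo {

    // Same order as the quoted method: hard window first, then sliding window.
    static boolean isExpired(long now, long created, long lastUsed, long maxTtlMs, long ttkMs) {
        if (now - created >= maxTtlMs) {
            return true;                // age since creation reached the hard limit
        }
        return now - lastUsed >= ttkMs; // idle time since last use reached the sliding limit
    }

    /**
     * Simulates a TGT created at t=0 that is used every useEveryMs until stopUsingAtMs.
     * Returns the first simulated time (ms, one-minute steps) at which it is expired.
     * The loop always ends because the hard window is finite.
     */
    static long expiresAt(long maxTtlMs, long ttkMs, long useEveryMs, long stopUsingAtMs) {
        long lastUsed = 0;
        long step = TimeUnit.MINUTES.toMillis(1);
        for (long now = 0; ; now += step) {
            if (isExpired(now, 0, lastUsed, maxTtlMs, ttkMs)) {
                return now;
            }
            if (now > 0 && now <= stopUsingAtMs && now % useEveryMs == 0) {
                lastUsed = now;         // a successful use slides the idle window forward
            }
        }
    }

    public static void main(String[] args) {
        long h = TimeUnit.HOURS.toMillis(1);
        // Continuously used ticket: only the hard window can end it.
        System.out.println("8h/2h, used hourly:   " + expiresAt(8 * h, 2 * h, h, Long.MAX_VALUE) / h + "h");
        // Ticket abandoned after 3h: the sliding window ends it before the hard limit.
        System.out.println("8h/2h, idle after 3h: " + expiresAt(8 * h, 2 * h, h, 3 * h) / h + "h");
        // timeToKill == maxTimeToLive: lastUsed >= created, so the idle check
        // can never become true before the hard check does.
        System.out.println("8h/8h, idle after 3h: " + expiresAt(8 * h, 8 * h, h, 3 * h) / h + "h");
    }
}
```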