On 08/09/2013 02:22 PM, Marvin S. Addison wrote:
> You should configure both cache expiration/eviction semantics and CAS
> ticket expiration policy. For service tickets it's pretty easy to
> configure both such that they're semantically equivalent; set the TTL on
> the cache entry to equal the absolute expiration period of a ticket. For
> ticket-granting tickets, on the other hand, you can implement more
> complex policies than that of a simple cache entry TTL. If you're using
> the default sliding expiration policy for TGTs, then you'd want the
> cache TTL to equal the maximum lifetime of a ticket. The sliding window
> should be substantially less than the maximum lifetime; for example 8h
> maximum and 2h sliding window.

Thanks for the clarification; and if I only want to set a maximum
lifetime, ignoring when last used, I guess I'd set them to be equal (as
long as TTL >= TTK)?

> st.timeToKillInSeconds=X
> tgt.maxTimeToLiveInSeconds=Y
> tgt.timeToKillInSeconds=Y

Cf. TicketGrantingTicketExpirationPolicy.java

>     public boolean isExpired(final TicketState ticketState) {
>         // Ticket has been used, check maxTimeToLive (hard window)
>         if ((System.currentTimeMillis() - ticketState.getCreationTime() >= maxTimeToLiveInMilliSeconds)) {
>             if (log.isDebugEnabled()) {
>                 log.debug("Ticket is expired due to the time since creation being greater than the maxTimeToLiveInMilliSeconds");
>             }
>             return true;
>         }
> 
>         // Ticket is within hard window, check timeToKill (sliding window)
>         if ((System.currentTimeMillis() - ticketState.getLastTimeUsed() >= timeToKillInMilliSeconds)) {
>             if (log.isDebugEnabled()) {
>                 log.debug("Ticket is expired due to the time since last use being greater than the timeToKillInMilliseconds");
>             }
>             return true;
>         }
> 
>         return false;
>     }

Thanks.
Tom.
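
The two windows discussed in this thread, traced hour by hour; this is an added example, not part of the original message or of the CAS code base. The class `TgtExpirationDemo`, its methods, and the explicit `now` parameter (used in place of `System.currentTimeMillis()`) are assumptions made for illustration.

```java
import java.util.concurrent.TimeUnit;

/** Added illustration: the same two checks as the quoted isExpired(), with an explicit clock. */
public class TgtExpirationDemo {

    // Hypothetical stand-in for the policy: hard window (maxTimeToLive), then sliding window (timeToKill).
    static boolean isExpired(long now, long creationTime, long lastTimeUsed,
                             long maxTimeToLiveMs, long timeToKillMs) {
        if (now - creationTime >= maxTimeToLiveMs) {
            return true; // hard window exceeded, regardless of recent use
        }
        return now - lastTimeUsed >= timeToKillMs; // sliding window exceeded
    }

    /**
     * Walks a constructed timeline in one-hour steps and returns the first hour at which
     * the ticket is reported expired. useEveryHours == 0 means the ticket is never used
     * after creation. Returns -1 if it is still valid after 48 hours.
     */
    static int firstExpiredHour(int maxHours, int killHours, int useEveryHours) {
        long max = TimeUnit.HOURS.toMillis(maxHours);
        long kill = TimeUnit.HOURS.toMillis(killHours);
        long created = 0;
        long lastUsed = 0; // a new ticket starts with lastTimeUsed == creationTime
        for (int h = 1; h <= 48; h++) {
            long now = TimeUnit.HOURS.toMillis(h);
            if (isExpired(now, created, lastUsed, max, kill)) {
                return h;
            }
            if (useEveryHours > 0 && h % useEveryHours == 0) {
                lastUsed = now; // a successful use slides the window forward
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // 8h maximum with a 2h sliding window: the example values from the thread.
        System.out.println("8h/2h, used hourly -> expired at hour " + firstExpiredHour(8, 2, 1));
        System.out.println("8h/2h, never used  -> expired at hour " + firstExpiredHour(8, 2, 0));
        // Both settings equal: lastTimeUsed is never earlier than creationTime,
        // so the hard-window check always trips first and use no longer matters.
        System.out.println("8h/8h, used hourly -> expired at hour " + firstExpiredHour(8, 8, 1));
        System.out.println("8h/8h, never used  -> expired at hour " + firstExpiredHour(8, 8, 0));
    }
}
```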


