Odd I don't see that my pgtIou maps to a pgtId that has the value TGT-194-1ZqXml002fRG5QEHPDueBxyXb6K5LnDD9tgawWJYbQ5yDFf56d-newcasdev2
and a subsequent request for a PT using this pgtId:

GET https://[cas-server]/cas/proxy?targetService=https://[cas-server]/cas/clearPass&pgt=TGT-194-1ZqXml002fRG5QEHPDueBxyXb6K5LnDD9tgawWJYbQ5yDFf56d-newcasdev2

returns

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:proxySuccess>
        <cas:proxyTicket>ST-32-EokXCwsfKCAASAcCODv7-newcasdev2</cas:proxyTicket>
    </cas:proxySuccess>
</cas:serviceResponse>

So PGT and PT tickets have the prefixes TGT and ST.....

--------------------------

I have another issue maybe with using the ehcache replicated config

https://wiki.jasig.org/display/CASUM/EhcacheTicketRegistry
points to
https://github.com/Jasig/cas/blob/master/cas-server-integration-ehcache/src/test/resources/ticketRegistry.xml

This file shows the ticketGrantingTicketsCache not having the parent="abstractTicketCache"

Is this a bug? I've noticed that any cache bootstrapping does not involve the ticketGrantingTicketsCache................

Cheers

On Tuesday, 29 October 2013 19:12:30 UTC, Misagh Moayyed wrote:
>
> CAS protocol requires that: <Proxy-granting tickets SHOULD begin with the
> characters, "PGT-">
>
> So you could potentially do something like: "if the ticket id begins with
> "PGT then ..."
>
> -Misagh
> ------------------------------
> *From: *"n99" <[email protected]>
> *To: *[email protected]
> *Cc: *[email protected],
> [email protected],
> [email protected]
> *Sent: *Tuesday, October 29, 2013 9:14:43 AM
> *Subject: *Re: [cas-user] cas 3.5.1 PGT replication using ehcache
> replication
>
> thanks - will do.
> how would I recognise a PGT by its id?
> Cheers
>
> On Monday, 28 October 2013 17:20:50 UTC, Misagh Moayyed wrote:
>>
>> Thanks for the update. Splitting the proxy cache separate from the TGT/ST
>> cache sounds like a plausible change.
>> I'd encourage you to file a JIRA
>> against 4.1 release or later as the change ideally would require a logical
>> separation of PGTs and PTs from their counterparts and that's a rather big
>> change to the codebase.
>>
>> For the time being, and if you do actually require to replicate PGTs
>> separately and synchronously separate from TGTs, you'd have to do a bit of
>> coding to only recognize a PGT by its id and put it into a separate cache
>> instance.
>>
>> -Misagh
>> ------------------------------
>> *From: *"n99" <[email protected]>
>> *To: *[email protected]
>> *Cc: *[email protected], [email protected],
>> [email protected]
>> *Sent: *Monday, October 28, 2013 8:07:17 AM
>> *Subject: *Re: [cas-user] cas 3.5.1 PGT replication using ehcache
>> replication
>>
>> Hi
>> please see below
>>
>> On Thursday, 24 October 2013 18:27:20 UTC+1, Misagh Moayyed wrote:
>>>
>>> Sounds like what you're describing isn't so much about clearpass than it
>>> is about how proxy tickets are treated in CAS.
>>>
>>
>> yes, but specifically how TGTs are treated in a CAS that has been
>> configured to replicate using the provided ehcache module available from
>> version 3.5 onwards
>>
>>
>>> Just to be clear, when you mention "slowly", you are actually referring
>>> to synchronicity and not performance measures of the replication, correct?
>>>
>> yes
>>
>>>
>>> Wouldn't you be able to replicate TGTs synchronously?
>>>
>> I would think so and I will test this. I've already
>> tried severely dropping the replicationInterval in
>> the ticketRMIAsynchronousCacheReplicator and this helps.
>>
>>>
>>> PGTs and PTs are vicarious in the CAS codebase and aren't yet first
>>> class citizens. If you do require to distinguish between them, you probably
>>> would have to rely on ticket IDs for now.
>>>
>>
>> I think the main issue is that in a clustered CAS setup, using the
>> recommended ehcache maven overlay configured module, that the caching
>> config
>> supplied doesn't support installers who then want to use CAS Proxying as
>> they will find the provided ehcache config will replicate their TGTs too
>> slowly and cause errors when trying to get PTs
>> Cheers
>>
>>>
>>> -Misagh
>>> ------------------------------
>>> *From: *"n99" <[email protected]>
>>> *To: *[email protected]
>>> *Sent: *Wednesday, October 23, 2013 3:37:21 AM
>>> *Subject: *[cas-user] cas 3.5.1 PGT replication using ehcache
>>> replication
>>>
>>> Hi
>>>
>>> We are using cas-server-extension-clearpass (using cas proxy tickets)
>>> and cas-server-integration-ehcache modules together in cas 3.5.1.
>>>
>>> Looking at the ticketRegistry.xml file it says
>>>
>>> <bean id="ticketGrantingTicketsCache"
>>>       class="org.springframework.cache.ehcache.EhCacheFactoryBean" >
>>>     <description>
>>>         Ticket Granting Tickets (TGT) are valid for the lifetime of
>>>         the SSO Session. They become invalid either
>>>         by expiration policy (default 2 hours idle, 8 hours max) or
>>>         by explicit user sign off via /cas/login.
>>>         The TGT cache can be replicated slowly because TGT are only
>>>         manipulated via web user started operations
>>>         (mostly grant service ticket) and thus benefit of web
>>>         session affinity.
>>>     </description>
>>>
>>>     <property name="cacheName"
>>>               value="org.jasig.cas.ticket.TicketGrantingTicket" />
>>>
>>>     <property name="cacheEventListeners">
>>>         <ref local="ticketRMIAsynchronousCacheReplicator"/>
>>>     </property>
>>>
>>> ................
>>>
>>>
>>> Use of TGTs does seem to be tied to web user started operations in a
>>> browser where you are stuck to one node and so maybe can be replicated
>>> slowly.
>>> However if you are using PGTs to obtain a PT it seems PGTs go into the
>>> same cache as TGTs and are replicated slowly as well?
>>>
>>> However getting a PT using a PGT can be done in code and so you can't
>>> rely on hitting the same node which means you can fall foul of the slower
>>> replication of PGTs if:
>>>
>>> You get the PGT from node 1
>>> Form a request in code using this PGT that goes to node 2 to obtain your
>>> PT.
>>>
>>> Are the use of both cas-server-extension-clearpass (using cas proxy
>>> tickets) and cas-server-integration-ehcache modules together not supported
>>> or do I simply need to tune my ticketRMIAsynchronousCacheReplicator?
>>>
>>> The code in
>>> cas-server-3.5.1/cas-server-integration-ehcache/src/main/java/org/jasig/cas/ticket/registry/EhCacheTicketRegistry.java
>>> says
>>>
>>>
>>> public void addTicket(final Ticket ticket) {
>>>     final Element element = new Element(ticket.getId(), ticket);
>>>     if (ticket instanceof ServiceTicket) {
>>>         log.debug("Adding service ticket {} to the cache", ticket.getId(), this.serviceTicketsCache.getName());
>>>         this.serviceTicketsCache.put(element);
>>>     } else if (ticket instanceof TicketGrantingTicket) {
>>>         log.debug("Adding ticket granting ticket {} to the cache {}", ticket.getId(), this.ticketGrantingTicketsCache.getName());
>>>         this.ticketGrantingTicketsCache.put(element);
>>>     } else {
>>>         throw new IllegalArgumentException("Invalid ticket type " + ticket);
>>>     }
>>> }
>>>
>>> So doesn't seem to distinguish between TGTs and PGTs
>>>
>>> Any advice or recommendation to open a JIRA appreciated
>>>
>>> Thanks
>>>
>>> --
>>> You are currently subscribed to [email protected] as:
>>> [email protected]
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
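
The race described in the original post (PGT issued on node 1, proxy request reaching node 2 before the asynchronous replicator has run) and the suggested workaround of replicating PGTs synchronously, as an added simulation that is not CAS code and not from any poster in this thread. Node, is_pgt, run and the ticket IDs are constructed for illustration; because the IDs at the top of the thread carry a TGT- prefix, the classifier also assumes a granting ticket with a parent granting ticket is a PGT.

```python
# Added illustration, not CAS code: two nodes, one ticket registry view each.
# Node, is_pgt, run and all ticket IDs are constructed for this sketch.

class Node:
    def __init__(self, name):
        self.name = name
        self.store = {}      # ticket id -> ticket (this node's registry view)
        self.peers = []
        self.pending = []    # tickets waiting for the next async replication run

    def add_ticket(self, ticket, pgt_sync):
        self.store[ticket["id"]] = ticket
        if pgt_sync and is_pgt(ticket):
            for peer in self.peers:       # synchronous: peers updated before return
                peer.store[ticket["id"]] = ticket
        else:
            self.pending.append(ticket)   # asynchronous: waits for flush()

    def flush(self):
        """Models the asynchronous replicator firing after replicationInterval."""
        for ticket in self.pending:
            for peer in self.peers:
                peer.store[ticket["id"]] = ticket
        self.pending.clear()

    def can_issue_pt(self, pgt_id):
        """Models /cas/proxy: a PT is issued only if this node knows the PGT."""
        return pgt_id in self.store


def is_pgt(ticket):
    # Prefix test from the reply, plus a structural fallback (assumption):
    # a granting ticket with a parent granting ticket is a proxy-granting ticket.
    return ticket["id"].startswith("PGT-") or ticket.get("parent") is not None


def run(pgt_sync, pgt_id):
    n1, n2 = Node("node1"), Node("node2")
    n1.peers, n2.peers = [n2], [n1]
    n1.add_ticket({"id": "TGT-1-constructed", "parent": None}, pgt_sync)
    n1.add_ticket({"id": pgt_id, "parent": "TGT-1-constructed"}, pgt_sync)
    before = n2.can_issue_pt(pgt_id)   # client code hits node 2 straight away
    n1.flush()
    after = n2.can_issue_pt(pgt_id)    # same request after the interval elapsed
    return before, after
```

With `pgt_sync=False` the first proxy request at node 2 fails and only succeeds after the flush; with `pgt_sync=True` it succeeds immediately, including for a PGT whose ID starts with TGT-.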
