Could you please check the new (Java 8 based) implementation of TicketGrantingTicketExpirationPolicy.isExpired?
To my opinion the timeToKill check (sliding window) is not correct: public boolean isExpired(final TicketState ticketState) { final ZonedDateTime currentSystemTime = ZonedDateTime.now(ZoneOffset .UTC); final ZonedDateTime creationTime = ticketState.getCreationTime(); // Ticket has been used, check maxTimeToLive (hard window) // ... // Ticket is within hard window, check timeToKill (sliding window) expirationTime = creationTime.plus(this.timeToKillInMilliSeconds, ChronoUnit.MILLIS); if (ticketState.getLastTimeUsed().isAfter(expirationTime)) { LOGGER.debug("Ticket is expired because the time since last use is greater than timeToKillInMilliseconds"); return true; } return false; } Looking at the 4.2.2 implementation it should be something like this public boolean isExpired(final TicketState ticketState) { final ZonedDateTime currentSystemTime = ZonedDateTime.now(ZoneOffset .UTC); final ZonedDateTime creationTime = ticketState.getCreationTime(); // ... /* 4.2.2 final long currentSystemTimeInMillis = System.currentTimeMillis(); ... // Ticket is within hard window, check timeToKill (sliding window) if (currentSystemTimeInMillis - ticketState.getLastTimeUsed() >= timeToKillInMilliSeconds) { LOGGER.debug("Ticket is expired because the time since last use is greater than timeToKillInMilliseconds"); return true; } */ // Ticket is within hard window, check timeToKill (sliding window) expirationTime = ticketState.getLastTimeUsed().plus(this. timeToKillInMilliSeconds, ChronoUnit.MILLIS); if (currentSystemTime.isAfter(expirationTime)) { LOGGER.debug("Ticket is expired because the time since last use is greater than timeToKillInMilliseconds"); return true; } return false; } Thx! Best regards Axel -- CAS gitter chatroom: https://gitter.im/apereo/cas CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html CAS documentation website: https://apereo.github.io/cas CAS project website: https://github.com/apereo/cas --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To post to this group, send email to cas-user@apereo.org. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1ecb8a15-d8ff-4283-9eee-1ad7ba2da2aa%40apereo.org. For more options, visit https://groups.google.com/a/apereo.org/d/optout.