On 2010-11-08, at 2:47 PM, scott.battag...@gmail.com wrote:

> Ray,
>
> Apparently the original issue got lost. Can you open a jira issue for this?
> We're already looking at serialization issues in 3.5 but we should see which
> ones we can resolve in 3.4.4.
>
> The issue of proxy tgt/tgt timeout is unrelated to serialization issues. I'll
> comment on that later when I'm on a real keyboard.

Scott, I would like to hear your thoughts on the PGT/TGT timeout issue.

> Cheers
> Scott
>
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: Ray Davison <r...@sfu.ca>
> Date: Mon, 08 Nov 2010 14:05:15
> To: <cas-dev@lists.jasig.org>
> Reply-To: cas-dev@lists.jasig.org
> Subject: [cas-dev] ProxyGrantingTicket expiration policy/difficulties
>
> Back on March 20, 2010 and April 22, 2010, Mihir Patel pointed out a problem
> with ProxyGrantingTickets not being invalidated properly when the granting
> TGT was expired. He then showed a solution that modified the isExpired method
> in AbstractTicket.
>
> After many years of using CAS at Simon Fraser University, we finally had a
> project that will make heavy use of Proxy tickets, and almost immediately ran
> into similar, but more extensive, problems with PGTs.
>
> Part of the problem is similar to what Mihir found, but we ran into it from
> the other side. We had the PGT expiring even though the PGT and granting TGT
> were being kept alive. This problem was exactly the same as Mihir's, in that
> the serialization of the PGT in the Cache (MemCache in our case) broke the
> link with the granting TGT.
>
> We found another problem as well, and I am not sure if it was a design
> decision to have it work like it does, or an oversight. The problem is that
> if the PGT is being actively used, but the granting TGT is not, then the TGT
> will eventually time out and render the PGT invalid. The application that has
> the PGT has no way of keeping the TGT alive. It seems to me that when a PGT
> is used to generate a PT, this should be registered as a use of the granting
> TGT as well.
--
Ray Davison
Senior Systems Consultant
Institutional, Collaborative, and Academic Technologies (ICAT)
University Computing Services
Simon Fraser University
778-782-4448
r...@sfu.ca
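
The serialization problem described in the message above, as an added example that is not part of the thread and is not CAS code: when each ticket is stored in a cache as its own serialized entry, the PGT entry carries a private copy of its granting TGT, and keeping the real TGT alive never refreshes that copy. The Ticket class, its fields, the timeout values and the byte-array "registry" are hypothetical simplifications chosen for illustration.

```java
import java.io.*;

// Hypothetical, simplified ticket model for illustration; not the CAS classes.
public class DetachedGrantingTicketDemo {
    static class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final Ticket grantingTicket;   // null for a top-level TGT
        final long timeToKillMs;       // assumed idle-timeout policy
        long lastUsedMs;

        Ticket(String id, Ticket grantingTicket, long timeToKillMs, long nowMs) {
            this.id = id;
            this.grantingTicket = grantingTicket;
            this.timeToKillMs = timeToKillMs;
            this.lastUsedMs = nowMs;
        }
        void touch(long nowMs) { lastUsedMs = nowMs; }
        // Expired if idle too long, or if the granting ticket it references is expired.
        boolean isExpired(long nowMs) {
            return nowMs - lastUsedMs > timeToKillMs
                || (grantingTicket != null && grantingTicket.isExpired(nowMs));
        }
    }
    // Stand-in for a cache-backed registry: entries exist only as serialized bytes.
    static byte[] store(Ticket t) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(t); }
        return buf.toByteArray();
    }
    static Ticket load(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Ticket) in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        Ticket tgt = new Ticket("TGT-1", null, 1000, 0);
        Ticket pgt = new Ticket("PGT-1", tgt, 1000, 0);
        byte[] tgtEntry = store(tgt);
        byte[] pgtEntry = store(pgt);   // serializes its own private copy of TGT-1

        // t=800: both tickets are used and written back, each under its own key.
        Ticket t1 = load(tgtEntry); t1.touch(800); tgtEntry = store(t1);
        Ticket p1 = load(pgtEntry); p1.touch(800); pgtEntry = store(p1);

        // t=1500: the registry's TGT entry is fresh, but the copy embedded in the
        // PGT entry was never touched, so the PGT evaluates against stale state.
        System.out.println("TGT expired: " + load(tgtEntry).isExpired(1500));
        System.out.println("PGT expired: " + load(pgtEntry).isExpired(1500));
    }
}
```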