Thoughts?

I can correlate STs generated/validated per AUTHENTICATION_SUCCESS, though 
that's imperfect for e.g. those simultaneously using multiple devices/browsers. 
Here's what we're trying to do:

Several CAS client implementations/users at times get into an ST 
request/validation loop at, say, up to 150-200 times per second. A user not 
paying attention may (and does) walk away from their browser, and it goes on 
and on. I've recorded one session that looped over 14,000 times before 
stopping. This cannot be fixed by the CAS "brute force" authentication 
feature; the user is already authenticated. This places undue load on the CAS 
servers, network, cache replication, ....

The exact series of redirects/GETs/... in virtually every case evades browser 
"this request will never complete" detection. Something about the 
protocol/implementation perhaps includes a GET that doesn't return a redirect, 
which resets browser loop-detection.

We've never been able to pinpoint exactly why. Some affected CAS clients we 
run, so we can observe two (of the three) sides of the equation (the 3rd being 
the user), and still can't explain why.

We've thought of putting mod_security in front of CAS and writing rules to 
trigger an error page when the number of ST requests per user per service 
exceeds a threshold within a given amount of time. For now, we've decided to 
extend the CAS server code so TGTs can have a maximum use count, just like STs. 
When the use count is exceeded, CAS stops and prompts with the login page. Very 
simple.

My attempt at measuring the statistics is to decide on a reasonable use count 
threshold, taking into account the number of services one logs into in the 
lifetime of a session plus how many times one re-logs into the same service, 
separating that from outright looping.

Thanks.
Tom.
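
The TGT -> username -> ST trace and loop detection described above, as an added example that is not part of the thread or of the CAS project. It assumes the single-line Inspektr field order visible in the quoted record (when|application|what|action|who|clientIP|serverIP), assumes SERVICE_TICKET_CREATED records carry "ST-... for <service>" in the "what" field, and uses constructed sample records and hypothetical window/threshold values (5 s, 10 s, 50 STs).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Assumed single-line Inspektr layout, as in the quoted record (samples below are constructed):
# when|application|what|action|who|clientIP|serverIP
WHEN_RE = re.compile(r'^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \w+ (\d{4})$')

def parse(line):
    f = line.rsplit('] - ', 1)[-1].split('|')      # drop the log4j prefix, keep the record
    if len(f) != 7:
        return None
    w = WHEN_RE.match(f[0])                        # strip the zone name; %Z would reject "PST"
    when = datetime.strptime(f'{w.group(1)} {w.group(2)}', '%a %b %d %H:%M:%S %Y')
    return when, f[2], f[3], f[4], f[5]            # when, what, action, who, clientIP

def analyze(lines, auth_window=5.0, loop_window=10.0, loop_threshold=50):
    # TGT -> user -> ST via client IP and time; imperfect when one IP carries several browsers
    last_auth, last_tgt, tgt_user, loops = {}, {}, {}, set()
    use_count = defaultdict(int)   # TGT -> STs issued: data for choosing a max-use threshold
    recent = defaultdict(deque)    # (TGT, service) -> ST timestamps inside loop_window
    for when, what, action, who, ip in filter(None, map(parse, lines)):
        if action == 'AUTHENTICATION_SUCCESS':
            last_auth[ip] = (when, who)
        elif action == 'TICKET_GRANTING_TICKET_CREATED':
            auth = last_auth.get(ip)
            fresh = auth is not None and (when - auth[0]).total_seconds() <= auth_window
            tgt_user[what] = auth[1] if fresh else 'unknown'
            last_tgt[ip] = what
        elif action == 'SERVICE_TICKET_CREATED' and ip in last_tgt:
            tgt, service = last_tgt[ip], what.split(' for ', 1)[-1]
            use_count[tgt] += 1
            q = recent[(tgt, service)]
            q.append(when)
            while (when - q[0]).total_seconds() > loop_window:
                q.popleft()
            if len(q) > loop_threshold:
                loops.add((tgt_user[tgt], tgt, service))
    return tgt_user, dict(use_count), loops

def sample_lines():
    # Constructed: one login, two ordinary services, then 60 STs for one service within a second
    t0 = datetime(2017, 2, 27, 0, 0, 9)
    def rec(when, what, action, who='audit:unknown'):
        return f"[Audit] - {when:%a %b %d %H:%M:%S} PST {when:%Y}|CAS|{what}|{action}|{who}|10.0.0.5|cas1"
    lines = [rec(t0, 'supplied credentials: [alice]', 'AUTHENTICATION_SUCCESS', 'alice'),
             rec(t0, 'TGT-1-constructed', 'TICKET_GRANTING_TICKET_CREATED'),
             rec(t0 + timedelta(seconds=2), 'ST-1-c for https://mail.example.edu/', 'SERVICE_TICKET_CREATED'),
             rec(t0 + timedelta(minutes=3), 'ST-2-c for https://wiki.example.edu/', 'SERVICE_TICKET_CREATED')]
    lines += [rec(t0 + timedelta(minutes=5), f'ST-{i}-c for https://loop.example.edu/', 'SERVICE_TICKET_CREATED')
              for i in range(3, 63)]
    return lines
```

Feeding real audit lines through analyze() gives per-TGT use counts to size the threshold against, with the looping sessions separated out by the (user, TGT, service) tuples it returns.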

> On Feb 27, 2017, at 5:38 PM, Tom Poage <tfpo...@ucdavis.edu> wrote:
> 
> CAS 4.2.6
> 
> Think I'm missing something. Want to collect ST usage by user session from 
> CAS (audit) logs and cannot find how to (w/o coding) inject username into the 
> TGT creation log, cf.
> 
> 2017-02-27 00:00:09,169 INFO 
> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Feb 27 
> 00:00:09 PST 
> 2017|CAS|TGT-**********...|TICKET_GRANTING_TICKET_CREATED|audit:unknown|{clientIP}|{servername}
> 
> Effectively, I'd like to trace TGT-> username -> ST from logs to end up with 
> per-(anonymized)user ST statistics.
> 
> Tried working my way through the code, but can only find what looks like the 
> Principal being made available to Inspektr with ST validation 
> (org.jasig.cas.audit.spi.AssertionAsReturnValuePrincipalResolver).
> 
> The username does end up in other log entries, such as 
> AUTHENTICATION_SUCCESS, but trying to correlate one log entry 
> (AUTHENTICATION_SUCCESS) with another (TICKET_GRANTING_TICKET_CREATED) on 
> busy servers sounds difficult.
> 
> We used to see username in TGT-creation logs on CAS 3.x. FWIW, we're using 
> LDAP authN.
> 
> Thanks.
> Tom.
> 
> -- 
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/9FDEB36F-ED95-4599-A73D-B20F38429E67%40ucdavis.edu.
