John,
https://apereo.github.io/cas/6.1.x/ticketing/Configuring-Ticket-Expiration-Policy.html
timeout.maxTimeToLive... is a hard timeout. The other is a 'must be used within
this time' to be valid. If the TGT is used within this window, the validity
will extend by that time up to timeout.maxTimeToLive...
Ray
On Mon, 2020-06-01 at 08:09 -0700, John Bond wrote:
Hello All,
In out config we set both cas.ticket.tgt.timeout.maxTimeToLiveInSeconds and
cas.ticket.tgt.maxTimeToLiveInSeconds to the same value believing theses where
the same and made a note to validate this with this group[1]. That later step
never happened and the config remained. however today i tried to implement
memcache as the ticket store and i noticed via tcpdump that CAS was setting the
memcache value with an expiry time of -1, this effectively means don't cache so
when CAS tries to fetch the ticket it doesn't exist. Checking my logs i
notice the following debug messages which seemed confusing
2020-06-01 14 05 44,597 DEBUG
[org.apereo.cas.ticket.expiration.builder.TicketGrantingTicketExpirationPolicyBuilder]
- <Ticket-granting ticket expiration policy is based on a timeout of [604800]
seconds>
2020-06-01 14 05 44,599 DEBUG
[org.apereo.cas.ticket.expiration.builder.TicketGrantingTicketExpirationPolicyBuilder]
- <Final effective time-to-live of ticket-granting ticket expiration policy is
[9223372036854775807] seconds>
memcache only supports an int for the expiry however the final value we have is
9223372036854775807, my assumption is that this at some point this gets
coalesced down to -1. however i'm curious why the final value is not 604800.
Looking at the code i see that when setting
`cas.ticket.tgt.timeout.maxTimeToLiveInSeconds` the final timeout value comes
from TimeoutExpirationPolicy.java which always returns Long.MAX_VALUE[1]. When
setting only `cas.ticket.tgt.maxTimeToLiveInSeconds` the timeout value comes
from TicketGrantingTicketExpirationPolicy.java which returns
`this.maxTimeToLiveInSeconds` which is the value i would expect. The logic
that makes this choice is in TicketGrantingTicketExpirationPolicyBuilder.java
With this in mind could someone explain the difference between the two config
items or point me to further documentation. Further it seems that the use of
cas.ticket.tgt.timeout.maxTimeToLiveInSeconds is not currently compatible with
memcache.
We are running CAS 6.5.1 on debian buster, let me know if further information
is required.
Thanks
[1]https://github.com/apereo/cas/blob/v6.1.5/core/cas-server-core-tickets-api/src/main/java/org/apereo/cas/ticket/expiration/builder/TicketGrantingTicketExpirationPolicyBuilder.java#L63-L98
[2]https://github.com/apereo/cas/blob/v6.1.5/core/cas-server-core-tickets-api/src/main/java/org/apereo/cas/ticket/expiration/TimeoutExpirationPolicy.java#L74
[3]https://github.com/apereo/cas/blob/v6.1.5/core/cas-server-core-tickets-api/src/main/java/org/apereo/cas/ticket/expiration/builder/TicketGrantingTicketExpirationPolicyBuilder.java#L70-L73
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca<mailto:r...@uvic.ca>
I respectfully acknowledge that my place of work is located within the
ancestral, traditional and unceded territory of the Songhees, Esquimalt and
WSÁNEĆ Nations.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cb37f20f7525dd1ebee05de7e10bb7833107c4d6.camel%40uvic.ca.
