Hello everybody! I have CAS 4.0 deployed in a cluster, using EH Cache distributed ticket registry.
A problem has recently appeared: Our users are sometimes logged out sooner than they should be. We have TGT validity set to 8 hours. Despite that, users are sometimes logged out much sooner, e.g. after 1 hour. Sometimes, however, they can stay logged in for the whole 8 hours. It's quite hard to reproduce the problem; I must repeatedly click in the application and check if I'm logged out or not. Has anybody encountered this issue?

I have switched debug logging on for some packages and the logs show that TGT tickets are deleted when the problem appears. Or, better said, an attempt is made to delete them but they cannot be found when they should be deleted.

destroyTicketGrantingTicket() in the central authentication service:

<Removing ticket [TGT-1-9JI9h0cgdBi6jbVJhXEgb5ieByDvb6PRmiAKL7YEDpXYuyx7tw-idc-cas-4] from registry.>
<TicketGrantingTicket [TGT-1-9JI9h0cgdBi6jbVJhXEgb5ieByDvb6PRmiAKL7YEDpXYuyx7tw-idc-cas-4] cannot be found in the ticket registry.>
<Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-1-9JI9h0cgdBi6jbVJhXEgb5ieByDvb6PRmiAKL7YEDpXYuyx7tw-idc-cas-4
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Mon Dec 08 05:16:29 EST 2014
CLIENT IP ADDRESS: 10.9.1.207
SERVER IP ADDRESS: 10.1.4.23
=============================================================
>

The URL accessed by the application is:

10.9.1.207 - - [08/Dec/2014:05:16:29 -0500] "GET /login?site=idc&service=http%3A%2F%2Fdev.idc.com%2Fj_spring_cas_security_check HTTP/1.1" 200 17457

It returns HTTP code 200 (sending the login form back) instead of 302 = redirect to the application.

I have tried both with HardTimeoutExpirationPolicy and TicketGrantingTicketExpirationPolicy, which is the default TGT policy in CAS 4. It makes no difference.

Do you have an idea what might be the cause of this faulty behavior? Is there something I should check?
I have no idea why something in CAS tries to delete the TGT when it should live for the next X hours... And why the tickets seem not to exist when they should.

Any feedback will be highly appreciated!

Best Regards,
Jarda

--------------------------------------------------
Jaroslav Kačer
IDC | Application Developer