Hi Everyone,

I have an application that makes heavy use of Proxy Tickets and am using 
Redis as a ticket registry.  When my user logs out of CAS, the PGT does not 
get destroyed but what I assume to be the parent TGT does.  I get the same 
behavior using Hazelcast.  When I use the DefaultTicketRegistry, it appears 
that both the TGT and PGT are destroyed.

Does anyone have an idea why the PGT is being cleaned up with the 
DefaultTicketRegistry but not with Redis/Hazelcast?


I've tried CAS 5.2.6 and 5.3.3 with the same results.

When the maxTimeToLiveInSeconds value expires, both the parent TGT and 
child PGT are destroyed.


I pulled down the 5.2.6 source, set the log level to DEBUG and was able to 
trace some of the flow.  Here are my findings:

AbstractTicketRegistry.deleteTicket() – handles the removal of all of the 
tickets.  If a TGT is passed in, this will look for child PGTs and clean 
them up first.  In a CAS-only session, this got a TGT, found a PGT and 
deleted them both.  In a CAS/Redis session, this only got a TGT – no PGT.  
I'm guessing that this means that either the PGT was never added to the 
parent TGT or that the reference to it was cleared out before the 
deleteTicket() call.

 

ServiceTicketImpl.grantProxyGrantingTicket() – creates the PGT and adds it 
to the TGT’s getProxyGrantingTickets() Map.  There wasn’t much logging 
here.  I know the PGT was created but I don’t know if it was actually 
assigned to its parent.  I didn’t see any Exceptions.  So, I assume the 
child-to-parent assignment was made.

 
RedisTicketRegistry – uses an 
org.springframework.data.redis.core.RedisTemplate to set and get 
entries.  This differs from DefaultTicketRegistry, which simply uses a 
ConcurrentHashMap to handle the tickets.  It kind of makes me wonder 
whether there's an issue with the spring data component.

I'm not able to build CAS from source - running as a normal user or 
administrator.  So, I haven't managed to add more logging statements.  This 
is my build environment:
Windows 7 
CAS 5.2.6
Gradle 4.10.2
Java 1.8.0_144
gradle -DskipFindbugs=true -DskipCheckstyle=true -DskipTests=true 
--stacktrace --debug clean build

18:03:57.304 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] Caused by: org.gradle.process.internal.ExecException: Process 'command 'C:\sandbox\cas\webapp\cas-server-webapp-jetty\.gradle\nodejs\node-v7.10.0-win-x64\npm.cmd'' finished with non-zero exit value -4048
18:03:57.305 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] at org.gradle.process.internal.DefaultExecHandle$ExecResultImpl.assertNormalExitValue(DefaultExecHandle.java:395)
18:03:57.305 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] at org.gradle.process.internal.DefaultExecAction.execute(DefaultExecAction.java:37)
18:03:57.306 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] at org.gradle.api.internal.file.DefaultFileOperations.exec(DefaultFileOperations.java:232)
...

cas.properties:
logging.config: file:/etc/cas/config/log4j2.xml

server.contextPath=/cas
server.port=8443
server.ssl.keyStore=file:/etc/cas/keystore.jks
server.ssl.keyStorePassword=myPassword
server.ssl.keyPassword=myPassword

#Disable default casuser
cas.authn.accept.users=

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://LDAPBOX:636
cas.authn.ldap[0].baseDn=OU=TAP,DC=tap,DC=test
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].usePasswordPolicy=true
cas.authn.ldap[0].bindDn=CN=USER1,OU=Service,OU=Users,OU=ABC,DC=abc,DC=test
cas.authn.ldap[0].bindCredential=myCredential
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName,memberOf
cas.authn.ldap[0].trustCertificates=file:/etc/cas/cert.cer

# IP address may be enough to protect all endpoints.
cas.adminPagesSecurity.ip=0\.0\.0\.0
cas.adminPagesSecurity.loginUrl=https://CASMACHINE:8443/cas/login
cas.adminPagesSecurity.service=https://CASMACHINE:8443/cas/status/dashboard
cas.adminPagesSecurity.users=file:/etc/cas/config/adminusers.properties
cas.adminPagesSecurity.adminRoles=ROLE_ADMIN
cas.adminPagesSecurity.actuatorEndpointsEnabled=true

cas.serviceRegistry.json.location=file:/etc/cas/config

# Sessions are terminated if no new tickets are requested in 15 minutes
cas.ticket.tgt.timeToKillInSeconds=900

# Sessions are never allowed to last longer than 8 hours (default)
cas.ticket.tgt.maxTimeToLiveInSeconds=28800

#Redis 
cas.ticket.registry.redis.host=CASMACHINE
cas.ticket.registry.redis.port=6379
cas.ticket.registry.redis.database=0


Thanks,

d
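An added illustration, not code from the post or from CAS itself, of one mechanism that would produce exactly the findings above: a ConcurrentHashMap registry hands deleteTicket() the same TGT object that grantProxyGrantingTicket() mutated, while a serializing registry such as Redis or Hazelcast hands back the copy stored at addTicket() time, whose PGT map is still empty unless the TGT was written back afterwards. The Tgt class, both registry maps and the ticket ids are hypothetical stand-ins, and whether CAS 5.2.6 actually skips that write-back is an assumption to be confirmed against the source.

```java
import java.io.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for a CAS TGT: only the child-PGT map matters here.
class Tgt implements Serializable {
    final String id;
    final Map<String, String> proxyGrantingTickets = new HashMap<>();
    Tgt(String id) { this.id = id; }
}

public class RegistryCopySemantics {
    // Like DefaultTicketRegistry: holds the live object reference.
    static final Map<String, Tgt> byReference = new ConcurrentHashMap<>();
    // Like a Redis/Hazelcast registry: holds a serialized copy taken at addTicket() time.
    static final Map<String, byte[]> byCopy = new ConcurrentHashMap<>();

    static byte[] serialize(Tgt t) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(t); }
        return bos.toByteArray();
    }

    static Tgt deserialize(byte[] b) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(b))) {
            return (Tgt) in.readObject();
        }
    }

    // Adds a TGT to both registries, grants a PGT by mutating the live TGT (as
    // grantProxyGrantingTicket() does) and returns {live count, stored count}.
    // Unless the TGT is re-stored (an updateTicket() step), the stored copy still
    // has zero children, so deleteTicket(TGT) on that copy finds no PGT to cascade to.
    static int[] childPgtCounts(boolean reStoreAfterGrant) throws Exception {
        Tgt tgt = new Tgt("TGT-1");                                  // constructed id
        byReference.put(tgt.id, tgt);
        byCopy.put(tgt.id, serialize(tgt));
        tgt.proxyGrantingTickets.put("PGT-1", "https://proxy.example/callback"); // constructed
        if (reStoreAfterGrant) byCopy.put(tgt.id, serialize(tgt));  // the write-back step
        int live = byReference.get(tgt.id).proxyGrantingTickets.size();
        int stored = deserialize(byCopy.get(tgt.id)).proxyGrantingTickets.size();
        return new int[] { live, stored };
    }

    public static void main(String[] args) throws Exception {
        System.out.println("no write-back:   " + Arrays.toString(childPgtCounts(false)));
        System.out.println("with write-back: " + Arrays.toString(childPgtCounts(true)));
    }
}
```

Compile and run as RegistryCopySemantics.java; the first line shows the stale copy with no child PGT, the second the re-stored copy that a logout cascade would reach. The cascade matters because a PGT that survives logout can still be exchanged for proxy tickets for a session the user believes is closed.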


 
