TGT timeout issue with v5.3.5


Dave Steiner

Dec 1, 2020, 1:10:26 PM
to CAS Community

We are upgrading to v5.3.5 and I was just testing the TGT timeout.  I am using hazelcast and have the following settings:

cas.ticket.tgt.maxTimeToLiveInSeconds=28800
cas.ticket.tgt.timeToKillInSeconds=28800

But I notice after an hour or so, that I have to re-authenticate.  In the logs, I'm seeing the following:

2020-11-24 16:20:52,614 WARN [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Ticket passed is null and cannot be decoded>

I haven't been able to figure out what's causing this.  Any ideas? 

thanks,
ds

Dmitriy Kopylenko

Dec 1, 2020, 1:28:56 PM
to cas-...@apereo.org
Hi Dave.

I was just wondering, is there any reason you’d not go to the latest CAS v 6.x, as 5.x is EOL?

Best,
D.


Dave Steiner

Dec 1, 2020, 3:06:02 PM
to CAS Community, dkopylenko
We had started the upgrade a while back but then got distracted by other projects.  So when we restarted we kept with the same version.

-ds

Priyambada Madala

Dec 2, 2020, 12:11:28 AM
to CAS Community, Dave Steiner, dkopylenko
Hi Dave, 

Do you have any Hazelcast config with a timeout? This can also result in tickets getting timed out.

Dave Steiner

Dec 2, 2020, 5:25:30 PM
to CAS Community, Priyambada Madala, Dave Steiner, dkopylenko
I don't see the TGT tickets getting timed out.  In fact, if I run a script that uses Rest, I can get ST tickets for 8 hours with the same TGT ticket.  It's just through the web that I have to re-authenticate after an hour or so.

-ds

Ray Bon

Dec 2, 2020, 5:31:12 PM
to cas-...@apereo.org, steine...@gmail.com, dkopy...@unicon.net, madala.p...@gmail.com
Dave,

What is the expiry time on the TGC in your browser?

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Dave Steiner

Dec 4, 2020, 3:44:18 PM
to CAS Community, Ray Bon, steine...@gmail.com, dkopylenko, Priyambada Madala
The usual "expire when the browser is closed".

Dave Steiner

Dec 8, 2020, 11:42:02 PM
to CAS Community, Dave Steiner, Ray Bon, dkopylenko, Priyambada Madala
Here's the debug logs I see when I have to reauthenticate:

2020-12-08 23:35:28,117 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Encoded original ticket id [TGT-2-*************************************************qqSZUWoYpA00N5K2yklocalhost] to [8ac82aa3ae3ce4640e87268ff25f1f2d2680907d891413e6231a66dcdf9f8a9787741cd9e292d766f3cf62612cf474ff6203803af11e12bf23259698598888aa]>
2020-12-08 23:35:28,117 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Locating map name [ticketGrantingTicketsCache] for ticket definition [DefaultTicketDefinition(implementationClass=class org.apereo.cas.ticket.TicketGrantingTicketImpl, prefix=TGT, properties=DefaultTicketDefinitionProperties(cascade=false, storageName=ticketGrantingTicketsCache, storageTimeout=10800, storagePassword=null), order=2147483647)]>
2020-12-08 23:35:28,117 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Located Hazelcast map instance [ticketGrantingTicketsCache]>
2020-12-08 23:35:28,123 WARN [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Ticket passed is null and cannot be decoded>

and then

2020-12-08 23:35:28,139 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Tue Dec 08 23:35:28 EST 2020,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Dec 08 23:35:28 EST 2020
CLIENT IP ADDRESS: 172.29.220.74
SERVER IP ADDRESS: dev-cas.rutgers.edu
=============================================================

>
2020-12-08 23:35:28,140 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Encoded original ticket id [TGT-2-*************************************************qqSZUWoYpA00N5K2yklocalhost] to [8ac82aa3ae3ce4640e87268ff25f1f2d2680907d891413e6231a66dcdf9f8a9787741cd9e292d766f3cf62612cf474ff6203803af11e12bf23259698598888aa]>
2020-12-08 23:35:28,140 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Locating map name [ticketGrantingTicketsCache] for ticket definition [DefaultTicketDefinition(implementationClass=class org.apereo.cas.ticket.TicketGrantingTicketImpl, prefix=TGT, properties=DefaultTicketDefinitionProperties(cascade=false, storageName=ticketGrantingTicketsCache, storageTimeout=10800, storagePassword=null), order=2147483647)]>
2020-12-08 23:35:28,140 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Located Hazelcast map instance [ticketGrantingTicketsCache]>
2020-12-08 23:35:28,146 WARN [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Ticket passed is null and cannot be decoded>
2020-12-08 23:35:28,147 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Encoded original ticket id [TGT-2-*************************************************qqSZUWoYpA00N5K2yklocalhost] to [8ac82aa3ae3ce4640e87268ff25f1f2d2680907d891413e6231a66dcdf9f8a9787741cd9e292d766f3cf62612cf474ff6203803af11e12bf23259698598888aa]>
2020-12-08 23:35:28,147 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Locating map name [ticketGrantingTicketsCache] for ticket definition [DefaultTicketDefinition(implementationClass=class org.apereo.cas.ticket.TicketGrantingTicketImpl, prefix=TGT, properties=DefaultTicketDefinitionProperties(cascade=false, storageName=ticketGrantingTicketsCache, storageTimeout=10800, storagePassword=null), order=2147483647)]>
2020-12-08 23:35:28,147 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Located Hazelcast map instance [ticketGrantingTicketsCache]>
2020-12-08 23:35:28,153 WARN [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Ticket passed is null and cannot be decoded>
2020-12-08 23:35:28,154 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-2-*************************************************qqSZUWoYpA00N5K2yklocalhost
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Tue Dec 08 23:35:28 EST 2020
CLIENT IP ADDRESS: 172.29.220.74
SERVER IP ADDRESS: dev-cas.rutgers.edu
=============================================================

>

Dave Steiner

Dec 9, 2020, 4:41:43 PM
to CAS Community, Dave Steiner, Ray Bon, dkopylenko, Priyambada Madala
I'm also seeing this ttl of 1800 seconds when adding the TGT to the Hazelcast ticket registry.  Not sure where that's coming from.  While the timing doesn't quite match up, could that be causing my problems?

cas-2020-12-09-11-1.log:2020-12-09 11:29:44,143 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Adding ticket [TGT-1-*************************************************foM3FNjNe43BFTFn-0localhost] with ttl [1800s]>

cas-2020-12-09-11-1.log:2020-12-09 11:29:44,147 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Added ticket [975f2d9f54c0975a5e75c074a12a2d2f30e3c1409c725b13717be556da9a11bb09d14f7a1b1c9a043e85393f00342a6e45b6d722eb36e96476de2bfc190d4f7a] with ttl [1800s]>

Ray Bon

Dec 9, 2020, 6:47:11 PM
to steine...@gmail.com, cas-...@apereo.org, dkopy...@unicon.net, madala.p...@gmail.com
David, 

I searched the cas code base and it does not exist.
It does show up in one build output (that I did not set), api/cas-server-core-api-configuration-model/build/classes/java/main/META-INF/spring-configuration-metadata.json:

{
  "name" : "cas.authn.surrogate.tgt.time-to-kill-in-seconds",
  "type" : "java.lang.Long",
  "description" : "Timeout in seconds to kill the surrogate session and consider tickets expired.",
  "defaultValue" : 1800,
  "hints" : {
    "keyHints" : [ ],
    "keyProviders" : [ ],
    "valueHints" : [ ],
    "valueProviders" : [ ]
  },
  "deprecated" : false
}

Are you using a surrogate session?

Ray

Dave Steiner

Dec 11, 2020, 5:31:03 PM
to CAS Community, Ray Bon, dkopylenko, Priyambada Madala, steine...@gmail.com
I'm still investigating but yes, we have the Surrogate/Impersonation overlay.  To allow a TGT timeout of 8 hours, I had to also set cas.authn.surrogate.tgt.timeToKillInSeconds to 8 hours.  Things now behave like I would expect.  Not sure how that's different from cas.ticket.tgt.maxTimeToLiveInSeconds/cas.ticket.tgt.timeToKillInSeconds.

-ds
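
The check this thread arrived at by hand, as an added example (not code from the thread or from CAS): compare the TTL that HazelcastTicketRegistry logs for each TGT against the configured cas.ticket.tgt.timeToKillInSeconds, and flag when the logged value matches the surrogate timeout instead. The sample properties and log lines are constructed from the formats quoted above, the function names are hypothetical, and the 1800 default is the one shown in the spring-configuration-metadata.json entry in Ray's message.

```python
import re

# Constructed sample inputs, modelled on the settings and log lines quoted in the thread.
SAMPLE_PROPERTIES = """\
cas.ticket.tgt.maxTimeToLiveInSeconds=28800
cas.ticket.tgt.timeToKillInSeconds=28800
"""
SAMPLE_LOG = """\
2020-12-09 11:29:44,143 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Adding ticket [TGT-1-EXAMPLE-0localhost] with ttl [1800s]>
2020-12-09 11:31:02,511 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Adding ticket [ST-7-EXAMPLE-0localhost] with ttl [10s]>
"""

TTL_RE = re.compile(r"<Adding ticket \[(TGT-[^\]]+)\] with ttl \[(\d+)s\]>")
TGT_KEY = "cas.ticket.tgt.timeToKillInSeconds"
SURROGATE_KEY = "cas.authn.surrogate.tgt.timeToKillInSeconds"
SURROGATE_DEFAULT = 1800  # defaultValue from the metadata JSON quoted in the thread


def normalize(key):
    # The thread shows both camelCase and kebab-case spellings of the same key.
    return key.replace("-", "").lower()


def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[normalize(key.strip())] = value.strip()
    return props


def audit_tgt_ttl(properties_text, log_text):
    """Return one finding per TGT whose logged TTL differs from the configured one."""
    props = parse_properties(properties_text)
    expected = int(props[normalize(TGT_KEY)])
    surrogate = int(props.get(normalize(SURROGATE_KEY), SURROGATE_DEFAULT))
    findings = []
    for ticket_id, ttl in TTL_RE.findall(log_text):
        ttl = int(ttl)
        if ttl != expected:
            source = SURROGATE_KEY if ttl == surrogate else "unknown"
            findings.append({"ticket": ticket_id, "ttl": ttl,
                             "expected": expected, "likely_source": source})
    return findings


if __name__ == "__main__":
    for finding in audit_tgt_ttl(SAMPLE_PROPERTIES, SAMPLE_LOG):
        print(finding)
```
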