Failed To Add TGT Ticket - MongoDB Ticket Registry CAS 45.2.


Mike Kromarek

Feb 7, 2018, 4:03:43 AM
to CAS Community
I recently switched from the Postgresql JPA ticket registry to MongoDB and am having a strange issue.  The authentication succeeds, but then it fails to add the ticket to the mongo database, causing the process to fail and return to the login screen.

-- cas.properties --
cas.ticket.registry.mongo.host=localhost
cas.ticket.registry.mongo.userId=<redacted>
cas.ticket.registry.mongo.password=<redacted>
cas.ticket.registry.mongo.databaseName=casdb
cas.ticket.registry.mongo.collectionName=cas-ticket-registry
cas.ticket.registry.mongo.dropCollection=false
cas.ticket.registry.mongo.timeout=5000
cas.ticket.registry.mongo.writeConcern=NORMAL
cas.ticket.mongo.conns.lifetime=60000
cas.ticket.mongo.conns.perHost=10
cas.ticket.registry.mongo.idleTimeout=30000


CAS connects to the database with the specified user, makes all the tables and seems like everything should be good.  Then it encodes the TGT, but fails to add it.  


2018-02-07 00:46:30,024 DEBUG [org.apereo.cas.ticket.factory.DefaultTicketGrantingTicketFactory] - <Encoded ticket-granting ticket id [TGT-******************************************3wOfaglzGL-JNpegctV--qfA0S5-xCE-aws-stage-cas.highline.edu]>
2018-02-07 00:46:30,025 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Adding ticket [TGT-******************************************3wOfaglzGL-JNpegctV--qfA0S5-xCE-aws-stage-cas.highline.edu]>
2018-02-07 00:46:30,118 ERROR [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Failed adding [TGT-******************************************3wOfaglzGL-JNpegctV--qfA0S5-xCE-aws-stage-cas.highline.edu]: [java.lang.NullPointerException]>
2018-02-07 00:46:30,118 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Publishing [org.apereo.cas.support.events.ticket.CasTicketGrantingTicketCreatedEvent@2c84b7f8[ticketGrantingTicket=TGT-******************************************3wOfaglzGL-JNpegctV--qfA0S5-xCE-aws-stage-cas.highline.edu]]>

Has anyone else run into this?

--Mike K


Tomcat.log
mongodb.log

Mike Kromarek

Feb 7, 2018, 4:04:18 AM
to CAS Community
The title should read CAS 5.2.2 for the version

--Mike K.

Uxío Prego

Feb 7, 2018, 7:38:45 AM
to CAS Community
I'm sorry I can't help you, but it would be very sweet if you could share your effective serviceticket or ticketgrantingticket table schema from the times when you were using PostgreSQL as ticket registry for CAS 5...

Regards,

Uxío Prego


Madiva Soluciones
CL / SERRANO GALVACHE 56
BLOQUE ABEDUL PLANTA 4
28033 MADRID

+34 917 56 84 94
www.madiva.com
www.bbva.com

The activity of email inboxes can be systematically tracked by colleagues, business partners and third parties. Turn off automatic loading of images to hamper it.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/051a23e8-bb02-48a3-ab26-86b9a2fa3c40%40apereo.org.

Man H

Feb 7, 2018, 8:05:53 AM
to cas-...@apereo.org
Assuming it's not a time-out issue, then debug from source.

David Curry

Feb 7, 2018, 8:15:31 AM
to cas-...@apereo.org
Mike,

The only thing that strikes me as odd in your settings is this one:

cas.ticket.registry.mongo.collectionName=cas-ticket-registry

The Mongo ticket registry uses multiple collections:

proxyGrantingTicketsCollection
proxyTicketsCollection
samlArtifactsCache
samlAttributeQueryCache
serviceTicketsCollection
ticketGrantingTicketsCollection

So while I'm not sure if that setting is having any impact on your configuration at all, I suspect that if it _is_ having an impact, it's a negative one. Although, I don't see anything in the logs to suggest that it is -- the server seems to be using the "right" collection:

2018-02-07 00:46:30,159 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Locating collection name [ticketGrantingTicketsCollection] for ticket definition [org.apereo.cas.ticket.DefaultTicketDefinition@28556a8b[implementationClass=class org.apereo.cas.ticket.TicketGrantingTicketImpl,prefix=TGT]]>
2018-02-07 00:46:30,159 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Located MongoDb collection instance [ticketGrantingTicketsCollection]>
2018-02-07 00:46:30,160 DEBUG [org.mongodb.driver.protocol.command] - <Sending command {find : BsonString{value='ticketGrantingTicketsCollection'}} to database casdb on connection [connectionId{localValue:6, serverValue:68}] to server localhost:27017>
2018-02-07 00:46:30,161 DEBUG [org.mongodb.driver.protocol.command] - <Command execution completed>

For what it's worth, mine is working on 5.2.2 using these settings (essentially the same as yours except I have a replica set):

#
# Components of the MongoDB connection string broken out for ease of editing.
#
mongo.db:                               casdb
mongo.rs:                               rs0
mongo.opts:                             &ssl=true
mongo.creds:                            mongocas:<redacted>
mongo.hosts:                            casdev-srv01-lid.newschool.edu,casdev-srv02-lid.newschool.edu,casdev-srv03-lid.newschool.edu

#
# The connection string, assembled
#
mongo.uri:                              mongodb://${mongo.creds}@${mongo.hosts}/${mongo.db}?replicaSet=${mongo.rs}${mongo.opts}

#
# Ticket registry
#
cas.ticket.registry.mongo.clientUri:    ${mongo.uri}

#
# Service registry
#
cas.serviceRegistry.mongo.clientUri:    ${mongo.uri}
cas.serviceRegistry.mongo.collection:   casServiceRegistry


--Dave



--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School



michael kromarek

Feb 7, 2018, 8:25:28 AM
to cas-...@apereo.org
Hi Dave,

I actually tried those settings first (I was following your guide, but only having a single server instead of a cluster for mongo).  Unfortunately, it fails in the same way with those settings too.  I might be able to eke out a little more information if I set
org.apereo.cas.ticket.registry.MongoDbTicketRegistry
to debug in the logger, though I already have org.apereo.cas and com.mongo set to debug.

--Mike K



David Curry

Feb 7, 2018, 8:31:26 AM
to cas-...@apereo.org
Ah - you just reminded me, and I should have mentioned this last time. Try adding this to your log4j2.xml:

<AsyncLogger name="org.mongodb.driver" level="debug" />

That's the actual Java driver.

--Dave



michael kromarek

Feb 7, 2018, 8:49:46 AM
to cas-...@apereo.org
Hi Uxio,

Sure, I can share that.  I had to do a few tweaks to the database. The first is, if you are using SAML, you need to change the samlobject columns from varchar(5000) to text, because signed assertions will exceed those 5000 characters really fast.

Next you want to update the constraints for tables saml2_artifacts and saml2_attribute_query_tickets to cascade on delete.  I ran into a situation where the TGT got removed but the SAML stuff stayed behind, causing exceptions to be thrown in my log a lot.

Finally, the biggest thing you need to do is enable the lo module by running the query "CREATE EXTENSION lo;" so you can have the lo_manage function take care of the oid fields, because JDBC and ODBC both handle removing large objects in PostgreSQL wrong: the objects don't exist in the table, so when they remove the row, the objects get orphaned and just take up space.

For each oid field in the tables ticketgrantingticket and serviceticket you'll want to create the following trigger:

CREATE TRIGGER t_trigger_name BEFORE UPDATE OR DELETE ON target_table
    FOR EACH ROW EXECUTE PROCEDURE lo_manage(target_column);

--- cas.properties --
cas.ticket.registry.jpa.url=jdbc:postgresql:cas-ticket-registry
cas.ticket.registry.jpa.dialect=org.hibernate.dialect.PostgreSQL95Dialect
cas.ticket.registry.jpa.user=<redacted>
cas.ticket.registry.jpa.ddlAuto=none
cas.ticket.registry.jpa.password=<redacted>
cas.ticket.registry.jpa.driverClass=org.postgresql.Driver

cas.ticket.registry.jpa.crypto.signing.key=<redacted>
cas.ticket.registry.jpa.crypto.signing.keySize=512
cas.ticket.registry.jpa.crypto.encryption.key=<redacted>
cas.ticket.registry.jpa.crypto.encryption.keySize=16
cas.ticket.registry.jpa.crypto.alg=AES
cas.ticket.registry.jpa.crypto.enabled=true

-- end file--

Make sure ddlAuto is none or else all your changes will get overwritten on the next reboot.

Attached is my SQL schema dump from my modified database.

Enjoy
--Mike K

20180207024922.sql
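The PostgreSQL changes Mike describes above (the lo extension, a lo_manage trigger on every oid column of ticketgrantingticket and serviceticket, text instead of varchar(5000) for samlobject, and cascading deletes on the two SAML tables), as an added example that is not from the thread or from the CAS project. Instead of hard-coding column or constraint names, it discovers them from the catalog; it assumes the tables live in the public schema and that the SAML foreign keys still carry the default NO ACTION rule.

```sql
-- Added example (not from the thread or the CAS project): apply the
-- schema changes described above to a CAS 5 JPA ticket registry on
-- PostgreSQL. Assumes the tables live in the public schema.
-- Run with cas.ticket.registry.jpa.ddlAuto=none, or Hibernate will
-- regenerate the schema on the next start.

-- 1. Large-object housekeeping: lo_manage() unlinks the large object
--    when the row that references it is updated or deleted.
CREATE EXTENSION IF NOT EXISTS lo;

DO $$
DECLARE
    rec record;
BEGIN
    -- One BEFORE UPDATE OR DELETE trigger per oid column, discovered
    -- from the catalog so no column names need to be hard-coded.
    FOR rec IN
        SELECT c.relname AS table_name, a.attname AS column_name
        FROM pg_attribute a
        JOIN pg_class c ON c.oid = a.attrelid
        JOIN pg_namespace n ON n.oid = c.relnamespace
        WHERE n.nspname = 'public'
          AND c.relname IN ('ticketgrantingticket', 'serviceticket')
          AND a.atttypid IN ('oid'::regtype, 'lo'::regtype)
          AND a.attnum > 0
          AND NOT a.attisdropped
    LOOP
        EXECUTE format('DROP TRIGGER IF EXISTS %I ON %I',
                       't_lo_' || rec.table_name || '_' || rec.column_name,
                       rec.table_name);
        EXECUTE format('CREATE TRIGGER %I BEFORE UPDATE OR DELETE ON %I '
                       || 'FOR EACH ROW EXECUTE PROCEDURE lo_manage(%I)',
                       't_lo_' || rec.table_name || '_' || rec.column_name,
                       rec.table_name, rec.column_name);
    END LOOP;

    -- 2. Signed SAML assertions exceed varchar(5000); store them as text.
    ALTER TABLE saml2_artifacts ALTER COLUMN samlobject TYPE text;
    ALTER TABLE saml2_attribute_query_tickets ALTER COLUMN samlobject TYPE text;

    -- 3. Recreate the SAML tables' foreign keys with ON DELETE CASCADE so
    --    removing a TGT also removes its artifacts and query tickets.
    --    Only constraints still on the default NO ACTION rule are touched.
    FOR rec IN
        SELECT con.conname, c.relname AS table_name,
               pg_get_constraintdef(con.oid) AS def
        FROM pg_constraint con
        JOIN pg_class c ON c.oid = con.conrelid
        JOIN pg_namespace n ON n.oid = c.relnamespace
        WHERE n.nspname = 'public'
          AND con.contype = 'f'
          AND con.confdeltype = 'a'
          AND c.relname IN ('saml2_artifacts', 'saml2_attribute_query_tickets')
    LOOP
        EXECUTE format('ALTER TABLE %I DROP CONSTRAINT %I',
                       rec.table_name, rec.conname);
        EXECUTE format('ALTER TABLE %I ADD CONSTRAINT %I %s ON DELETE CASCADE',
                       rec.table_name, rec.conname, rec.def);
    END LOOP;
END
$$;

-- Check: list the lo_manage triggers that now exist.
SELECT tgname, tgrelid::regclass AS table_name
FROM pg_trigger
WHERE tgname LIKE 't\_lo\_%' AND NOT tgisinternal;
```

The final query should list one trigger per oid column of the two ticket tables; an empty result means the tables are in another schema or their large-object columns use a different type.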

michael kromarek

Feb 7, 2018, 8:51:53 AM
to cas-...@apereo.org
I'll give that a shot and let you know what I find.

Thank you.


Uxío Prego

Feb 7, 2018, 11:35:22 AM
to CAS Community
Oh... Goodness. I was hoping the ORM software would at last be using BYTEA instead of LO/OID.

Thank you, you are very kind.

Uxío Prego


michael kromarek

Feb 9, 2018, 2:55:24 PM
to cas-...@apereo.org
So it turns out I already had the driver turned to debug, so no new information there.  But I did up the verbosity level of the MongoDB log to 5 and noticed that a write attempt for the TGT ticket wasn't even made (subsequent fetches were made though).

I decided to try pulling down the latest maven overlay and move my settings over one by one to see what would cause the problem, and the culprit turned out to be

cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=28800

If I comment that out, it writes the ticket no problem.  If I set it, it fails creating the ticket and never writes it to, or even attempts to write it to, Mongo.  I think this is an error in the ExpirationPolicy class, as I have also tried Redis and noticed it was writing the expiration time as -1.  -1 is not acceptable to Redis so it won't make the record.  I also tried DynamoDB and noticed it was complaining about an empty string being written (for whatever reason Dynamo does not like empty strings at all).  I'm thinking PostgreSQL didn't have a problem because the expiration policy is stored as a large object and it probably doesn't care what it is.

--Mike K.

Uxío Prego

Feb 9, 2018, 4:03:45 PM
to 'Alan Noble' via CAS Community
I’m a little lost now.

Are you sure you need to waste that much energy investigating so many ticket registry alternatives? Shouldn't you be trying to just assess the feasibility of using the database with which you feel more comfortable?

To be more clear, let’s say it works better using MongoDB than PostgreSQL. If you already have a large body of PostgreSQL exposure, which you have demonstrated, even if MongoDB performs better there are chances your total cost of ownership will be smaller by using PostgreSQL.

I'm sorry again I can't help you, but with the energy and eagerness you seem to have I'm sure you aren't going to have a lot of trouble with CAS once you focus on your problem. Or is it that your thing is to assess which one performs better? And if so, why not just ask that?

Regards,

michael kromarek

Feb 9, 2018, 9:20:14 PM
to cas-...@apereo.org
Sorry, there's a bit of a history to the problem that involved several other ticket registries.

On CAS 3.5 we were using PostgreSQL, but when I upgraded to CAS 5.x I switched to Hazelcast, which worked okay except that after three days principal IDs start to become null after successful authentication.  We thought it might be something with Hazelcast so we tried Dynamo, which was an instant bust as it complained about an empty string.  We then tried Redis with AWS but the Setex command was being given a -1 for the ticket expiration time.  So we tried MongoDB, which wasn't writing tickets.  PostgreSQL was the fallback, though my manager preferred I find something more performant since the JPA driver can be a bit slow (not to mention the need for 4+ triggers on the ticketgrantingticket table and another 2-3 on the serviceticket table).

But now that I found that the ticket expiration time was the culprit, I should be able to go forward with MongoDB or Redis.  The expiration time problem does sound like a bug to me, though, but I'm not sure where to report that.

--Mike K.


Uxío Prego

Feb 12, 2018, 3:00:45 AM
to CAS Community
Do you mean it is buggy because Redis was refusing to write -1 for expiration times?

If you have a lot of time I guess you could write your test case and request pull.

Uxío Prego
