Logout - PGT not removed from ticket registry


David Wise

Oct 8, 2018, 5:29:57 PM
to CAS Community
Hi Everyone,

I have an application that makes heavy use of Proxy Tickets and am using Redis as a ticket registry.  When my user logs out of CAS, the PGT does not get destroyed but what I assume to be the parent TGT does.  I get the same behavior using Hazelcast.  When I use the DefaultTicketRegistry, it appears that both the TGT and PGT are destroyed.

Does anyone have an idea why the PGT is being cleaned up with the DefaultTicketRegistry but not with Redis/Hazelcast?


I've tried CAS 5.2.6 and 5.3.3 with the same results.

When the maxTimeToLiveInSeconds value expires, both the parent TGT and child PGT are destroyed.


I pulled down the 5.2.6 source, set the log level to DEBUG and was able to trace some of the flow.  Here are my findings:

AbstractTicketRegistry.deleteTicket() – handles the removal of all of the tickets. If a TGT is passed in, this will look for child PGTs and clean them up first. In a CAS-only session, this got a TGT, found a PGT and deleted them both. In a CAS/Redis session, this only got a TGT – no PGT. I'm guessing that this means that either the PGT was never added to the parent TGT or that the reference to it was cleared out before the deleteTicket() call.


ServiceTicketImpl.grantProxyGrantingTicket() – creates the PGT and adds it to the TGT’s getProxyGrantingTickets() Map.  There wasn’t much logging here.  I know the PGT was created but I don’t know if it was actually assigned to its parent.  I didn’t see any Exceptions.  So, I assume the child-to-parent assignment was made.


RedisTicketRegistry – uses an org.springframework.data.redis.core.RedisTemplate to set and get entries. This differs from DefaultTicketRegistry, which simply uses a ConcurrentHashMap to handle the tickets. It kind of makes me wonder whether there's an issue with the spring data component.

I'm not able to build CAS from source - running as a normal user or administrator.  So, I haven't managed to add more logging statements.  This is my build environment:
Windows 7 
CAS 5.2.6
Gradle 4.10.2
Java 1.8.0_144
gradle -DskipFindbugs=true -DskipCheckstyle=true -DskipTests=true --stacktrace --debug clean build

18:03:57.304 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] Caused by: org.gradle.process.internal.ExecException: Process 'command 'C:\sandbox\cas\webapp\cas-server-webapp-jetty\.gradle\nodejs\node-v7.10.0-win-x64\npm.cmd'' finished with non-zero exit value -4048
18:03:57.305 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] at org.gradle.process.internal.DefaultExecHandle$ExecResultImpl.assertNormalExitValue(DefaultExecHandle.java:395)
18:03:57.305 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] at org.gradle.process.internal.DefaultExecAction.execute(DefaultExecAction.java:37)
18:03:57.306 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] at org.gradle.api.internal.file.DefaultFileOperations.exec(DefaultFileOperations.java:232)
...

cas.properties:
logging.config: file:/etc/cas/config/log4j2.xml

server.contextPath=/cas
server.port=8443
server.ssl.keyStore=file:/etc/cas/keystore.jks
server.ssl.keyStorePassword=myPassword
server.ssl.keyPassword=myPassword

#Disable default casuser
cas.authn.accept.users=

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://LDAPBOX:636
cas.authn.ldap[0].baseDn=OU=TAP,DC=tap,DC=test
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].usePasswordPolicy=true
cas.authn.ldap[0].bindDn=CN=USER1,OU=Service,OU=Users,OU=ABC,DC=abc,DC=test
cas.authn.ldap[0].bindCredential=myCredential
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName,memberOf
cas.authn.ldap[0].trustCertificates=file:/etc/cas/cert.cer

# IP address may be enough to protect all endpoints.
cas.adminPagesSecurity.ip=0\.0\.0\.0
cas.adminPagesSecurity.loginUrl=https://CASMACHINE:8443/cas/login
cas.adminPagesSecurity.service=https://CASMACHINE:8443/cas/status/dashboard
cas.adminPagesSecurity.users=file:/etc/cas/config/adminusers.properties
cas.adminPagesSecurity.adminRoles=ROLE_ADMIN
cas.adminPagesSecurity.actuatorEndpointsEnabled=true

cas.serviceRegistry.json.location=file:/etc/cas/config

# Sessions are terminated if no new tickets are requested in 15 minutes
cas.ticket.tgt.timeToKillInSeconds=900

# Sessions are never allowed to last longer than 8 hours (default)
cas.ticket.tgt.maxTimeToLiveInSeconds=28800

#Redis 
cas.ticket.registry.redis.host=CASMACHINE
cas.ticket.registry.redis.port=6379
cas.ticket.registry.redis.database=0


Thanks,

d
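A self-contained Java model of the mechanism the findings above point at, added here as an illustration; it is not code from CAS, and whether the real cause in CAS 5.2.6 is a TGT whose PGT reference never got written back to Redis is an assumption, not something the post establishes. The `Registry`, `Tgt` and `pgtSurvivesLogout` names are hypothetical: with live object references (the ConcurrentHashMap case) the cascade finds the PGT, while with a serialized copy it finds nothing unless the mutated TGT is re-saved, which leaves the PGT valid after logout.

```java
import java.io.*;
import java.util.*;
public class OrphanedPgtDemo {
    // Minimal TGT model (constructed): remembers the ids of PGTs granted under it.
    static class Tgt implements Serializable {
        final String id;
        final Set<String> proxyGrantingTickets = new HashSet<>();
        Tgt(String id) { this.id = id; }
    }
    // Hypothetical registry: keeps live object references (like the ConcurrentHashMap in
    // DefaultTicketRegistry) or a serialized copy (like Redis/Hazelcast), per 'serializing'.
    static class Registry {
        private final boolean serializing;
        private final Map<String, Object> store = new HashMap<>();
        Registry(boolean serializing) { this.serializing = serializing; }
        void put(String id, Object t) { store.put(id, serializing ? copy(t) : t); }
        Tgt getTgt(String id) { Object t = store.get(id); return (Tgt) (serializing ? copy(t) : t); }
        boolean contains(String id) { return store.containsKey(id); }
        // Cascade like AbstractTicketRegistry.deleteTicket(): child PGTs first, then the TGT.
        void deleteTgt(String id) {
            for (String pgt : getTgt(id).proxyGrantingTickets) store.remove(pgt);
            store.remove(id);
        }
        private static Object copy(Object o) {
            try {
                ByteArrayOutputStream bos = new ByteArrayOutputStream();
                try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
                return new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray())).readObject();
            } catch (IOException | ClassNotFoundException e) { throw new IllegalStateException(e); }
        }
    }
    // Grant a PGT under the TGT, log out, and report whether the PGT survived.
    // 'reSaveTgt' stands in for writing the mutated TGT back (an updateTicket() call).
    static boolean pgtSurvivesLogout(boolean serializing, boolean reSaveTgt) {
        Registry reg = new Registry(serializing);
        reg.put("TGT-1", new Tgt("TGT-1"));
        Tgt tgt = reg.getTgt("TGT-1");          // the instance grantProxyGrantingTicket() mutates
        tgt.proxyGrantingTickets.add("PGT-1");
        reg.put("PGT-1", "pgt-data");
        if (reSaveTgt) reg.put(tgt.id, tgt);
        reg.deleteTgt("TGT-1");                 // logout
        return reg.contains("PGT-1");
    }
    public static void main(String[] args) {
        System.out.println("in-memory, no re-save: " + pgtSurvivesLogout(false, false));
        System.out.println("serializing, no re-save: " + pgtSurvivesLogout(true, false));
        System.out.println("serializing, re-saved: " + pgtSurvivesLogout(true, true));
    }
}
```

A quick way to check a real deployment for the same symptom is to list the registry keys for the PGT after logout; a PGT that still resolves can keep issuing proxy tickets until maxTimeToLiveInSeconds expires it.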
