Creating multiple Proxy Tickets using same PGT
75 views
Skip to first unread message
Prakash Thapa
Mar 6, 2026, 9:59:53 AMMar 6
to CAS Community
In older version of CAS, we noticed that the multiple Proxy Tickets can be created and can co-exists in CAS Ticket Registry till it is expired or validated, even though they are generated using same PGT.
But in CAS 7.2.4, we noticed that once a new Proxy Ticket is created, the older PT generated from same PGT is automatically removed from the Ticket Registry. We are running multiple threads, and making multiple microservice calls, each microservice is protected by CAS, and holding/using the same PGT till it is valid to generate the Proxy Tickets.
Due to this behaviour few of the service calls are failing in upgraded CAS as a single PT is stored in Ticket Registry. Can it be configured or updated so that the multiple Proxy Tickets generated from same PGT could co-exist? We are using Redis Ticket Registry.
Regards,
Prakash
But in CAS 7.2.4, we noticed that once a new Proxy Ticket is created, the older PT generated from same PGT is automatically removed from the Ticket Registry. We are running multiple threads, and making multiple microservice calls, each microservice is protected by CAS, and holding/using the same PGT till it is valid to generate the Proxy Tickets.
Due to this behaviour few of the service calls are failing in upgraded CAS as a single PT is stored in Ticket Registry. Can it be configured or updated so that the multiple Proxy Tickets generated from same PGT could co-exist? We are using Redis Ticket Registry.
Regards,
Prakash
Petr Bodnár
Mar 7, 2026, 11:08:15 AMMar 7
to CAS Community, Prakash Thapa
Hi Prakash,
did you upgrade from a version before CAS v6.6.0-RC4? Then I think you've hit the infamous problem described in this thread: CAS 6.6.8 invalid ST. The thread talks about service tickets and TGT, but I would expect it relates to proxy tickets and PGT as well.
Regards
Petr
Prakash Thapa
Mar 9, 2026, 3:29:42 AMMar 9
to CAS Community, Petr Bodnár, Prakash Thapa
Hi Petr,
Thank you for your input. We upgraded from version before CAS v6.6.0-RC4 and the issue is related to the thread you mentioned. We are trying to proceed by removing the tickets deletion logic (beforeTrackingServiceTicket() method) from AllServicesSessionTrackingPolicy class as below:
Thank you for your input. We upgraded from version before CAS v6.6.0-RC4 and the issue is related to the thread you mentioned. We are trying to proceed by removing the tickets deletion logic (beforeTrackingServiceTicket() method) from AllServicesSessionTrackingPolicy class as below:
public String trackTicket(final Ticket ownerTicket, final Ticket ticket) {
val serviceTicket = (ServiceTicket) ticket;
val ticketGrantingTicket = (TicketGrantingTicket) ownerTicket;
val trackedEntry = String.format("%s,%s", serviceTicket.getId(), serviceTicket.getService());
lock.tryLock(__ -> {
ticketGrantingTicket.update();
serviceTicket.getService().setPrincipal(ticketGrantingTicket.getRoot().getAuthentication().getPrincipal().getId());
System.out.println("This is trying to delete the PTs of the PGT:" + ticketGrantingTicket.getId());
System.out.println("But we have commented this");
// beforeTrackingServiceTicket(ownerTicket, serviceTicket);
ticketGrantingTicket.getServices().put(serviceTicket.getId(), serviceTicket.getService());
});
return trackedEntry;
}
val serviceTicket = (ServiceTicket) ticket;
val ticketGrantingTicket = (TicketGrantingTicket) ownerTicket;
val trackedEntry = String.format("%s,%s", serviceTicket.getId(), serviceTicket.getService());
lock.tryLock(__ -> {
ticketGrantingTicket.update();
serviceTicket.getService().setPrincipal(ticketGrantingTicket.getRoot().getAuthentication().getPrincipal().getId());
System.out.println("This is trying to delete the PTs of the PGT:" + ticketGrantingTicket.getId());
System.out.println("But we have commented this");
// beforeTrackingServiceTicket(ownerTicket, serviceTicket);
ticketGrantingTicket.getServices().put(serviceTicket.getId(), serviceTicket.getService());
});
return trackedEntry;
}
Petr Bodnár
Mar 14, 2026, 10:05:32 AM (10 days ago) Mar 14
to CAS Community, Prakash Thapa, Petr Bodnár
Hi Prakash,
you're welcome.
Yes, you can probably achieve this by amending the AllServicesSessionTrackingPolicy class. But then I think you are effectively doing the same as simply setting
"cas.ticket.tgt.core.only-track-most-recent-session=false" (the setting mentioned in the thread I have linked before).
Alternatively, we have just commented out the problematic ticketRegistry.deleteTicket(entry.getKey()); line in the MostRecentServiceSessionTrackingPolicy.
Hopefully this clarifies things a bit.
Petr
Reply all
Reply to author
Forward
0 new messages