CAS 6.3 got InvalidTicketException when I stay on login page more than 5 minutes


He Vincent

Oct 14, 2021, 23:10:14
to CAS Community
I waited for more than 5 minutes at the login page, then I logged in as normal, and I got this error:

CAS is unable to process this request: "500:Internal Server Error"

org.apereo.cas.ticket.InvalidTicketException
    at org.apereo.cas.DefaultCentralAuthenticationService.validateServiceTicket(DefaultCentralAuthenticationService.java:225)
    at org.apereo.cas.DefaultCentralAuthenticationService$$FastClassBySpringCGLIB$$b02e48f2.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:771)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749)
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88)
    at org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:135)
    at jdk.internal.reflect.GeneratedMethodAccessor245.invoke(Unknown Source)

He Vincent

Oct 14, 2021, 23:28:18
to CAS Community, He Vincent
The CAS protocol has no such issue. I get this issue when I use SAML, OAuth2 or OIDC.

Jeremiah Garmatter

Oct 15, 2021, 11:44:04
to CAS Community, He Vincent
I had this issue with SAML as well. The issue appeared when I used the embedded web server; after deploying externally to Apache Tomcat, I no longer have this problem. CAS 6.3.4, Tomcat 9.0.46

He Vincent

Oct 17, 2021, 21:14:47
to CAS Community, j-gar...@onu.edu, He Vincent
Thanks, I will try to deploy it with Tomcat later.

He Vincent

Oct 19, 2021, 03:31:15
to CAS Community, He Vincent, j-gar...@onu.edu
I deployed it to an external Tomcat, and it resolved the issue partially. I get the same issue after 30 minutes.

He Vincent

Oct 19, 2021, 04:40:36
to CAS Community, He Vincent, j-gar...@onu.edu
I think I may have found the RCA: it is due to the Tomcat session-timeout.
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
In an external Tomcat, it is 30 minutes by default. It may be set to 5 minutes for the embedded Tomcat.



Jeremiah Garmatter

Oct 19, 2021, 09:44:10
to CAS Community, He Vincent
I have that set to 30 as well, but when I wait for 35 minutes I can still log in. One time I left it open for hours and was able to log in still. Using Chrome browser v94.0.4606.81

He Vincent

Oct 19, 2021, 21:09:17
to CAS Community, j-gar...@onu.edu, He Vincent
It is very strange: I set session-timeout to 3 minutes for testing, and I get the issue after 3 minutes.
Here is my configuration:
Chrome 95.0.4638.54
nginx 1.18.0 as the reverse proxy at port 443.
Tomcat 9.0.54 at port 8443 with protocol="org.apache.coyote.http11.Http11NioProtocol" and SSLEnabled="true"
CAS 6.3.7 with SAML, OAuth and OIDC
gradle.properties with appServer= since I use an external Tomcat.