TGC and RememberMe with Ehcache (CAS 4.1.9)


Martin Mössner

Sep 27, 2017, 1:40:41 AM
to CAS Community
Hi Folks,

I have some questions about the topics TGC (aka TGT), RememberMe and the integrated Ehcache.

So first, everything works fine, but after a review we've seen that the long term TGC (aka remember me) will be removed in the ehcache.

In the "ticketExpirationPolicies.xml" we've configured four policies with different lifetimes (ServiceTicket, standardTGT, longTermTGT with RememberMeDelegatingExpirationPolicy).

<bean id="serviceTicketExpirationPolicy"
     class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"
     c:numberOfUses="${st.numberOfUses:1}"
     c:timeToKill="${st.timeToKillInSeconds:15}"
     c:timeUnit-ref="SECONDS" />

<bean id="standardSessionTGTExpirationPolicy"
     class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
     c:maxTimeToLive="${tgt.maxTimeToLiveInSeconds:14400}"
     c:timeToKill="${tgt.timeToKillInSeconds:3600}"
     c:timeUnit-ref="SECONDS" />

<bean id="longTermSessionTGTExpirationPolicy"
     class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy"
     c:timeToKill="${tgt.rememberMeDuration:15768000}"
     c:timeUnit-ref="SECONDS" />

<bean id="grantingTicketExpirationPolicy"
     class="org.jasig.cas.ticket.support.RememberMeDelegatingExpirationPolicy"
     p:sessionExpirationPolicy-ref="standardSessionTGTExpirationPolicy"
     p:rememberMeExpirationPolicy-ref="longTermSessionTGTExpirationPolicy" />


All variables are stored in a property file

tgt.maxTimeToLiveInSeconds=14400
tgt.timeToKillInSeconds=3600
tgt.rememberMeDuration=15768000 
st.timeToKillInSeconds=15

In case of "remember me", CAS creates a cookie with a lifetime of half a year.


In the "ticketRegistry.xml" we configured exactly two caches, "serviceTicketsCache" and "ticketGrantingTicketsCache":


  
<bean id="serviceTicketsCache"
     class="org.springframework.cache.ehcache.EhCacheFactoryBean"
     parent="abstractTicketCache"
     p:cacheName="cas_st"
     p:timeToIdle="0"
     p:timeToLive="15"
     p:cacheEventListeners-ref="ticketRMISynchronousCacheReplicator" />
<bean id="ticketGrantingTicketsCache"
     class="org.springframework.cache.ehcache.EhCacheFactoryBean"
     parent="abstractTicketCache"
     p:cacheName="cas_tgt"
     p:timeToIdle="3600" 
     p:timeToLive="14400" 
     p:cacheEventListeners-ref="ticketRMIAsynchronousCacheReplicator" />


It works as designed: Ehcache invalidates all TGCs after four hours (= 14400 seconds), but the client has a cookie stored with an expiration date half a year later.


If we configure the lifetime for half a year in the ticketRegistry, ALL TGCs will be in the cache for this lifetime, regardless of whether they are long term (remember me) or not. Isn't that so?


So my question is how to solve this problem. Does anybody have ideas or some workarounds/solutions?


Thank you in advance


Martin
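
The interaction asked about in the post above, modelled as an added example that is not part of the original thread and is not CAS or Ehcache code. The class and function names are hypothetical, the numbers are the ones from the posted property file and ticketRegistry.xml, and the model assumes CAS consults the ticket's expiration policy only after the cache lookup has returned the ticket.

```python
"""Added model (not CAS or Ehcache code): a TGT works only while both layers accept it."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Limits:                      # hypothetical helper; 0 means "no limit"
    ttl: int                       # max seconds since creation
    tti: int                       # max seconds since last use

    def alive(self, created, last_used, now):
        if self.ttl and now - created >= self.ttl:
            return False
        return not (self.tti and now - last_used >= self.tti)

# Numbers from the posted property file and ticketRegistry.xml.
STANDARD_POLICY = Limits(ttl=14400, tti=3600)       # TicketGrantingTicketExpirationPolicy
REMEMBER_ME_POLICY = Limits(ttl=0, tti=15768000)    # TimeoutExpirationPolicy (idle-based)
CACHE_AS_POSTED = Limits(ttl=14400, tti=3600)       # cas_tgt timeToLive / timeToIdle
CACHE_HALF_YEAR = Limits(ttl=15768000, tti=0)       # the alternative raised in the post

def first_rejection(policy, cache, access_every, horizon):
    """Replay one login used every `access_every` seconds; return (time, layer) of the
    first refused request, or (None, "still-valid") if it survives `horizon` seconds."""
    created = last_used = 0
    for now in range(access_every, horizon + 1, access_every):
        if not cache.alive(created, last_used, now):
            return now, "ehcache"          # element expired: the cookie names a missing ticket
        if not policy.alive(created, last_used, now):   # assumed: policy checked after lookup
            return now, "cas-policy"       # element still cached, but CAS refuses it
        last_used = now
    return None, "still-valid"

def abandoned_residency(cache):
    """Seconds a ticket that is never used again can stay in the cache."""
    limits = [v for v in (cache.ttl, cache.tti) if v]
    return min(limits) if limits else None

if __name__ == "__main__":
    week = 7 * 24 * 3600
    for p_name, policy in (("standard", STANDARD_POLICY), ("remember-me", REMEMBER_ME_POLICY)):
        for c_name, cache in (("as posted", CACHE_AS_POSTED), ("half year", CACHE_HALF_YEAR)):
            print(p_name, "/", c_name, "->", first_rejection(policy, cache, 1800, week),
                  "abandoned ticket cached for", abandoned_residency(cache), "s")
```

In this model the half-year cache setting still refuses a standard ticket at 14400 s through the CAS policy, but an abandoned ticket can stay cached for the full 15768000 s, which is the concern the post raises.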


Ray Bon

Sep 27, 2017, 1:14:18 PM
to cas-...@apereo.org
Martin,

We used ehcache with CAS 3.5.2.1 and it proved less than acceptable.

Ehcache was slow at replicating, preventing round robin (active/active) load balancing.
We created a custom keep-me-signed-in and cache listener. Although ehcache would listen to the listener and restore the ticket when keep-me-signed-in said the ticket was still valid, it would return an invalid to CAS (before calling keep-me-signed-in) resulting in the user having to log in again. We had to set ehcache timeout to 2 hours with no long term session option instead of ehcache checking every 10 min.
The 2 hour window in ehcache then resulted in ehcache having to process a large (GB) file of tickets which overwhelmed the server.

In general, ehcache has its own expiration policy. I am not sure how to get it to match what you set in CAS.

I have been stung. I am now moving to hazelcast.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca