CAS web app does not idle timeout


Yan Zhou

Jul 25, 2016, 3:17:17 PM
to CAS Community
Hi there,

I have a CAS 4.1.9 overlay setup; below is a section of my web.xml. The CAS app should time out in 15 minutes, but it does not.

On the login page, I waited for 20 minutes and I can still log in; CAS does not time out.

How can I debug this?

    <session-config>
        <session-timeout>15</session-timeout>
        <cookie-config>
            <name>CASSESSIONID</name>
        </cookie-config>
    </session-config>


Thx,
Yan




Misagh Moayyed

Jul 25, 2016, 5:27:26 PM
to CAS Community

Yan Zhou

Jul 26, 2016, 1:20:45 PM
to CAS Community

Hi, Misagh,

Thanks, but I was not talking about ticket timeout, etc.

I extended the CAS login flow so that a first-time user will be required to change his password, confirm his email address, etc., before he is authenticated successfully by CAS. If the user stops in the middle of the login flow, the app does not time out.

He can go away for an hour and come back, and everything still works. I was surprised by that; I thought my 15-minute idle session timeout would have taken effect, and the user would be redirected to the login page after he is gone for an hour and then attempts to continue the flow.

Do you have any insights into this?

Thanks,
Yan

Misagh Moayyed

Jul 26, 2016, 2:12:39 PM
to CAS Community
Your user is obviously and reportedly authenticated successfully. Otherwise you won’t see the login page. Examine your flow orchestration. Web flow/Web timeout settings are irrelevant here.

-- 
Misagh

Yan Zhou

Jul 28, 2016, 10:46:54 AM
to CAS Community, mmoa...@unicon.net
Hello,

Still trying to understand if I missed something in the login flow setup.

I switched to the original login flow that came with CAS 4.1.x, and forced the user to go to the "success with warning" view, so that I can observe what happens if the user walks away for a while (in the middle of the login flow), then comes back and clicks on "continue".

This is what I noticed. The flow continues even after the idle session timeout has elapsed. The reason it continues is that the flow resumes execution and flow variables are restored. Does that sound right?

This does not seem to be the case with CAS 3.5.x. With my login flow in CAS 3.5.x, I will be redirected to the login page if I walk away in the middle of the login flow, come back, and attempt to resume.

Here are the logs. Is this a CAS question or a Spring Web Flow question? I am just surprised that a flow can last that long, even after the session expired.

2016-07-28 10:27:23,657 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Null ModelAndView returned to DispatcherServlet with name 'cas': assuming HandlerAdapter completed request handling
2016-07-28 10:27:23,657 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Successfully completed request
2016-07-28 10:28:46,757 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.
2016-07-28 10:28:46,955 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 17 services.
2016-07-28 10:30:46,726 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.
2016-07-28 10:30:46,912 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 17 services.
2016-07-28 10:32:46,727 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.
2016-07-28 10:32:46,912 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 17 services.
2016-07-28 10:32:50,369 DEBUG [org.springframework.web.servlet.DispatcherServlet] - DispatcherServlet with name 'cas' processing GET request for [/cas/login]
2016-07-28 10:32:50,370 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - Looking up handler method for path /login
2016-07-28 10:32:50,377 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - Did not find handler method for [/login]
2016-07-28 10:32:50,378 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - Mapping request with URI '/cas/login' to flow with id 'login'
2016-07-28 10:32:50,378 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Last-Modified value for [/cas/login] is: -1
2016-07-28 10:32:50,379 DEBUG [org.springframework.webflow.executor.FlowExecutorImpl] - Resuming flow execution with key '996ee856-f8e1-4441-aa0b-
2016-07-28 10:32:50,388 DEBUG [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - Getting FlowDefinition with id 'login'
2016-07-28 10:32:50,388 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - Resuming in org.springframework.webflow.mvc.servlet.MvcExternalContext@32685dcd
2016-07-28 10:32:50,388 DEBUG [org.springframework.webflow.engine.Flow] - Restoring [FlowVariable@377ed8ad name = 'credential', valueFactory = [BeanFactoryVariableValueFactory@68c36251 type = UsernamePasswordCredential]]
2016-07-28 10:32:50,389 DEBUG [org.springframework.webflow.mvc.view.AbstractMvcView] - Processing user event 'proceed'
2016-07-28 10:32:50,389 DEBUG [org.springframework.webflow.mvc.view.AbstractMvcView] - No model to bind to; done processing user event
2016-07-28 10:32:50,389 DEBUG [org.springframework.webflow.engine.ViewState] - Event 'proceed' returned from view [ServletMvcView@61e65795 view = org.springframework.web.servlet.view.JstlView: name 'casLoginMessageView'; URL [/WEB-INF/view/jsp/default/ui/casLoginMessageView.jsp]]
2016-07-28 10:32:50,389 DEBUG [org.springframework.webflow.engine.Transition] - Executing [Transition@59802969 on = proceed, to = serviceCheck]
2016-07-28 10:32:50,389 DEBUG [org.springframework.webflow.engine.Transition] - Exiting state 'showMessages'
2016-07-28 10:32:50,390 DEBUG [org.springframework.webflow.engine.DecisionState] - Entering state 'serviceCheck' of flow 'login'
2016-07-28 10:32:50,391 DEBUG [org.springframework.webflow.engine.Transition] - Executing [Transition@6d1eda66 on = *, to = viewGenericLoginSuccess]
2016-07-28 10:32:50,391 DEBUG [org.springframework.webflow.engine.Transition] - Exiting state 'serviceCheck'
2016-07-28 10:32:50,391 DEBUG [org.springframework.webflow.engine.EndState] - Entering state 'viewGenericLoginSuccess' of flow 'login'
2016-07-28 10:32:50,391 DEBUG [org.springframework.webflow.execution.ActionExecutor] - Executing [EvaluateAction@4949682 expression = genericSuccessViewAction.getAuthenticationPrincipal(flowScope.ticketGrantingTicketId), resultExpression = requestScope.principal]
2016-07-28 10:32:50,391 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - Putting action execution attributes map[[empty]]
2016-07-28 10:32:50,449 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - Clearing action execution attributes map[[empty]]
2016-07-28 10:32:50,449 DEBUG [org.springframework.webflow.execution.ActionExecutor] - Finished executing [EvaluateAction@4949682 expression = genericSuccessViewAction.getAuthenticationPrincipal(flowScope.ticketGrantingTicketId), resultExpression = requestScope.principal]; result = success
2016-07-28 10:32:50,449 DEBUG [org.springframework.webflow.execution.ActionExecutor] - Executing org.springframework.webflow.action.ViewFactoryActionAdapter@6387ebfb
2016-07-28 10:32:50,450 DEBUG [org.springframework.webflow.mvc.view.AbstractMvcView] - Rendering MVC [org.springframework.web.servlet.view.JstlView: name 'casGenericSuccessView'; URL [/WEB-INF/view/jsp/default/ui/casGenericSuccessView.jsp]] with model map [{flowRequestContext=[RequestControlContextImpl@7f5597dd externalContext = org.springframework.webflow.mvc.servlet.MvcExternalContext@32685dcd, currentEvent = proceed, requestScope = map['principal' -> y], attributes = map[[empty]], messageContext = [DefaultMessageContext@4c656f7a sourceMessages = map[[null] -> list[[empty]]]], flowExecution = [FlowExecutionImpl@1779d9c5 flow = 'login', flowSessions = list[[FlowSessionImpl@40c8208d flow = 'login', state = 'viewGenericLoginSuccess', scope = map['service' -> [null], 'warnCookieValue' -> false, 'ticketGrantingTicketId' -> 'TGT-**********************************************XAUspgxjuc-localhost.dev.medplus.com', 'credential' -> y]]]]], flashScope=map[[empty]], principal=y, currentUser=null, service=null, flowExecutionKey=996ee856-f8e1-4441-aa0b-
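
One way to check from the DEBUG log itself whether a flow was resumed after the idle timeout, as an added example that is not part of the original thread: it measures the idle gap before each `Resuming flow execution` entry and compares it with the `<session-timeout>` value. The sample lines are constructed in the thread's log format, and the function name `late_resumes` is hypothetical; it assumes a single-user test instance, since these log lines carry no session identifier.

```python
import re
from datetime import datetime, timedelta

# Layout of the log lines quoted in this thread:
# "2016-07-28 10:32:50,379 DEBUG [logger] - message"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+\s+\[([^\]]+)\] - (.*)$")

def late_resumes(lines, session_timeout_minutes):
    """Return (timestamp, idle, exceeded) for every flow resume in the log."""
    limit = timedelta(minutes=session_timeout_minutes)
    last_request_end = None
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # wrapped or truncated lines carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        logger, msg = m.group(2), m.group(3)
        if (logger.endswith(".FlowExecutorImpl")
                and msg.startswith("Resuming flow execution")):
            if last_request_end is not None:
                idle = ts - last_request_end
                findings.append((ts, idle, idle > limit))
        elif (logger.endswith(".DispatcherServlet")
                and msg.startswith("Successfully completed request")):
            # Only completed HTTP requests count as user activity; the
            # periodic "Reloading registered services" entries do not.
            last_request_end = ts
    return findings

# Constructed sample in the thread's log format (not taken from the post).
DS = "[org.springframework.web.servlet.DispatcherServlet]"
FE = "[org.springframework.webflow.executor.FlowExecutorImpl]"
SM = "[org.jasig.cas.services.DefaultServicesManagerImpl]"
SAMPLE = [
    f"2016-07-28 10:00:00,100 DEBUG {DS} - Successfully completed request",
    f"2016-07-28 10:02:00,000 INFO {SM} - Reloading registered services.",
    f"2016-07-28 10:20:30,200 DEBUG {DS} - DispatcherServlet with name 'cas' processing GET request for [/cas/login]",
    f"2016-07-28 10:20:30,210 DEBUG {FE} - Resuming flow execution with key 'PLACEHOLDER-KEY'",
    f"2016-07-28 10:20:30,400 DEBUG {DS} - Successfully completed request",
    f"2016-07-28 10:21:00,010 DEBUG {FE} - Resuming flow execution with key 'PLACEHOLDER-KEY'",
]

if __name__ == "__main__":
    for ts, idle, exceeded in late_resumes(SAMPLE, 15):
        print(ts, idle, "RESUMED AFTER TIMEOUT" if exceeded else "ok")
```
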