TGT expiration problem

[HURTEVENT VINCENT]

Hello,

We are using CAS Server 4.2.6 for few weeks now but we’re facing a problem with the SSO lifetime.

The ticket registry used is EhCache and the RememberMe feature is enabled, you can find the settings in this gist : 

<https://gist.github.com/vhurteve/af4a563645a7eaf131ccc9772c4f312a>

We would like default TGT lifetime of 12 hours (43200s) and a rememberMe of 7 days (604800s)

SSO works but it doesn’t last as expected, forcing users to reauthenticate. The SSO lifetime seems random and barely 2 hours long.

I tried the neverExpire policy but I still have the problem. I tried to investigate the problem logging EhCache in debug mode but there’s no message about forced eviction or something like this. I choosed large ehcache settings, enough memory settings, with disk overflow, but no amelioration.

The TGT, ST, TGC settings are set in a cas.properties file correctly loaded by the server as the other settings (ldap servers, ehcache, encryption, etc) are well applied.

Where could be the problem ?

Bonus question, the TGT seems linked to username/Client IP/UserAgent, which is not the behavior in version 3.5.x I think where the IP didn’t come into the equation.

As the users are more and more moving and switching network settings, it could be a problem. How I can link the TGT to username and UA only ?

Thank you,

[Ray Bon]

Vincent,

Ehcache has its own expiration policy. Look at timeToLive, timeToIdle for bean class org.springframework.cache.ehcache.EhCacheFactoryBean.

Ray

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/224C52C7-D018-4D71-B5C1-CFFC75310683%40univ-lyon1.fr.

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE C023 | rb...@uvic.ca

[HURTEVENT VINCENT]

Hello Ray,

EhCache has these settings to suit TGT lifetime :

ehcache.cache.st.name=org.jasig.cas.ticket.ServiceTicket
ehcache.cache.st.timeIdle=0
ehcache.cache.st.timeAlive=300
ehcache.cache.tgt.name=org.jasig.cas.ticket.TicketGrantingTicket
ehcache.cache.tgt.timeIdle=0
ehcache.cache.tgt.timeAlive=604800

> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/247752f5-c6dd-a634-db9c-fbf74e9cbbea%40uvic.ca.

[Ray Bon]

Vincent,

Try this logger to make sure ehcache is getting the correct timers:
<!-- at DEBUG prints Found system property value of ... -->
<logger name="net.sf.ehcache.config">
<level value="DEBUG" />
</logger>

Ray

[HURTEVENT VINCENT]

Hi,

I already done that, but at startup there is no log about the timeToIdleSeconds and timeToLiveSeconds.

I tried to follow the files which configures the EhCache registry. In the file ehcache-ticket-registry.xml in the bean describing the cache for TGT registry doesn’t inherit from the bean abstractTicketCache whereas serviceTicket does.

I think it’s a problem because the settings about memory max element, disk overflow, etc, doesn’t apply to the TGT cache which needs more persistence than serviceTicket.

How I can (where to put my file), using the maven overlay method, to replace this default file ?

> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/511451ab-e1e4-2dd1-4d9e-ee85fecf46de%40uvic.ca.

[Ray Bon]

In your project, create a directory path that exactly matches the one in
CAS. Copy ehcache-ticket-registry.xml into your project. Edit as you see
fit.

Ray