[cas-user] Ticket validation failed when IP changed ?


Hendrik Coetzee

unread,
Jan 24, 2013, 4:45:46 AM1/24/13
to cas-...@lists.jasig.org

Good day,

 

We have an intermittent error that appears on ticket expiry,

here is what we can see in the logs from the catalina.out file:

2013-01-23 14:54:05,556 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za] for service [https://vula.uct.ac.za:443/sakai-login-tool/container] for user [<userid>]>

2013-01-23 14:54:05,557 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================

WHO: <userid>

WHAT: ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za for https://vula.uct.ac.za:443/sakai-login-tool/container

ACTION: SERVICE_TICKET_CREATED

APPLICATION: CAS

WHEN: Wed Jan 23 14:54:05 SAST 2013

CLIENT IP ADDRESS: 93.186.23.81

SERVER IP ADDRESS: 137.158.154.74

=============================================================

2013-01-23 14:54:25,982 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za] has expired.>

2013-01-23 14:54:25,982 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================

WHO: audit:unknown

WHAT: ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za

ACTION: SERVICE_TICKET_VALIDATE_FAILED

APPLICATION: CAS

WHEN: Wed Jan 23 14:54:25 SAST 2013

CLIENT IP ADDRESS: 137.158.155.16

SERVER IP ADDRESS: 137.158.154.74

=============================================================

 

On the Apache side the following can be detected:

 

[23/Jan/2013:14:54:25 +0200] 93.186.31.83 TLSv1 DHE-RSA-AES128-SHA "GET /sakai-login-tool/container?ticket=ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za HTTP/1.1" 749 "https://login.uct.ac.za/cas/login?service=https%3A%2F%2Fvula.uct.ac.za%3A443%2Fsakai-login-tool%2Fcontainer" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en-GB) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.342 Mobile Safari/534.11+" 13467 13364 500

 

Sakai tomcat app server logs:

 

2013-01-23 14:54:25,987 WARN ajp-bio-8009-exec-723 org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter - org.jasig.cas.client.validation.TicketValidationException:

                ticket 'ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za' not recognized

 

org.jasig.cas.client.validation.TicketValidationException:

                ticket 'ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za' not recognized

 

        at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:86)

        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217)

        at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:165)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

        at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

        at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:695)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)

        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)

        at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:200)

        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)

        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)

        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

        at java.lang.Thread.run(Thread.java:662)

 

Any ideas on what could be causing this ?

 

Current Configuration:

CAS      3.5.1

Mysql  5.0.96

Maven 3.0.4

Tomcat 7.0.28

Jdk 1.7.0_06

 

Thanks

 

Bernard

 

 


UNIVERSITY OF CAPE TOWN

This e-mail is subject to the UCT ICT policies and e-mail disclaimer published on our website at http://www.uct.ac.za/about/policies/emaildisclaimer/ or obtainable from +27 21 650 9111. This e-mail is intended only for the person(s) to whom it is addressed. If the e-mail has reached you in error, please notify the author. If you are not the intended recipient of the e-mail you may not use, disclose, copy, redirect or print the content. If this e-mail is not related to the business of UCT it is sent by the sender in the sender's individual capacity.
-- 
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

Dmitriy Kopylenko

unread,
Jan 24, 2013, 6:57:00 AM1/24/13
to cas-...@lists.jasig.org
From the log entries, it seems that the ST in question has expired, therefore it is considered invalid.

Dmitriy.

Sent from my iPhone

Ohsie, David

unread,
Jan 24, 2013, 10:43:45 AM1/24/13
to cas-...@lists.jasig.org

> Thanks gents,

 

> As stated this is not a problem happening continuously, but today we had an occurrence of 26 vs. 3514 successful logins.

> Also I ruled out the timeout as seen on the log, it is within minutes of the original request...

 

The default ST (Service Ticket) expiration period is very short (10 seconds).  In your example below, the delay to validate the ticket is 20 seconds.   It makes perfect sense that you see this only intermittently, because only intermittently will you see validations that take  more than the ST expiration interval.

 

I suggest bumping up your ST expiration period to 1 minute or so.   You can parse through the logs to see how long ST validations are taking and adjust appropriately.

 

> One of the differences that is apparent is the differing IPs, but I am unsure if changing IPs causes ticket validation to fail?

 

> Any clues appreciated.

 

David Ohsie

Software Architect

EMC Corporation

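David's suggestion to parse the logs for validation latency, worked through as an added example (my code, not from the thread or the CAS project). It reads the inspektr audit records in the catalina.out layout shown above, pairs each SERVICE_TICKET_CREATED record with the validation record carrying the same ST id, and reports the delay and the outcome. The sample log is constructed from the thread's format with made-up ticket ids and users; the success action name SERVICE_TICKET_VALIDATED is an assumption, since only SERVICE_TICKET_VALIDATE_FAILED appears in the thread. It also keeps both CLIENT IP ADDRESS values: in the CAS protocol the browser hits /login, but /serviceValidate is called by the application server (Sakai, 137.158.155.16 above), so the two records are expected to show different addresses, and the expiration policy bean quoted later in the thread takes only numberOfUses and timeToKill.

```python
"""Added example: measure CAS service-ticket validation latency from catalina.out audit records."""
import math
import re
from datetime import datetime

SVC = "https://vula.uct.ac.za:443/sakai-login-tool/container"
APP_SERVER = "137.158.155.16"   # the Sakai host that calls /serviceValidate


def _audit_record(ts, who, what, action, client_ip):
    """Render one inspektr audit record in the catalina.out layout shown in the thread."""
    return "\n".join([
        f"{ts} INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN",
        "=" * 61,
        f"WHO: {who}", f"WHAT: {what}", f"ACTION: {action}", "APPLICATION: CAS",
        f"CLIENT IP ADDRESS: {client_ip}", "SERVER IP ADDRESS: 137.158.154.74",
        "=" * 61, ""])


# Constructed sample (not real data): one ticket validated 20.4 s after issue (the thread's
# case), one validated promptly, one validated just over the 10 s default.
# SERVICE_TICKET_VALIDATED is an assumed success action name; only _FAILED appears in the thread.
SAMPLE_LOG = "".join([
    _audit_record("2013-01-23 14:54:05,557", "alice", f"ST-13215-aaaa-cas001 for {SVC}", "SERVICE_TICKET_CREATED", "93.186.23.81"),
    _audit_record("2013-01-23 14:54:25,982", "audit:unknown", "ST-13215-aaaa-cas001", "SERVICE_TICKET_VALIDATE_FAILED", APP_SERVER),
    _audit_record("2013-01-23 14:55:00,100", "bob", f"ST-13216-bbbb-cas001 for {SVC}", "SERVICE_TICKET_CREATED", "93.186.31.83"),
    _audit_record("2013-01-23 14:55:01,300", "bob", "ST-13216-bbbb-cas001", "SERVICE_TICKET_VALIDATED", APP_SERVER),
    _audit_record("2013-01-23 14:56:10,000", "carol", f"ST-13217-cccc-cas001 for {SVC}", "SERVICE_TICKET_CREATED", "137.158.200.5"),
    _audit_record("2013-01-23 14:56:21,500", "audit:unknown", "ST-13217-cccc-cas001", "SERVICE_TICKET_VALIDATE_FAILED", APP_SERVER),
])

BEGIN_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) .*Audit trail record BEGIN")
FIELD_RE = re.compile(r"^([A-Z ]+): (.*)$")
TICKET_RE = re.compile(r"\bST-\S+")
VALIDATE_ACTIONS = ("SERVICE_TICKET_VALIDATED", "SERVICE_TICKET_VALIDATE_FAILED")


def parse_audit_records(text):
    """Return one dict per audit record; 'ts' is the log-line timestamp of the BEGIN line."""
    records, current = [], None
    for line in text.splitlines():
        m = BEGIN_RE.match(line)
        if m:
            current = {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")}
            continue
        if current is None:
            continue
        if line.startswith("====="):
            if "ACTION" in current:        # the second separator closes the record
                records.append(current)
                current = None
            continue
        f = FIELD_RE.match(line)
        if f:
            current[f.group(1)] = f.group(2)
    return records


def validation_delays(records):
    """Pair each SERVICE_TICKET_CREATED record with the validation record for the same ST id."""
    created, out = {}, []
    for r in records:
        m = TICKET_RE.search(r.get("WHAT", ""))
        if not m:
            continue
        tid, action = m.group(0), r.get("ACTION", "")
        if action == "SERVICE_TICKET_CREATED":
            created[tid] = r
        elif action in VALIDATE_ACTIONS and tid in created:
            c = created.pop(tid)
            out.append({"ticket": tid, "user": c.get("WHO"),
                        "delay_s": (r["ts"] - c["ts"]).total_seconds(),
                        "outcome": action,
                        "browser_ip": c.get("CLIENT IP ADDRESS"),      # who logged in
                        "validator_ip": r.get("CLIENT IP ADDRESS")})   # who called /serviceValidate
    return out


def over_ttl(delays, ttl_s):
    return [d for d in delays if d["delay_s"] > ttl_s]


def suggested_ttl(delays, headroom=2.0, floor_s=10):
    """Crude heuristic: slowest observed validation times a headroom factor, never below the default."""
    if not delays:
        return floor_s
    return max(floor_s, math.ceil(max(d["delay_s"] for d in delays) * headroom))


if __name__ == "__main__":
    delays = validation_delays(parse_audit_records(SAMPLE_LOG))
    for d in delays:
        print(f"{d['ticket']}: {d['delay_s']:.3f}s {d['outcome']} browser={d['browser_ip']} validator={d['validator_ip']}")
    print("over 10 s:", [d["ticket"] for d in over_ttl(delays, 10)])
    print("suggested st.timeToKillInSeconds:", suggested_ttl(delays))
```

Run it against a real catalina.out by replacing SAMPLE_LOG with the file contents; on a busy server the interesting number is the tail of the delay distribution, not the mean, which is why suggested_ttl works from the slowest validation rather than the average.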

Hendrik Coetzee

unread,
Jan 25, 2013, 2:16:24 AM1/25/13
to cas-...@lists.jasig.org

Thanks,

 

I’ll make the changes and report back.

 

Appreciated !


Hendrik Coetzee

unread,
Jan 25, 2013, 2:23:49 AM1/25/13
to cas-...@lists.jasig.org

Looks correct on this – Thanks !

 

From “serviceTicketExpirationPolicy.xml” default set to…

 

    <util:constant id="SECONDS" static-field="java.util.concurrent.TimeUnit.SECONDS"/>

    <bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"

          c:numberOfUses="1" c:timeToKill="${st.timeToKillInSeconds:10}" c:timeUnit-ref="SECONDS"/>

 

Changing to a minute and keeping an eye on responses on log-file.

 

Perfect !

 

Cheers

 


Ohsie, David

unread,
Jan 25, 2013, 2:54:15 PM1/25/13
to cas-...@lists.jasig.org

I believe that you can set this in the cas.properties file:

 

##

# Service Ticket Timeout

# Default sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml

#

# Service Ticket timeout - typically kept short as a control against replay attacks, default is 10s.  You'll want to

# increase this timeout if you are manually testing service ticket creation/validation via tamperdata or similar tools

# st.timeToKillInSeconds=10
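The comment above keeps the ST timeout short "as a control against replay attacks", and it is worth being precise about what raising it to 60 s changes. This added model is my code, not from the thread or the CAS project: a simplified stand-in for the MultiTimeUseOrTimeoutExpirationPolicy bean quoted earlier in the thread, keeping its two constructor arguments (numberOfUses and timeToKill). Measuring elapsed time from creation and the reason strings are assumptions for illustration. It runs the thread's 20.4 s delay against both TTLs, then shows that a ticket the service has already validated is rejected on replay whatever the TTL, because numberOfUses="1" consumes it, while the TTL only bounds how long an unconsumed ticket stays valid; 60 s is therefore the exposure window for a ticket captured before Sakai presented it.

```python
"""Added example: a model of CAS's single-use-or-timeout service ticket policy."""
from dataclasses import dataclass


@dataclass
class ServiceTicket:
    ticket_id: str
    created_at: float   # seconds on some clock
    uses: int = 0


class MultiTimeUseOrTimeoutPolicy:
    """Simplified stand-in for org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy:
    a ticket is expired once it has been used numberOfUses times OR timeToKill has elapsed.
    Assumption: elapsed time is measured from creation (adequate for a single-use ST)."""

    def __init__(self, number_of_uses, time_to_kill_s):
        self.number_of_uses = number_of_uses
        self.time_to_kill_s = time_to_kill_s

    def is_expired(self, ticket, now):
        return (ticket.uses >= self.number_of_uses
                or now - ticket.created_at >= self.time_to_kill_s)


class ServiceTicketRegistry:
    """Enough of the CAS server's validate path to show which requests the policy rejects."""

    def __init__(self, policy):
        self.policy, self.tickets = policy, {}

    def grant(self, ticket_id, now):
        self.tickets[ticket_id] = ServiceTicket(ticket_id, now)

    def validate(self, ticket_id, now):
        """Return (accepted, reason). Reason strings are illustrative, not CAS's own."""
        t = self.tickets.get(ticket_id)
        if t is None:
            return False, "not recognized"      # never issued, or already consumed and removed
        if self.policy.is_expired(t, now):
            del self.tickets[ticket_id]
            return False, "expired"
        t.uses += 1
        if self.policy.is_expired(t, now):       # single use: drop it right after consumption
            del self.tickets[ticket_id]
        return True, "validated"


# --- scenarios ---------------------------------------------------------------

THREAD_DELAY_S = 20.425   # 14:54:05,557 -> 14:54:25,982 in the thread's log


def thread_case(ttl_s, delay_s=THREAD_DELAY_S):
    """Sakai validates the ST delay_s after CAS granted it."""
    reg = ServiceTicketRegistry(MultiTimeUseOrTimeoutPolicy(1, ttl_s))
    reg.grant("ST-1", 0.0)
    return reg.validate("ST-1", delay_s)


def replay_after_consumption(ttl_s):
    """The legitimate validation, then a replay of the same ticket one second later."""
    reg = ServiceTicketRegistry(MultiTimeUseOrTimeoutPolicy(1, ttl_s))
    reg.grant("ST-2", 0.0)
    return reg.validate("ST-2", 1.0), reg.validate("ST-2", 2.0)


def replay_of_unconsumed(ttl_s, attacker_delay_s):
    """An ST captured in flight and presented before the real service used it."""
    reg = ServiceTicketRegistry(MultiTimeUseOrTimeoutPolicy(1, ttl_s))
    reg.grant("ST-3", 0.0)
    return reg.validate("ST-3", attacker_delay_s)


if __name__ == "__main__":
    print("thread case, TTL 10:", thread_case(10))
    print("thread case, TTL 60:", thread_case(60))
    print("legit then replay, TTL 60:", replay_after_consumption(60))
    print("unconsumed replay at 30 s, TTL 10:", replay_of_unconsumed(10, 30.0))
    print("unconsumed replay at 30 s, TTL 60:", replay_of_unconsumed(60, 30.0))
```

The practical reading: raise st.timeToKillInSeconds only as far as the measured validation tail needs, since every extra second is time during which a ticket leaked from a URL, proxy log or referer header can still be redeemed before the legitimate service gets to it.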

Hendrik Coetzee

unread,
Jan 28, 2013, 12:34:36 AM1/28/13
to cas-...@lists.jasig.org

Thanks,

 

Will test this option, thanks.

Prefer keeping the configuration options separate if possible - so this will be a better “location”.

 

Appreciated
