Good day,
We have an intermittent error that appears on ticket expiry,
here is what we can see in the logs from the catalina.out file:
2013-01-23 14:54:05,556 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za] for service [https://vula.uct.ac.za:443/sakai-login-tool/container] for user [<userid>]>
2013-01-23 14:54:05,557 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: <userid>
WHAT: ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za for https://vula.uct.ac.za:443/sakai-login-tool/container
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jan 23 14:54:05 SAST 2013
CLIENT IP ADDRESS: 93.186.23.81
SERVER IP ADDRESS: 137.158.154.74
=============================================================
2013-01-23 14:54:25,982 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za] has expired.>
2013-01-23 14:54:25,982 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Wed Jan 23 14:54:25 SAST 2013
CLIENT IP ADDRESS: 137.158.155.16
SERVER IP ADDRESS: 137.158.154.74
=============================================================
On the Apache side the following can be detected:
[23/Jan/2013:14:54:25 +0200] 93.186.31.83 TLSv1 DHE-RSA-AES128-SHA "GET /sakai-login-tool/container?ticket=ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za HTTP/1.1" 749 "https://login.uct.ac.za/cas/login?service=https%3A%2F%2Fvula.uct.ac.za%3A443%2Fsakai-login-tool%2Fcontainer" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en-GB) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.342 Mobile Safari/534.11+" 13467 13364 500
Sakai tomcat app server logs:
2013-01-23 14:54:25,987 WARN ajp-bio-8009-exec-723 org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter - org.jasig.cas.client.validation.TicketValidationException:
ticket 'ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za' not recognized
org.jasig.cas.client.validation.TicketValidationException:
ticket 'ST-13215-bAqdKgJd2dOR6xObAnYn-srvslscas001.uct.ac.za' not recognized
at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:86)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217)
at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:165)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:695)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:200)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662
Any ideas on what could be causing this ?
Current Configuration:
CAS 3.5.1
Mysql 5.0.96
Maven 3.0.4
Tomcat 7.0.28
Jdk 1.7.0_06
Thanks
Bernard
--
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
> Thanks gents,
> As stated this is not a problem happening continuously, but today we had an occurrence of 26 vs. 3514 successful logins.
> Also I ruled out the timeout as seen on the log, it is within minutes of the original request...
The default ST (Service Ticket) expiration period is very short (10 seconds). In your example below, the delay to validate the ticket is 20 seconds. It makes perfect sense that you see this only intermittently, because only intermittently will you see validations that take more than the ST expiration interval.
I suggest bumping up your ST expiration period to 1 minute or so. You can parse through the logs to see how long ST validations are taking and adjust appropriately.
> One of the differences that is apparent is the differing IP's, but I am unsure if changing IP's causes ticket validation to fail ?
> Any clues appreciated.
David Ohsie
Software Architect
EMC Corporation
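One way to do the log pass suggested above, as an added example that is not part of the original thread: it pairs each SERVICE_TICKET_CREATED audit record with the first validation attempt for the same ticket and reports the delay. The `SERVICE_TICKET_VALIDATED` action name for a successful validation, the helper names and the sample records are assumptions; only the record layout and the other two action names come from the logs quoted in this thread.

```python
import re
from datetime import datetime

BEGIN = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(\d{3}) .*Audit trail record BEGIN")

def audit_events(text):
    """Yield (timestamp, ticket_id, action) for every audit record in the log."""
    ts = ticket = None
    for line in text.splitlines():
        m = BEGIN.match(line)
        if m:  # the log4j timestamp avoids parsing the zone name in WHEN:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            ts = ts.replace(microsecond=int(m.group(2)) * 1000)
            ticket = None
        elif line.startswith("WHAT: "):
            parts = line[6:].split()  # "ST-... for https://..." or just "ST-..."
            ticket = parts[0] if parts else None
        elif line.startswith("ACTION: ") and ts and ticket:
            yield ts, ticket, line[8:].strip()

def validation_delays(text):
    """Map ticket -> (seconds from creation to first validation attempt, outcome)."""
    created, delays = {}, {}
    for ts, ticket, action in audit_events(text):
        if action == "SERVICE_TICKET_CREATED":
            created[ticket] = ts
        # SERVICE_TICKET_VALIDATED (success) is assumed; only _VALIDATE_FAILED is in the thread
        elif action.startswith("SERVICE_TICKET_VALIDATE") and ticket in created:
            delays.setdefault(ticket, ((ts - created[ticket]).total_seconds(), action))
    return delays

def slower_than(delays, timeout_s):
    """Tickets whose first validation arrived after the ST timeout."""
    return sorted(t for t, (secs, _) in delays.items() if secs > timeout_s)

def _record(ts, what, action):  # one constructed audit record in the quoted layout
    logger = "com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
    return (f"{ts} INFO [{logger}] - <Audit trail record BEGIN\n=====\n"
            f"WHO: someuser\nWHAT: {what}\nACTION: {action}\nAPPLICATION: CAS\n=====\n")

# Constructed sample: ST-1 repeats the 20 s gap from the thread, ST-2 is a fast validation.
SAMPLE_LOG = "".join([
    _record("2013-01-23 14:54:05,557", "ST-1-constructed for https://app.example.org/x", "SERVICE_TICKET_CREATED"),
    _record("2013-01-23 14:54:25,982", "ST-1-constructed", "SERVICE_TICKET_VALIDATE_FAILED"),
    _record("2013-01-23 14:55:00,100", "ST-2-constructed for https://app.example.org/x", "SERVICE_TICKET_CREATED"),
    _record("2013-01-23 14:55:01,350", "ST-2-constructed", "SERVICE_TICKET_VALIDATED"),
])

if __name__ == "__main__":
    print(slower_than(validation_delays(SAMPLE_LOG), 10))
```

Run `validation_delays` over the real catalina.out text and size the ST timeout from the slowest legitimate validation observed, keeping it as short as that allows.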
--
Thanks,
I’ll make the changes and report back.
Appreciated !
--
Looks correct on this – Thanks !
From “serviceTicketExpirationPolicy.xml” default set to…
<util:constant id="SECONDS" static-field="java.util.concurrent.TimeUnit.SECONDS"/>
<bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"
c:numberOfUses="1" c:timeToKill="${st.timeToKillInSeconds:10}" c:timeUnit-ref="SECONDS"/>
Changing to a minute and keeping an eye on responses on log-file.
Perfect !
Cheers
From: Ohsie, David [mailto:david...@emc.com]
Sent: 24 January 2013 05:44 PM
To: cas-...@lists.jasig.org
--
I believe that you can set this in the cas.properties file:
##
# Service Ticket Timeout
# Default sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
#
# Service Ticket timeout - typically kept short as a control against replay attacks, default is 10s. You'll want to
# increase this timeout if you are manually testing service ticket creation/validation via tamperdata or similar tools
# st.timeToKillInSeconds=10
Thanks,
Will test this option, thanks.
Prefer keeping the configuration options separate if possible - so this will be a better “location”.
Appreciated