CAS session expiration

Paul Ortman portman at goshen.edu
Tue Jul 3 10:44:36 EDT 2007



Scott Battaglia wrote:
> This is easily changed!  By default (if I recall correctly), the 
> timeout is 6 hours.  In our WEB-INF/applicationContext.xml, there 
> should be ticketGrantingTicketExpirationPolicy defined where you can
> specify the exact length of time.

Thanks for the quick reply, Scott, I appreciate it immensely.  But I
think I need a bit more clarification:

Here are snippets from CAS 3.0.7 which I haven't changed at all from
the download:


<bean
   id="serviceTicketExpirationPolicy"
   class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
   <!-- This argument is the number of times that a ticket can be used before its considered expired. -->
   <constructor-arg
      index="0"
      value="1" />

   <!-- This argument is the time a ticket can exist before its considered expired.  -->
   <constructor-arg
      index="1"
      value="300000" />
</bean>

Arg 0: No reason to change this as each service should only get a
unique ticket once.

Arg 1: What is this measured in (minutes, seconds, etc.)?  Also,
once this expires, and I'm using, for instance, a CASified email
client, what is the behavior as a user and as an application that 
takes place?


<bean
   id="grantingTicketExpirationPolicy"
   class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
   <!-- This argument is the time a ticket can exist before its considered expired.  -->
   <constructor-arg
      index="0"
      value="7200000" />
</bean>

Arg 0: What is this measured in (minutes, seconds, etc.)?  After the
TGT expires, any client that attempts to establish a new connection
will trigger a re-authentication.  Likewise it is up to individual
applications to expire their own sessions after a given time so that
sufficient inactivity will expire the client and the CAS server and
force reauthentication using CAS.  Is that correct?

In general, there seem to be a lot of "time" settings in that file with no comments as to the units (seconds, milliseconds, etc.) being used.  I think it would be helpful to include those attribute notations in the comments in the file.

-- 
Paul Ortman

PGP Key: 55602C81
--


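The following is an added example, not code from CAS or from either poster. It is a small Python model of the two expiration policies quoted in the message, so that the semantics of the arguments can be traced on the values from the 3.0.7 file (value="1"/value="300000" for service tickets, value="7200000" for the ticket-granting ticket). In CAS 3 these time arguments are milliseconds, so 300000 is 5 minutes and 7200000 is 2 hours. One assumption is labelled in the code: that TimeoutExpirationPolicy measures the timeout from the ticket's last use (an inactivity timeout) rather than from its creation, which is my reading of the CAS 3 source and should be confirmed against the version deployed. The Ticket class, use_ticket and describe_ms are helpers invented for the model, not CAS API.

```python
"""Model of CAS 3 ticket expiration policies (added example, not CAS code).

Two policies from WEB-INF/applicationContext.xml are modelled:
  MultiTimeUseOrTimeoutExpirationPolicy(numberOfUses, timeToKillInMilliSeconds)
  TimeoutExpirationPolicy(timeToKillInMilliSeconds)
"""
from dataclasses import dataclass

MS_PER_SECOND = 1000
MS_PER_MINUTE = 60 * MS_PER_SECOND
MS_PER_HOUR = 60 * MS_PER_MINUTE


@dataclass
class Ticket:
    """Only the fields the policies inspect (times are epoch milliseconds). Hypothetical helper."""
    created_ms: int
    last_used_ms: int
    uses: int = 0

    def touch(self, now_ms: int) -> None:
        """Record one successful use of the ticket."""
        self.uses += 1
        self.last_used_ms = now_ms


class TimeoutExpirationPolicy:
    """grantingTicketExpirationPolicy: expired once the ticket has been idle for time_to_kill_ms.

    Assumption: the timeout is measured from the last use, not from creation
    (my reading of the CAS 3 source; verify against your version).
    """

    def __init__(self, time_to_kill_ms: int) -> None:
        self.time_to_kill_ms = time_to_kill_ms

    def is_expired(self, ticket: Ticket, now_ms: int) -> bool:
        return now_ms - ticket.last_used_ms >= self.time_to_kill_ms


class MultiTimeUseOrTimeoutExpirationPolicy:
    """serviceTicketExpirationPolicy: expired after number_of_uses validations OR
    time_to_kill_ms since creation, whichever happens first."""

    def __init__(self, number_of_uses: int, time_to_kill_ms: int) -> None:
        self.number_of_uses = number_of_uses
        self.time_to_kill_ms = time_to_kill_ms

    def is_expired(self, ticket: Ticket, now_ms: int) -> bool:
        too_many_uses = ticket.uses >= self.number_of_uses
        too_old = now_ms - ticket.created_ms >= self.time_to_kill_ms
        return too_many_uses or too_old


def use_ticket(ticket: Ticket, policy, now_ms: int) -> bool:
    """Server-side check: refuse an expired ticket, otherwise record the use and accept."""
    if policy.is_expired(ticket, now_ms):
        return False
    ticket.touch(now_ms)
    return True


def describe_ms(ms: int) -> str:
    """Render a millisecond setting in the largest unit that divides it exactly."""
    if ms % MS_PER_HOUR == 0:
        return f"{ms // MS_PER_HOUR} h"
    if ms % MS_PER_MINUTE == 0:
        return f"{ms // MS_PER_MINUTE} min"
    if ms % MS_PER_SECOND == 0:
        return f"{ms // MS_PER_SECOND} s"
    return f"{ms} ms"


def service_ticket_walkthrough() -> list:
    """Service ticket with value="1" / value="300000":
    first validation succeeds, a replay of the same ticket one second later is refused
    (the single-use argument), and a ticket left unvalidated for 5 min is refused too."""
    policy = MultiTimeUseOrTimeoutExpirationPolicy(1, 300_000)
    t0 = 1_000_000  # constructed epoch-ms timestamp
    st = Ticket(created_ms=t0, last_used_ms=t0)
    results = [use_ticket(st, policy, t0 + 500), use_ticket(st, policy, t0 + 1_500)]
    stale = Ticket(created_ms=t0, last_used_ms=t0)
    results.append(use_ticket(stale, policy, t0 + 300_000))
    return results


def tgt_walkthrough() -> list:
    """TGT with value="7200000": every successful use restarts the idle clock;
    once 2 h pass without use the TGT is dead and the next client gets re-authentication."""
    policy = TimeoutExpirationPolicy(7_200_000)
    t0 = 1_000_000  # constructed epoch-ms timestamp
    tgt = Ticket(created_ms=t0, last_used_ms=t0)
    return [
        use_ticket(tgt, policy, t0 + 1 * MS_PER_HOUR),      # accepted, idle clock restarts
        use_ticket(tgt, policy, t0 + 2 * MS_PER_HOUR + 1),  # accepted, only 1 h idle
        use_ticket(tgt, policy, t0 + 4 * MS_PER_HOUR + 1),  # refused, 2 h idle since last use
    ]


if __name__ == "__main__":
    print("serviceTicket timeout:", describe_ms(300_000))
    print("grantingTicket timeout:", describe_ms(7_200_000))
    print("service ticket checks:", service_ticket_walkthrough())
    print("TGT checks:", tgt_walkthrough())
```

The TGT walkthrough is the part worth comparing with the question about who expires what: with an inactivity-based policy, an application that keeps re-contacting CAS (for example by redirecting users through /login on each of its own session expiries) keeps the TGT alive, so the 7200000 value bounds idle time at CAS, not total session length, and each CASified application still has to manage its own session lifetime.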