CAS-1003

Provide a TicketGrantingTicket expiration policy that incorporates both a hard timeout and sliding window idle timeout

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.4.9
    • Fix Version/s: 3.4.10
    • Component/s: None
    • Labels: None

      Description

      Create a MultiPolicyPollingTicketExpirationPolicy which takes as a dependency a List of TicketExpirationPolicies and polls this List in order to determine its opinion. Fail fast - on a child policy vote to expire, return that decision and don't bother polling remaining child policies if any.

      This would enable combining hard timeout and sliding window idle timeout. It is anticipated that most adopters of idle timeout would also want a hard timeout, even if a long such timeout, to prevent an SSO session from being held open indefinitely (dodging the pathological case where a CAS SSO session is hijacked, say via a browser session left open, and that hijacking results in a months-long ability to SSO as that user).

      The existing ticket expiration policies suggest that combining policies in this way is already desirable.

      https://source.jasig.org/cas3/tags/cas-server-3.4.8/cas-server-core/src/main/java/org/jasig/cas/ticket/support/

      The default ticketExpirationPolicies.xml configuration should then be changed from infinitely renewable sliding idle timeout window to a combination of the idle timeout and the hard timeout for TGTs.
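As an added illustration, not code from CAS itself, the following self-contained Java sketch shows the polling composite the issue describes, with a sliding idle window on its own beside the idle-plus-hard combination. The `TicketState` and `ExpirationPolicy` interfaces here are assumed simplifications of the CAS ones (the real ones carry more state, such as the count of uses), and the class and method names are illustrative.

```java
import java.util.Arrays;
import java.util.List;

// Simplified stand-ins for CAS's ExpirationPolicy and TicketState (an assumption for this
// example; the real CAS interfaces carry more state, such as the count of uses).
interface TicketState { long getCreationTime(); long getLastTimeUsed(); }
interface ExpirationPolicy { boolean isExpired(TicketState state); }

// The composite described in the issue: poll child policies in order and fail fast on the
// first "expired" vote, so later policies are not consulted once one has voted to expire.
class MultiPolicyPollingTicketExpirationPolicy implements ExpirationPolicy {
    private final List<ExpirationPolicy> policies;
    MultiPolicyPollingTicketExpirationPolicy(List<ExpirationPolicy> policies) { this.policies = policies; }
    public boolean isExpired(TicketState s) {
        for (ExpirationPolicy p : policies) {
            if (p.isExpired(s)) return true;
        }
        return false;
    }
}

public class TgtExpirationDemo {
    static final long HOUR = 3_600_000L;
    static long now;  // simulated clock so the run is deterministic

    // Sliding idle window: every use restarts it, so alone it can be renewed forever.
    static ExpirationPolicy idleTimeout(long idleMs) { return s -> now - s.getLastTimeUsed() >= idleMs; }
    // Hard timeout: fixed lifetime from creation, however active the session is.
    static ExpirationPolicy hardTimeout(long ttlMs) { return s -> now - s.getCreationTime() >= ttlMs; }

    static TicketState tgt(long created, long lastUsed) {
        return new TicketState() {
            public long getCreationTime() { return created; }
            public long getLastTimeUsed() { return lastUsed; }
        };
    }

    public static void main(String[] args) {
        ExpirationPolicy idleOnly = idleTimeout(2 * HOUR);  // the old default: infinitely renewable
        ExpirationPolicy combined = new MultiPolicyPollingTicketExpirationPolicy(
            Arrays.asList(idleTimeout(2 * HOUR), hardTimeout(8 * HOUR)));
        // The issue's pathological case: a session kept alive by one use every hour, indefinitely.
        for (long t = 0; t <= 10 * HOUR; t += HOUR) {
            now = t;
            TicketState s = tgt(0L, t);  // created at 0, just used now
            System.out.printf("t=%2dh idleOnly=%-5b combined=%b%n",
                t / HOUR, idleOnly.isExpired(s), combined.isExpired(s));
        }
    }
}
```

With idle-only policy the TGT never expires in this run; with the combination it is reported expired from the 8-hour mark onward, regardless of continued use.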


            People

            • Assignee: wgthom (WilliamT)
            • Reporter: awp9 (Andrew Petro)
            • Votes: 0
            • Watchers: 1
