Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Whence this page?

This is less "troubleshooting" and more a how-to. I'm here posting the answer to a question I was asked privately, in the hope that doing so will improve the available documentation and that this answer will be helpful to others.

This how-to was developed against CAS 3.2.1.1 . Casual examination suggests this how-to is applicable to CAS 3.3 also and it is likely it will remain relevant for future releases.

CAS ticket timeouts are configured in ticketExpirationPolicies.xml . In CAS 3.2.1.1 source this lives at

/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml

This configuration file is deployed into

TOMCAT/webapps/cas/WEB-INF/spring-configuration/ticketExpirationPolicies.xml

This file configures two policies. Relevant for configuring single sign on session timeouts is configuration of ticket granting ticket expiration.

By default these tickets are configured to expire after 7,200,000 milliseconds == 7,200 seconds == 2 hours.

ticketExpirationPolicies.xml default configuration of ticket granting ticket timeout of 2 hours
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
<!-- This argument is the time a ticket can exist before its considered expired. -->
<constructor-arg
index="0"
value="7200000" />
</bean>

Suppose you'd prefer ticket granting tickets remain valid for 45 minutes == 2,700 seconds == 2,700,000 milliseonds before expiring. Here's how you'd configure that:

ticketExpirationPolicies.xml changed configuration of ticket granting ticket timeout to 45 minutes
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
<!-- This argument is the time a ticket can exist before its considered expired. -->
<constructor-arg
index="0"
value="2700000" />
</bean>

This timeout is independent of the CAS web application session timeout, which is only important for keeping user place in the login workflow. That timeout is configured in the CAS webapp web.xml and defaults configured to five minutes:

Default configuration in CAS server web.xml of five minute application session timeout
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
...
<session-config>
<!-- Default to 5 minute session timeouts -->
<session-timeout>5</session-timeout>
</session-config>
...
</web-app>

Changing this value will change the interval of time in which CAS remembers the user's place in the login workflow, e.g. if the user takes some time after first rendering the CAS login screen to read his password from the sticky note on his monitor and type it into the CAS login form. Changing this value will not change the interval of time in which a CAS ticket granting cookie (bearing a ticket granting ticket) is valid.

Changing this session timeout interval is typically only interesting if the login workflow is also enhanced to include more interesting and time-consuming steps or if user-facing functionality other than the login workflow is being provided via the CAS web application. For instance, a session timeout of five minutes while interacting with administrative panes of the optional services registry management application in CAS might well be annoying and worth increasing to make that application more usable.

  • No labels