Expiration Policies define how long a session or access request will last. In general, the ones provided by CAS do not need to be changed, other than possibly, the timeout time. Therefore, while this is identified as an extension point, this is one of the last ones you should be modifying or creating, if ever.
Expiration.java
/** * Copyright (C) 2009 Jasig, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.jasig.cas.server.session; import org.jasig.cas.server.authentication.Authentication; /** * Defines a policy for determining whether an object is expired or not. Assumes that these objects * hold some form of {@link org.jasig.cas.server.session.State}. * * @author Scott Battaglia * @version $Revision$ $Date$ * @since 4.0.0 * */ public interface ExpirationPolicy { /** * Determines whether the object is valid or not. * * @param state the state to check. * @param authentication the root authentication object, if it exists. Implementations should check if this is null * if they plan on using it. * @return true if its expired, false otherwise. */ boolean isExpired(State state, Authentication authentication); }
Expiration policies base their decisions on the current state of the ticket as well as possibly the original authentication was. I.e. if it was a request for a longer term session and it had a strong password used.
Expiration policies for protocols are generally not changeable, as they are often defined by the protocol definition. Sessions generally have it configured with the factory that creates sessions.