Ticket Expiration Policy

New CAS documentation site

CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.

CAS supports a pluggable and extensible policy framework to control the expiration policy of ticket-granting tickets (TGT) and service tickets (ST).

Both TGT and ST expiration policy beans are defined in the /cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml file in the CAS distribution.

Policies Are Not Ticket-Specific

Ticket expiration policies are not specific to a particular kind of ticket, so it is possible to apply a policy intended for service tickets to ticket-granting tickets, although it may make little sense to do so.

Ticket-Granting Ticket Policies

TGT expiration policy governs the time span during which an authenticated user may grant STs with a valid (non-expired) TGT without having to reauthenticate. An attempt to grant a ST with an expired TGT would require the user to reauthenticate to obtain a new (valid) TGT.

TimeoutExpirationPolicy

The default expiration policy applied to TGTs provides for most-recently-used expiration policy, similar to a Web server session timeout. For example, a 2-hour time span with this policy in effect would require a TGT to be used every 2 hours or less, otherwise it would be marked as expired.

Constructor Parameters

  1. timeToKillInMilliSeconds - Maximum amount of inactivity in ms from the last time the ticket was used beyond which it is considered expired.

Usage Example

<!-- TGT expires after 2 hours in inactivity -->
<bean id="grantingTicketExpirationPolicy"
  class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
  <constructor-arg
    index="0"
    value="7200000" />
</bean>

HardTimeoutExpirationPolicy

The hard timeout policy provides for finite ticket lifetime as measured from the time of creation. For example, a 4-hour time span for this policy means that a ticket created at 1PM may be used up until 5PM; subsequent attempts to use it will mark it expired and the user will be forced to reauthenticate.

Constructor Parameters

  1. timeToKillInMilliSeconds - Total ticket lifetime in ms.

Usage Example

<!-- TGT expires 4 hours after creation -->
<bean id="grantingTicketExpirationPolicy"
  class="org.jasig.cas.ticket.support.HardTimeoutExpirationPolicy">
  <constructor-arg
    index="0"
    value="14400000" />
</bean>

ThrottledUseAndTimeoutExpirationPolicy

The throttled timeout policy extends the TimeoutExpirationPolicy with the concept of throttling where a ticket may be used at most every N seconds. This policy was designed to thwart denial of service conditions where a rogue or misconfigured client attempts to consume CAS server resources by requesting high volumes of service tickets in a short time.

Ticket Properties

  1. timeToKillInMilliSeconds - Maximum amount of inactivity in ms from the last time the ticket was used beyond which it is considered expired.
  2. timeInBetweenUsesInMilliSeconds - The minimum amount of time permitted between consecutive uses of a ticket.

Usage Example

<!--
TGT expires under one of two conditions:
 * More than 3 hours of inactivity
 * Used consecutively where less than 5 seconds has elapsed from the first use
-->
<bean id="grantingTicketExpirationPolicy"
  class="org.jasig.cas.ticket.support.ThrottledUseAndTimeoutExpirationPolicy"
  p:timeToKillInMilliSeconds="10800000"
  p:timeInBetweenUsesInMilliSeconds="5000"
/>

NeverExpiresExpirationPolicy

The never expires policy allows tickets to exist indefinitely.

Usage Warning

Use of this policy has significant consequences to overall security policy and should be enabled only after thorough review by a qualified security team. There are also implications to server resource usage for the ticket registries backed by filesystem storage, e.g. JpaTicketRegistry and BerkleyDB. Since disk storage for tickets can never be reclaimed for those registries with this policy in effect, use of this policy with those ticket registry implementations is strongly discouraged.

Usage Example

<!-- TGT never expires -->
<bean id="grantingTicketExpirationPolicy"
  class="org.jasig.cas.ticket.support.NeverExpiresExpirationPolicy" />

RememberMeDelegatingExpirationPolicy

This policy implements the "Remember Me" feature for long-term ticket-granting tickets. Use of this policy is slightly more involved and is described fully on the Remember Me page.

Service Ticket Policies

MultiTimeUseOrTimeoutExpirationPolicy

This is the default policy applied to service tickets where a ticket is expired after a fixed number of uses or after a maximum period of inactivity elapses.

Constructor Parameters

  1. numberOfUses - Maximum number of times the ticket can be used.
  2. timeToKillInMilliSeconds - Maximum amount of inactivity in ms from the last time the ticket was used beyond which it is considered expired.

Usage Example

<!-- ST may be used exactly once and must be validated within 5 minutes. -->
<bean id="serviceTicketExpirationPolicy"
  class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
  <constructor-arg
    index="0"
    value="1" />
  <constructor-arg
    index="1"
    value="300000" />
</bean>