This repository has been archived by the owner on Nov 3, 2017. It is now read-only.

Request Based Ticket Expiration Policy

Dmitriy Kopylenko edited this page Oct 14, 2013 · 14 revisions

Since version 1.9, ticket expiration policies can be selected dynamically and conditionally, based on attributes of the incoming request such as the remote IP address.

Configuration

Adjust the ticketExpirationPolicies.xml file to match the following:

<bean id="grantingTicketExpirationPolicy" 
      class="net.unicon.cas.addons.ticket.expiration.CompositeTicketGrantingTicketExpirationPolicy"
      p:defaultExpirationPolicy-ref="defaultGrantingTicketExpirationPolicy"
      c:evaluators-ref="mapOfEvaluators" />

<util:map id="mapOfEvaluators">
  <entry key-ref="ipAddressEvaluator">
    <ref bean="anotherGrantingTicketExpirationPolicy" />
  </entry>
</util:map>

<bean id="ipAddressEvaluator" class="net.unicon.cas.addons.ticket.expiration.IpAddressBasedExpirationPolicyEvaluator" 
       c:ipPattern="^192\."/>

<bean id="anotherGrantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
      p:maxTimeToLiveInSeconds="15000"
      p:timeToKillInSeconds="6200"/>

<bean id="defaultGrantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
      p:maxTimeToLiveInSeconds="${tgt.maxTimeToLiveInSeconds:28800}"
      p:timeToKillInSeconds="${tgt.timeToKillInSeconds:7200}"/>

The bulk of the work is done by CompositeTicketGrantingTicketExpirationPolicy, which receives a map of evaluators linked to expiration policies. Evaluators are components that decide, based on particular attributes of the request, whether the linked expiration policy is to be selected. CompositeTicketGrantingTicketExpirationPolicy enumerates this map, invoking each evaluator to examine the request. If the evaluator currently being invoked decides that the request is satisfactory, CompositeTicketGrantingTicketExpirationPolicy uses the mapped expiration policy to decide the fate of the ticket.

For instance, the above configuration indicates that if the IP address of the incoming request matches the pattern (that is, it begins with 192.), then the expiration policy defined by anotherGrantingTicketExpirationPolicy will be used. Otherwise, defaultGrantingTicketExpirationPolicy will be used.

Note: Setting the default policy is optional. If none is set, tickets will always be considered expired.

Note: You SHOULD NOT change the bean id grantingTicketExpirationPolicy, as it is expected by CAS.

Available evaluators

The following implementations are provided out of the box:

  • IpAddressBasedExpirationPolicyEvaluator

An implementation of the TicketExpirationPolicyEvaluator that is able to determine whether the remote address of the incoming request matches a particular IP pattern. The pattern may be specified as a regular expression that is compiled and run against the remote address. The value of the remote IP address may be provided via IPv6 or IPv4 syntax depending on container configuration.

Note: If you prefer to configure the pattern by IPv4 syntax only, add the -Djava.net.preferIPv4Stack=true flag to your JAVA_OPTS environment variable prior to restarting the container.

<bean id="ipAddressEvaluator" class="net.unicon.cas.addons.ticket.expiration.IpAddressBasedExpirationPolicyEvaluator" 
       c:ipPattern="^192\."/>
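
The following stand-alone model of the selection logic is an added example, not code from cas-addons. It shows that ^192\. also selects addresses outside 192.168.0.0/16 and never matches an address reported in IPv6 syntax. All class and method names are hypothetical, and it assumes the pattern is applied with find() and that the first satisfied evaluator wins.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Stand-alone model of the selection described on this page.
// It does not use the cas-addons classes; every name here is hypothetical.
public class PolicySelectionDemo {

    // Models an evaluator: true when the request's remote address qualifies.
    interface Evaluator { boolean satisfiedBy(String remoteAddr); }

    // Assumption: the pattern is applied with find(), so "^192\." only anchors the start.
    static Evaluator ipPattern(String regex) {
        Pattern p = Pattern.compile(regex);
        return addr -> p.matcher(addr).find();
    }

    // Assumption: evaluators are tried in map order and the first satisfied one wins;
    // if none is satisfied, the default policy (possibly null) is returned.
    static String select(Map<Evaluator, String> evaluators, String defaultPolicy, String remoteAddr) {
        for (Map.Entry<Evaluator, String> e : evaluators.entrySet()) {
            if (e.getKey().satisfiedBy(remoteAddr)) return e.getValue();
        }
        return defaultPolicy;
    }

    public static void main(String[] args) {
        // The pattern from the page's configuration.
        Map<Evaluator, String> page = new LinkedHashMap<>();
        page.put(ipPattern("^192\\."), "anotherGrantingTicketExpirationPolicy");

        // A tighter pattern limited to 192.168.x.x, for comparison.
        Map<Evaluator, String> tighter = new LinkedHashMap<>();
        tighter.put(ipPattern("^192\\.168\\."), "anotherGrantingTicketExpirationPolicy");

        // Constructed sample remote addresses (IPv4 and IPv6 syntax).
        String[] addrs = { "192.168.10.5", "192.0.2.44", "10.1.2.3", "0:0:0:0:0:0:0:1" };
        String dflt = "defaultGrantingTicketExpirationPolicy";
        for (String a : addrs) {
            System.out.printf("%-16s page pattern -> %-38s tighter -> %s%n",
                a, select(page, dflt, a), select(tighter, dflt, a));
        }
        // No default configured and no evaluator satisfied: nothing is selected,
        // the case in which the page says tickets are considered expired.
        System.out.println("no default, 10.1.2.3 -> " + select(page, null, "10.1.2.3"));
    }
}
```

With the page's pattern, the constructed address 192.0.2.44 receives anotherGrantingTicketExpirationPolicy just as 192.168.10.5 does, while the loopback address in IPv6 syntax falls through to the default.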

What about other use cases?

  • Implement the TicketExpirationPolicyEvaluator to write your own evaluator
  • Configure a ticket expiration policy that would be activated by the evaluator
  • Link the two together in the above map
  • ...and done!