ProxyTicketReceptor

How does ProxyTicketReceptor work? Does it leak memory?

A: It's probably worth describing this in a bit of detail. In terms strictly of CAS's protocols, the PGT IOU is used exactly once by a "proxy" to retrieve a "proxy granting ticket" (PGT). As far as the CAS server is concerned, the IOU has only this function (which in turn serves to authenticate the proxy).

In the ProxyTicketReceptor code — one mechanism provided by the client library to make it easier to set up a CAS proxy — the IOU is used also as a convenient handle that lets code calling ProxyTicketReceptor.getProxyTicket() retrieve a proxy ticket. In other words, you need some way to identify the PGT that you want to use when you call getProxyTicket(), and using the PGT itself might be less secure in a portal environment in which you don't trust individual channels (i.e., callers of getProxyTicket()) with sensitive information (such as a plaintext PGT). The ProxyTicketReceptor could easily generate an arbitrary handle and make sure clients get this handle, but the IOU happened to serve this function conveniently, so there was no reason to bother with a separate handle.

Thus, while the IOU is "used" only once as far as CAS is concerned, it continues to be used by ProxyTicketReceptor and the code that calls it. So an arbitrary fixed timeout wouldn't be appropriate; the PGT might outlast this timeout. However, since the PGT expires after a period of disuse, an inactivity timeout in ProxyTicketReceptor might be appropriate, as might the weak reference you suggest. (I haven't thought the latter through — perhaps uPortal persists data in ways that would cause a weak reference not to work as you expect — but it makes sense on the surface, for you only want to keep the data in the ProxyTicketReceptor's Map as long as someone else has a reference to it. But, for instance, in a distributed environment involving multiple JVMs, an inactivity timeout might be easier.)

Another alternative would be to add a clean-up method to ProxyTicketReceptor called by code that invalidates a user's session or otherwise logs a user out.

Note that the data in the Map is so small, in practical terms, that it's unlikely ever to grow to a point that's problematic.

Originally answered by: Shawn Bayern on the CAS mailing list.
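
The inactivity timeout and the logout clean-up method suggested in the answer, sketched as an added example; this is not code from the CAS client library or from the original answer. The class PgtStore and all of its method names are hypothetical, and the handles and timestamps in main() are constructed.

```java
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical PGT IOU -> PGT map with an inactivity timeout (not the client library's code).
public class PgtStore {
    private static final class Entry {
        final String pgtId;
        volatile long lastUsed;
        Entry(String pgtId, long now) { this.pgtId = pgtId; this.lastUsed = now; }
    }
    private final Map<String, Entry> byIou = new ConcurrentHashMap<>();
    private final long idleTimeoutMillis;

    public PgtStore(long idleTimeoutMillis) { this.idleTimeoutMillis = idleTimeoutMillis; }

    // Called when the proxy callback receives the (PGT IOU, PGT) pair from CAS.
    public void put(String pgtIou, String pgtId, long now) { byIou.put(pgtIou, new Entry(pgtId, now)); }

    // Receptor-internal: callers hold only the IOU. Each use restarts the idle clock.
    String lookup(String pgtIou, long now) {
        Entry e = byIou.get(pgtIou);
        if (e == null || now - e.lastUsed > idleTimeoutMillis) {
            if (e != null) byIou.remove(pgtIou, e);   // expired: drop it on the way out
            return null;
        }
        e.lastUsed = now;
        return e.pgtId;
    }

    // Clean-up hook for code that logs a user out or invalidates the session.
    public boolean remove(String pgtIou) { return byIou.remove(pgtIou) != null; }

    // Periodic sweep for handles that are never looked up again.
    public int evictIdle(long now) {
        int removed = 0;
        for (Iterator<Entry> it = byIou.values().iterator(); it.hasNext();) {
            if (now - it.next().lastUsed > idleTimeoutMillis) { it.remove(); removed++; }
        }
        return removed;
    }

    public static void main(String[] args) {   // constructed handles and timestamps
        PgtStore store = new PgtStore(1000);
        store.put("PGTIOU-constructed-1", "PGT-constructed-1", 0);
        System.out.println(store.lookup("PGTIOU-constructed-1", 900));  // used inside the window
        System.out.println(store.lookup("PGTIOU-constructed-1", 3000)); // idle past the timeout
    }
}
```

Because lookup() restarts the clock on every use, an entry is dropped only after a period of disuse, which matches the answer's point that a fixed timeout could expire a PGT that is still in use.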

  1. Jan 24, 2006

    wangjun says:

    My problem is:
        On the client side, a filter checks JSP A to determine whether the user has logged in to the system; if not logged in, it dispatches to another JSP, B. JSP B is CAS-protected, and if the user has not logged in, he is asked to log in at the CAS server, and when he has logged in with the correct username and password, CAS returns to JSP B. But I want it to return to JSP A, not JSP B. How can I implement this function?

    I use ProxyTicketReceptor in cas 2 client and server. It reports "javax.servlet.ServletException: Unable to validate ProxyTicketValidator".

    The error message is:
    严重: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/proxyValidate] proxyCallbackUrl=[https://localhost:8080/cas/CasProxyServlet] ticket=[ST-2-d2dihnfFTiIxcAXSXvUj] service=[http%3A%2F%2Flocalhost%3A8080%2Fcas%2F] renew=false]]]
    2006-1-24 15:17:44 edu.yale.its.tp.cas.client.filter.CASFilter doFilter
    严重: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/proxyValidate] proxyCallbackUrl=[https://localhost:8080/cas/CasProxyServlet] ticket=[ST-2-d2dihnfFTiIxcAXSXvUj] service=[http%3A%2F%2Flocalhost%3A8080%2Fcas%2F] renew=false]]]

    I have configured SSL in Tomcat and I have no problem if I don't use edu.yale.its.tp.cas.client.filter.proxyCallbackUrl.
    What's wrong? The configuration in web.xml is:

     <filter>
      <filter-name>CAS Filter</filter-name>
      <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
      <init-param>
       <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
       <param-value>https://localhost:8443/login</param-value>
      </init-param>
      <init-param>
       <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
       <param-value>https://localhost:8443/proxyValidate</param-value>
      </init-param>
      <init-param>
       <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
       <param-value>localhost:8080</param-value>
      </init-param>
      <init-param>
       <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
       <param-value>false</param-value>
      </init-param>
      <init-param>
       <param-name>edu.yale.its.tp.cas.client.filter.gateway</param-name>
       <param-value>false</param-value>
      </init-param>
      <init-param>
       <param-name>edu.yale.its.tp.cas.client.filter.proxyCallbackUrl</param-name>
       <param-value>https://localhost:8080/cas/CasProxyServlet</param-value>
      </init-param>
     </filter>
     <filter-mapping>
         <filter-name>CAS Filter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
     <servlet>
      <servlet-name>ProxyTicketReceptor</servlet-name>
      <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class>
      <init-param>
       <param-name>edu.yale.its.tp.cas.proxyUrl</param-name>
       <param-value>https://localhost:8080/cas/a.jsp</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
     </servlet>
     <servlet-mapping>
      <servlet-name>ProxyTicketReceptor</servlet-name>
      <url-pattern>/CasProxyServlet</url-pattern>
     </servlet-mapping>