I am facing troubles using CAS JASIG 3.5.2.1. I am using it for a long time, and this seems to be a new problem since my last deployment.
First time I log in, everything is alright:
- TICKET_GRANTING_TICKET_CREATED
- SERVICE_TICKET_CREATED
After a while, ticket cleanup removes the TGT, which is correct:
- Ticket is expired due to the time since last use being greater than the timeToKillInMilliseconds
- Removing ticket [TGT-...
So when I go to my application, I am redirected on the login page.
Even if my browser still has the cookie with TGT information and sends it to CAS, it is refused, as it has been cleaned up, which is normal:
- Attempting to retrieve ticket [TGT-402...
- SERVICE_TICKET_NOT_CREATED
2019-03-07 09:57:58,929 DEBUG [org.springframework.webflow.mvc.view.AbstractMvcView] - <Rendering MVC [org.springframework.web.servlet.view.JstlView: name 'casLoginView'; URL [/WEB-INF/view/jsp/default/ui/casLoginView.jsp]] with model map [{flowRequestContext=[RequestControlContextImpl@6d171024 externalContext = org.springframework.webflow.mvc.servlet.MvcExternalContext@3dc20cd8, currentEvent = generated, requestScope = map[[empty]], attributes = map[[empty]], messageContext = [DefaultMessageContext@3520ba5b sourceMessages = map[[null] -> list[[empty]]]], flowExecution = [FlowExecutionImpl@524e370 flow = 'login', flowSessions = list[[FlowSessionImpl@38cfd0b3 flow = 'login', state = 'viewLoginForm', scope = map['loginTicket' -> 'LT-1505-Dnd7hs2pezvt51fj79MQnLxHfoZzew', 'service' -> http://preprod.enpc-center.fr/login, 'credentials' -> [username: null], 'warnCookieValue' -> false, 'ticketGrantingTicketId' -> 'TGT-402-ZxdMougCuYRVhFskdVBSiF7tqepwvRFx3FNtwR6Ktk3KQchM5L-preprod.sso.enpc-center.fr', 'viewScope' -> map['commandName' -> 'credentials']]]]]], flashScope=map[[empty]], currentUser=null, loginTicket=LT-1505-Dnd7hs2pezvt51fj79MQnLxHfoZzew, service=http://preprod.enpc-center.fr/login, org.springframework.validation.BindingResult.credentials=org.springframework.webflow.mvc.view.BindingModel: 0 errors, commandName=credentials, credentials=[username: null], flowExecutionKey=e1s1, warnCookieValue=false, flowExecutionUrl=/cas/login?service=%5BLjava.lang.String%3B%4077aac79c, ticketGrantingTicketId=TGT-402-ZxdMougCuYRVhFskdVBSiF7tqepwvRFx3FNtwR6Ktk3KQchM5L-preprod.sso.enpc-center.fr, viewScope=map['commandName' -> 'credentials']}]>
2019-03-07 09:57:59,437 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Error getting service from flow state.>
java.lang.IllegalStateException: No active FlowSession to access; this FlowExecution has ended
Everything seems to be alright at this point.
The problem is that when I log in using credentials, the browser sends the existing TGT cookie, so CAS tries to retrieve it and redirects me again to the login page.
I have to remove the TGT cookie so I can successfully log in again.
Do you have any clue about this strange behaviour?
Thank you in advance.
This is how CAS 3.5.x operated. The software did not immediately check the validity of the TGT that was linked to the cookie, and it only did that in certain situations when it wanted to do something specific with the TGT passed by the cookie. When a TGT was removed as part of the cleanup process, in some cases CAS/browser still showed you're successfully logged in, because the software only checked to see if a cookie existed and did not verify its relationship with its TGT. The best course of action is to close your browser, and as you note, clear cookies.
Newer CAS versions have fixed this problem.
PS: You may want to consider removing the TerminateWebSessionListener or increasing its timeout value to something larger.
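As an added illustration (not part of the original answer, and not copied from the CAS project), this is the shape of the listener wiring in a CAS 3.5.x cas-servlet.xml that the PS refers to. The bean id, the flow-executor id and the property name timeToDie (the number of seconds the container session is kept alive after the login flow ends) are assumptions based on my recollection of that version; check them against your own deployment's cas-servlet.xml. The fragment omits the surrounding namespace declarations of the full file.

```xml
<!-- Added illustration, not the project's own file: the TerminateWebSessionListener
     wiring in a CAS 3.5.x cas-servlet.xml. Bean/executor ids and the timeToDie
     property name are assumptions; verify them against your deployment. -->
<webflow:flow-executor id="loginFlowExecutor" flow-registry="loginFlowRegistry">
  <webflow:flow-execution-listeners>
    <!-- First option from the answer: drop this listener reference so the
         web session is no longer shortened when the login flow ends. -->
    <webflow:listener ref="terminateWebSessionListener" />
  </webflow:flow-execution-listeners>
</webflow:flow-executor>

<!-- Second option from the answer: keep the listener but raise its timeout.
     The shipped default is only a few seconds; 300 is an example value
     chosen here for illustration, not a recommendation. -->
<bean id="terminateWebSessionListener"
      class="org.jasig.cas.web.flow.TerminateWebSessionListener"
      p:timeToDie="300" />
```

Whichever option you pick, remember that the listener exists to let abandoned login sessions expire quickly; a larger value keeps each container session (and whatever state it holds) alive for longer, so size it to the time a user actually needs between the login page being rendered and the form being submitted, and confirm the change by repeating the expired-TGT scenario from the question and checking that a fresh credential login succeeds without clearing the cookie.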