Cas and time synchronization


Cas and time synchronization

Fabio Canepa
Hi,
I've spent two days because one client application that uses the Java client had the following error:
2009-08-13 16:30:58,313 DEBUG [org.jasig.cas.client.validation.Saml11TicketValidator] - <skipping assertion that's not yet valid...>
2009-08-13 16:30:58,316 WARN [org.jasig.cas.client.validation.Saml11TicketValidationFilter] - <org.jasig.cas.client.validation.TicketValidationException: No valid assertions from the SAML response found.>
org.jasig.cas.client.validation.TicketValidationException: No valid assertions from the SAML response found.
        at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:95)
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:188)
        at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:121)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:619)

Then, after a lot of tests, I found that the error was due to unsynchronized time between the client machine and the server machine.
Reading the Saml11TicketValidator.java source code, I see that the tolerance is just one second. Is it safe to change this class to have a tolerance of one minute?

Thanx

Re: Cas and time synchronization

Marvin Addison
> I've spent two days because one client application that uses the Java client had
> the following error:
> 2009-08-13 16:30:58,313 DEBUG
> [org.jasig.cas.client.validation.Saml11TicketValidator] - <skipping
> assertion that's not yet valid...>
> Then, after a lot of tests, I found that the error was due to unsynchronized time
> between the client machine and the server machine.
> Reading the Saml11TicketValidator.java source code, I see that the tolerance is
> just one second. Is it safe to change this class to have a tolerance of one
> minute?

We have found in our testing of the SAML ticket validator that the
default 1s is too strict for our environment in many cases.  We
typically increase to whatever is needed to account for reasonable
clock drift.  I would recommend using the smallest value needed to get
past that error.  I'm curious -- are you using NTP for time
synchronization on both the CAS client and server?  If not, you
probably should be for a number of reasons.  Even with NTP sync you
may need to increase the tolerance of the SAML validator.

M

--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: Cas and time synchronization

Scott Battaglia-2
Marvin,

What have you found to be a reasonable default? I think it would be good if our default was reasonable ;-)

Cheers,
Scott


On Fri, Aug 14, 2009 at 9:21 AM, Marvin Addison <[hidden email]> wrote:
> I've spent two days because one client application that uses the Java client had
> the following error:
> 2009-08-13 16:30:58,313 DEBUG
> [org.jasig.cas.client.validation.Saml11TicketValidator] - <skipping
> assertion that's not yet valid...>
> Then, after a lot of tests, I found that the error was due to unsynchronized time
> between the client machine and the server machine.
> Reading the Saml11TicketValidator.java source code, I see that the tolerance is
> just one second. Is it safe to change this class to have a tolerance of one
> minute?

We have found in our testing of the SAML ticket validator that the
default 1s is too strict for our environment in many cases.  We
typically increase to whatever is needed to account for reasonable
clock drift.  I would recommend using the smallest value needed to get
past that error.  I'm curious -- are you using NTP for time
synchronization on both the CAS client and server?  If not, you
probably should be for a number of reasons.  Even with NTP sync you
may need to increase the tolerance of the SAML validator.

M


Re: Cas and time synchronization

Fabio Canepa
In reply to this post by Marvin Addison

Marvin Addison wrote:
> We have found in our testing of the SAML ticket validator that the
> default 1s is too strict for our environment in many cases.  We
> typically increase to whatever is needed to account for reasonable
> clock drift.  I would recommend using the smallest value needed to get
> past that error.  I'm curious -- are you using NTP for time
> synchronization on both the CAS client and server?  If not, you
> probably should be for a number of reasons.  Even with NTP sync you
> may need to increase the tolerance of the SAML validator.

Yes, in production we will use NTP, but in our development environment we didn't have access to an NTP server. Furthermore, we are using virtual machines, and usually the clock on a VM is very unstable.
Thanx.

Re: Cas and time synchronization

Marvin Addison
In reply to this post by Scott Battaglia-2
> What have you found to be a reasonable default? I think it would be good
> if our default was reasonable ;-)

I _almost_ suggested changing the default, but didn't mention it
because I don't have enough data points yet to know whether it's a
problem of client misconfiguration (NTP config) or something more
general.  Our testing of the SAML validator has largely been on test
machines, including developer workstations, where NTP hasn't been
rigorously configured.  We should have more data in the near future
with our production deployment of CAS 3.3.3 in Sept, after which time
many clients will likely take advantage of SAML and attribute release.
If we notice a more pervasive problem here at Tech, or this issue
becomes more prevalent on cas-user, then we should likely change the
default.  Until then, I would recommend we keep as-is.

M



Re: Cas and time synchronization

Fabio Canepa
In reply to this post by Scott Battaglia-2
In my opinion 1 minute would be reasonable, but one second is definitely too low.
It would also be good if tolerance could be configured without recompiling the class.

Thanx!
scott_battaglia wrote:
> Marvin,
>
> What have you found to be a reasonable default? I think it would be good
> if our default was reasonable ;-)

Re: Cas and time synchronization

Marvin Addison
> It would also be good if tolerance could be configured without recompiling
> the class.

That's totally unnecessary.  The filter takes a tolerance init param
where you specify the tolerance in ms:

<init-param>
  <param-name>tolerance</param-name>
  <param-value>60000</param-value>
</init-param>

M

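To make the tolerance discussion concrete, here is an added Python model of the two-sided validity check behind the "skipping assertion that's not yet valid..." message (it is an illustration written for this thread, not the CAS client's own code). It assumes the validator compares the client clock, widened by the tolerance on both sides, against the assertion's NotBefore and NotOnOrAfter; the times and the 5 s client lag are constructed.

```python
"""Model of a SAML 1.1 assertion time-window check with a clock-skew tolerance.
Added illustration; not the CAS Java client's source. Assumption: the check
is 'client clock + tolerance >= NotBefore' and 'NotOnOrAfter > client clock
- tolerance', which is the behaviour the thread's log message suggests."""
from datetime import datetime, timedelta, timezone

DEFAULT_TOLERANCE_MS = 1000  # the 1 s default the thread calls too strict


def assertion_is_valid(not_before, not_on_or_after, client_now,
                       tolerance_ms=DEFAULT_TOLERANCE_MS):
    """Return (ok, reason) for one assertion as seen from the client's clock."""
    tol = timedelta(milliseconds=tolerance_ms)
    if client_now + tol < not_before:
        return False, "not yet valid"      # client clock lags the server
    if not_on_or_after <= client_now - tol:
        return False, "expired"            # client clock runs ahead
    return True, "ok"


def smallest_passing_tolerance_ms(not_before, not_on_or_after, client_now,
                                  candidates_ms):
    """Marvin's advice: use the smallest tolerance that gets past the error.
    A larger window also widens the time in which a captured ticket could be
    replayed, so this returns the first candidate (ascending) that passes,
    or None if none does."""
    for t in sorted(candidates_ms):
        if assertion_is_valid(not_before, not_on_or_after, client_now, t)[0]:
            return t
    return None


# Constructed scenario: the server issues an assertion valid for 30 s from
# its own "now"; the client's clock is 5 s behind the server's.
SERVER_NOW = datetime(2009, 8, 13, 16, 30, 58, tzinfo=timezone.utc)
NOT_BEFORE = SERVER_NOW
NOT_ON_OR_AFTER = SERVER_NOW + timedelta(seconds=30)
CLIENT_NOW = SERVER_NOW - timedelta(seconds=5)

if __name__ == "__main__":
    for tol in (1000, 5000, 60000):
        print(tol, assertion_is_valid(NOT_BEFORE, NOT_ON_OR_AFTER, CLIENT_NOW, tol))
    print(smallest_passing_tolerance_ms(NOT_BEFORE, NOT_ON_OR_AFTER, CLIENT_NOW,
                                        [1000, 2000, 5000, 10000, 60000]))
```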

Re: Cas and time synchronization

killbulle
I also encounter the same bug, but in a very performant network: with a very little desync (1s) between client and server,
the ticket can arrive before it's valid.
regards

On Fri, Aug 14, 2009 at 3:41 PM, Marvin Addison <[hidden email]> wrote:
> It would also be good if tolerance could be configured without recompiling
> the class.

That's totally unnecessary.  The filter takes a tolerance init param
where you specify the tolerance in ms:

<init-param>
 <param-name>tolerance</param-name>
 <param-value>60000</param-value>
</init-param>

M


Re: Cas and time synchronization

Fabio Canepa
In reply to this post by Marvin Addison

Marvin Addison wrote:
> That's totally unnecessary.  The filter takes a tolerance init param
> where you specify the tolerance in ms:
>
> <init-param>
>   <param-name>tolerance</param-name>
>   <param-value>60000</param-value>
> </init-param>
Great! I didn't know about this configuration...
Thanx

Re: Cas and time synchronization

Scott Battaglia-2
You can actually find all of the possible configuration options here:
http://www.ja-sig.org/wiki/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+in+the+web.xml

Cheers,
Scott


On Sat, Aug 15, 2009 at 3:26 AM, nothingman <[hidden email]> wrote:



Marvin Addison wrote:
>
> That's totally unnecessary.  The filter takes a tolerance init param
> where you specify the tolerance in ms:
>
> <init-param>
>   <param-name>tolerance</param-name>
>   <param-value>60000</param-value>
> </init-param>
>
Great! I didn't know about this configuration...
Thanx


Re: Cas and time synchronization

ursulatabb
In reply to this post by Fabio Canepa
@Marvin -- I have tried your solution, but I am not able to figure out the correct tolerance value. I cannot access the CAS server either, as only configuration details were provided to me. The solutions provided elsewhere are the same as what you have mentioned. Is there another way to approach this issue?