Summary
Tickets (TGTs) and credentials are cached for ever, or at least much longer than desired for frequent callers.
Actual Behavior
When setting up the CasAuthenticationProvider in spring-security-cas, it is possible to inject a ticketCache. The ticketCache is used to avoid validating the ticket/fetching credentials against the cas-server on every user request. The cache may be a SpringCacheBasedTicketCache, which in turn implements the StatelessTicketCache interface. When configuring the injected cache with an expireAfterWrite policy, we expect the tickets to be cached for a finite period of time.
However, the following code in CasAuthenticationProvider.java causes a cached entry to be rewritten to the cache on every request, hence nulling out any expireAfterWrite policy.
```java
if (stateless) {
    // Try to obtain from cache
    result = statelessTicketCache.getByTicketId(authentication.getCredentials()
            .toString());
}
if (result == null) {
    result = this.authenticateNow(authentication);
    result.setDetails(authentication.getDetails());
}
if (stateless) {
    // Add to cache
    statelessTicketCache.putTicketInCache(result);
}
```
Should not the putTicketInCache(...) happen inside the scope of if (result == null)? Otherwise, the expireAfterWrite policy will only have the same effect as expireAfterAccess.
Expected Behavior
We expect the cache put to happen only when the entry was not already present in the cache and had to be fetched from the cas-server.
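To make the difference concrete, here is an added simulation (not code from spring-security) of the stateless path with a minimal expireAfterWrite cache; the class and method names below are constructed stand-ins, with putOnlyOnMiss=false reproducing the reported behaviour and true the proposed fix.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

public class TicketCacheWriteDemo {
    /** Constructed stand-in for a StatelessTicketCache backed by an expireAfterWrite cache. */
    static class ExpireAfterWriteCache {
        private final Map<String, String> entries = new HashMap<>();
        private final Map<String, Instant> writtenAt = new HashMap<>();
        private final Duration ttl;
        ExpireAfterWriteCache(Duration ttl) { this.ttl = ttl; }

        String getByTicketId(String ticketId, Instant now) {
            Instant written = writtenAt.get(ticketId);
            if (written == null) return null;
            if (!now.isBefore(written.plus(ttl))) { // TTL elapsed since last write: evict on read
                entries.remove(ticketId); writtenAt.remove(ticketId);
                return null;
            }
            return entries.get(ticketId);
        }

        void putTicketInCache(String ticketId, String result, Instant now) {
            entries.put(ticketId, result);
            writtenAt.put(ticketId, now); // every put restarts the expireAfterWrite clock
        }
    }

    /** Mirrors the provider's stateless branch; putOnlyOnMiss selects current vs. proposed ordering. */
    static class Provider {
        final ExpireAfterWriteCache cache;
        final boolean putOnlyOnMiss;
        int serverValidations = 0; // round trips to the CAS server
        Provider(ExpireAfterWriteCache c, boolean putOnlyOnMiss) { cache = c; this.putOnlyOnMiss = putOnlyOnMiss; }

        String authenticate(String ticket, Instant now) {
            String result = cache.getByTicketId(ticket, now);
            boolean miss = (result == null);
            if (miss) { serverValidations++; result = "auth-for-" + ticket; } // stands in for authenticateNow
            if (miss || !putOnlyOnMiss) cache.putTicketInCache(ticket, result, now);
            return result;
        }
    }

    public static void main(String[] args) {
        Instant start = Instant.parse("2020-01-01T00:00:00Z"); // constructed timeline: a call every 30 s
        for (boolean fixed : new boolean[] {false, true}) {
            Provider p = new Provider(new ExpireAfterWriteCache(Duration.ofMinutes(2)), fixed);
            for (int i = 0; i < 10; i++) p.authenticate("ST-constructed-1", start.plusSeconds(30L * i));
            System.out.println((fixed ? "put on miss only" : "put on every request") + ": validations = " + p.serverValidations);
        }
    }
}
```

With a 2 minute TTL and a caller every 30 seconds, the current ordering validates against the server once and never again, while the proposed ordering re-validates each time the TTL elapses.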
Configuration
Configuration not relevant
Version
4.1.3.RELEASE
Sample
Not available