Redis Ticket Registry

Redis integration is enabled by including the following dependency in the WAR overlay:

1
2
3
4
5
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-redis-ticket-registry</artifactId>
    <version>${cas.version}</version>
</dependency>
1
implementation "org.apereo.cas:cas-server-support-redis-ticket-registry:${project.'cas.version'}"
1
2
3
4
5
6
7
8
9
dependencyManagement {
    imports {
        mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
    }
}

dependencies {
    implementation "org.apereo.cas:cas-server-support-redis-ticket-registry"
}
1
2
3
4
5
6
7
8
9
10
dependencies {
    /*
    The following platform references should be included automatically and are listed here for reference only.
            
    implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
    implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
    */

    implementation "org.apereo.cas:cas-server-support-redis-ticket-registry"
}

This registry stores tickets in one or more Redis instances. CAS presents and uses Redis as a key/value store that accepts String keys and CAS ticket documents as values. The key is started with CAS_TICKET:.

The Redis ticket registry supports Redis Sentinel, which provides high availability for Redis. In practical terms this means that using Sentinel you can create a Redis deployment that resists without human intervention to certain kind of failures. Redis Sentinel also provides other collateral tasks such as monitoring, notifications and acts as a configuration provider for clients.

Configuration

The following settings and properties are available from the CAS configuration catalog:

The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

  • cas.ticket.registry.redis.crypto.encryption.key=
  • The encryption key. The encryption key by default and unless specified otherwise must be randomly-generated string whose length is defined by the encryption key size setting.

    org.apereo.cas.configuration.model.core.util.EncryptionRandomizedCryptoProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.crypto.signing.key=
  • The signing key is a JWT whose length is defined by the signing key size setting.

    org.apereo.cas.configuration.model.core.util.SigningJwtCryptoProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cluster.nodes[0].host=
  • Server's host address.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cluster.nodes[0].port=
  • Server's port number.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cluster.nodes[0].replica-of=
  • Set the id of the master node.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cluster.nodes[0].type=
  • Indicate the type/role of this node. Accepted values are: MASTER, REPLICA.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cluster.password=
  • The cluster connection's password.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cluster.username=
  • The cluster connection's username.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.enabled=false
  • Enable the pooling configuration.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.sentinel.master=
  • Name of Redis server.

    org.apereo.cas.configuration.model.support.redis.RedisSentinelProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.database=0
  • Database index used by the connection factory.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.enabled=true
  • Whether the module is enabled or not, defaults to true.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.host=localhost
  • Redis server host.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.password=
  • Login password of the redis server.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.port=6379
  • Redis server port.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.username=
  • Login username of the redis server.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

    The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value. In other words, you should only include this field in your configuration if you need to modify the default value or if you need to turn on the feature controlled by the setting.

  • cas.ticket.registry.redis.cache.cache-size=10000
  • This cache size specifies the maximum number of entries the cache may contain. Note that the cache may evict an entry before this limit is exceeded or temporarily exceed the threshold while evicting. As the cache size grows close to the maximum, the cache evicts entries that are less likely to be used again. For example, the cache may evict an entry because it hasn't been used recently or very often. Note: to disable the cache, you may choose a cache size of 0.

    org.apereo.cas.configuration.model.core.cache.SimpleCacheProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cache.initial-capacity=1000
  • This cache capacity sets the minimum total size for the internal data structures. Providing a large enough estimate at construction time avoids the need for expensive resizing operations later, but setting this value unnecessarily high wastes memory.

    org.apereo.cas.configuration.model.core.cache.SimpleCacheProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.crypto.alg=AES
  • The signing/encryption algorithm to use.

    org.apereo.cas.configuration.model.core.util.EncryptionRandomizedSigningJwtCryptographyProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.crypto.enabled=true
  • Whether crypto operations are enabled.

    org.apereo.cas.configuration.model.core.util.EncryptionRandomizedSigningJwtCryptographyProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.crypto.encryption.key-size=16
  • Encryption key size.

    org.apereo.cas.configuration.model.core.util.EncryptionRandomizedCryptoProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.crypto.signing.key-size=512
  • The signing key size.

    org.apereo.cas.configuration.model.core.util.SigningJwtCryptoProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cluster.adaptive-topology-refresh=false
  • Whether adaptive topology refreshing using all available refresh triggers should be used.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cluster.dynamic-refresh-sources=true
  • Whether to discover and query all cluster nodes for obtaining the cluster topology. When set to false, only the initial seed nodes are used as sources for topology discovery.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cluster.max-redirects=0
  • The max number of redirects to follow.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cluster.nodes=
  • List of nodes available in the redis cluster.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cluster.nodes[0].id=
  • Identifier of this node.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cluster.nodes[0].name=
  • Name of this node.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cluster.topology-refresh-period=
  • Enables periodic refresh of cluster topology and sets the refresh period.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.fairness=false
  • Returns whether or not the pool serves threads waiting to borrow objects fairly. True means that waiting threads are served as if waiting in a FIFO queue.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.lifo=true
  • Returns whether the pool has LIFO (last in, first out) behaviour with respect to idle objects - always returning the most recently used object from the pool, or as a FIFO (first in, first out) queue, where the pool always returns the oldest object in the idle object pool.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.max-active=8
  • Max number of connections that can be allocated by the pool at a given time. Use a negative value for no limit.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.max-idle=8
  • Max number of "idle" connections in the pool. Use a negative value to indicate an unlimited number of idle connections.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.max-wait=PT5S
  • Maximum amount of time (in milliseconds) a connection allocation should block before throwing an exception when the pool is exhausted. Use a negative value to block indefinitely.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.min-evictable-idle-time-millis=0
  • Sets the minimum amount of time an object may sit idle in the pool before it is eligible for eviction by the idle object evictor (if any - see setTimeBetweenEvictionRunsMillis(long)). When non-positive, no objects will be evicted from the pool due to idle time alone.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.min-idle=0
  • Target for the minimum number of idle connections to maintain in the pool. This setting only has an effect if it is positive.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.num-tests-per-eviction-run=0
  • Sets the maximum number of objects to examine during each run (if any) of the idle object evictor thread. When positive, the number of tests performed for a run will be the minimum of the configured value and the number of idle instances in the pool. When negative, the number of tests performed will be ceil(getNumIdle()/ abs(getNumTestsPerEvictionRun())) which means that when the value is -n roughly one nth of the idle objects will be tested per run.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.soft-min-evictable-idle-time-millis=0
  • Sets the minimum amount of time an object may sit idle in the pool before it is eligible for eviction by the idle object evictor (if any - see setTimeBetweenEvictionRunsMillis(long)), with the extra condition that at least minIdle object instances remain in the pool. This setting is overridden by getMinEvictableIdleTimeMillis() (that is, if getMinEvictableIdleTimeMillis() is positive, then getSoftMinEvictableIdleTimeMillis() is ignored).

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.test-on-borrow=false
  • Returns whether objects borrowed from the pool will be validated before being returned from the borrowObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, it will be removed from the pool and destroyed, and a new attempt will be made to borrow an object from the pool.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.test-on-create=false
  • Returns whether objects created for the pool will be validated before being returned from the borrowObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, then borrowObject() will fail.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.test-on-return=false
  • Returns whether objects borrowed from the pool will be validated when they are returned to the pool via the returnObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. Returning objects that fail validation are destroyed rather then being returned the pool.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.pool.test-while-idle=false
  • Returns whether objects sitting idle in the pool will be validated by the idle object evictor ( if any - see setTimeBetweenEvictionRunsMillis(long)). Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, it will be removed from the pool and destroyed.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.sentinel.node=
  • list of host:port pairs.

    org.apereo.cas.configuration.model.support.redis.RedisSentinelProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.sentinel.password=
  • Login password of the sentinel server.

    org.apereo.cas.configuration.model.support.redis.RedisSentinelProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.connect-timeout=PT10S
  • Connection timeout.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.enable-redis-search=true
  • Allows the register to detect the presence of Redis modules, in particular RediSearch, which allows the registry to create specific indexes and search Redis documents to look up tickets. Enabling indexing and searching capabilities may lead to significant performance improvements.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.key-certificate-chain-file=
  • May be used when making SSL connections. Sets the certificate file to use for client authentication. This is typically an X.509 certificate file (or chain file) in PEM format.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.key-file=
  • May be used when making SSL connections. Sets the key file for client authentication. The key is reloaded on each connection attempt that allows to replace certificates during runtime. This is typically a PKCS#8 private key file in PEM format.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.key-password=
  • The password of the #keyFile, or null if it's not password-protected.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.protocol-version=RESP3
  • Redis protocol version.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.queue-identifier=
  • Identifier for this CAS server node that tags the sender/receiver in the queue and avoid processing of inbound calls. If left blank, an identifier is generated automatically and kept in memory.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.read-from=
  • Setting that describes how Lettuce routes read operations to replica nodes. Note that modes referencing MASTER/SLAVE are deprecated (but still supported) in the Lettuce redis client dependency so migrate config to UPSTREAM/REPLICA. Available values are as follows:

    • UPSTREAM: Read from the current upstream node.
    • UPSTREAMPREFERRED: Read from the upstream node, but if it is unavailable, read from replica nodes.
    • MASTER: Read from the current upstream node.
    • MASTERPREFERRED: Read from the upstream node, but if it is unavailable, read from replica nodes.
    • SLAVE: Read from replica nodes.
    • SLAVEPREFERRED: Read from the replica nodes, but if none is unavailable, read from the upstream node.
    • REPLICA: Read from replica nodes.
    • REPLICAPREFERRED: Read from the replica nodes, but if none is unavailable, read from the upstream node.
    • ANY: Read from any node of the cluster.
    • ANYREPLICA: Read from any replica node of the cluster.
    • NEAREST: Read from the nearest node.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.scan-count=0
  • Redis scan count option. When and if specified, SCAN operations would be "counted" or limited by this setting. While SCAN does not provide guarantees about the number of elements returned at every iteration, it is possible to empirically adjust the behavior of SCAN using the COUNT option. Basically with COUNT the user specified the amount of work that should be done at every call in order to retrieve elements from the collection. This is just a hint for the implementation, however generally speaking this is what you could expect most of the times from the implementation.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.share-native-connections=
  • The shared native connection is never closed by Lettuce connection, therefore it is not validated by default when connections are retrieved. If this setting is true, a shared connection will be used for regular operations and a connection provider will be used to select a connection for blocking and tx operations only, which should not share a connection. If native connection sharing is disabled, new (or pooled) connections will be used for all operations. By default, multiple connections share a single thread-safe native connection. If you enable connection pooling, then native connection sharing will be disabled and the connection pool will be used for all operations. You may however explicitly control connection sharing via this setting as an override.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.start-tls=false
  • Start mutual TLS. In order to support TLS, Redis should be configured with a X.509 certificate and a private key. In addition, it is necessary to specify a CA certificate bundle file or path to be used as a trusted root when validating certificates.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.timeout=PT60S
  • Command timeout.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.uri=
  • Database URI.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.use-ssl=false
  • Whether or not to use SSL for connection factory.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.verify-peer=true
  • Control how peer verification is handled with redis connections. Peer verification is a security feature that checks if the host you're connecting to is who it says it is. This is often done by checking a digital certificate.

    org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.crypto.encryption.key=
  • The encryption key. The encryption key by default and unless specified otherwise must be randomly-generated string whose length is defined by the encryption key size setting.

    org.apereo.cas.configuration.model.core.util.EncryptionRandomizedCryptoProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.crypto.signing.key=
  • The signing key is a JWT whose length is defined by the signing key size setting.

    org.apereo.cas.configuration.model.core.util.SigningJwtCryptoProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.crypto.alg=AES
  • The signing/encryption algorithm to use.

    org.apereo.cas.configuration.model.core.util.EncryptionRandomizedSigningJwtCryptographyProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.crypto.enabled=true
  • Whether crypto operations are enabled.

    org.apereo.cas.configuration.model.core.util.EncryptionRandomizedSigningJwtCryptographyProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.crypto.encryption.key-size=16
  • Encryption key size.

    org.apereo.cas.configuration.model.core.util.EncryptionRandomizedCryptoProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.crypto.signing.key-size=512
  • The signing key size.

    org.apereo.cas.configuration.model.core.util.SigningJwtCryptoProperties.

    How can I configure this property?

    This CAS feature is able to accept signing and encryption crypto keys. In most scenarios if keys are not provided, CAS will auto-generate them. The following instructions apply if you wish to manually and beforehand create the signing and encryption keys.

    Note that if you are asked to create a JWK of a certain size for the key, you are to use the following set of commands to generate the token:

    1
    2
    
    wget https://raw.githubusercontent.com/apereo/cas/master/etc/jwk-gen.jar
    java -jar jwk-gen.jar -t oct -s [size]
    

    The outcome would be similar to:

    1
    2
    3
    4
    5
    
    {
      "kty": "oct",
      "kid": "...",
      "k": "..."
    }
    

    The generated value for k needs to be assigned to the relevant CAS settings. Note that keys generated via the above algorithm are processed by CAS using the Advanced Encryption Standard (AES) algorithm which is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology.


    Configuration Metadata

    The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.

    Be Selective

    This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.

    YAGNI

    Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.

    Naming Convention

    Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc.

    :information_source: Note

    When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value. The only possible exception to this rule is when naming actuator endpoints; The name of the actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.

    Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the way you intend.

    Validation

    Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.

    Indexed Settings

    CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be incremented by the adopter to allow for distinct multiple configuration blocks.

    For better performance, it’s best for the Redis server deployment to turn up and enable RediSearch. RediSearch is a Redis module that enables querying, secondary indexing, and full-text search for Redis. These features allow CAS to build particular indexes for ticket documents for faster querying and search operations. In certain cases, this would significantly improve the performance of lookup operations.

    Caching & Messaging

    The Redis ticket registry layers an in-memory cache on top of Redis to assist with performance, particularly when it comes to fetching ticket objects from Redis using SCAN or KEYS operations that execute pattern matching. This cache is specific and isolated to the CAS server node’s memory, and is able to clean up after itself with a dedicated expiration policy that is constructed off of the ticket’s expiration policy. Each cache inside an individual CAS server node will attempt to synchronize ticket changes and updates with other CAS server nodes via a message-based mechanism backed by Redis itself. Note that you can always entirely disable the caching mechanism by forcing its maximum capacity to be at zero via dedicated CAS settings.

    The following settings and properties are available from the CAS configuration catalog:

    The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

    The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value. In other words, you should only include this field in your configuration if you need to modify the default value or if you need to turn on the feature controlled by the setting.

  • cas.ticket.registry.redis.cache.cache-size=10000
  • This cache size specifies the maximum number of entries the cache may contain. Note that the cache may evict an entry before this limit is exceeded or temporarily exceed the threshold while evicting. As the cache size grows close to the maximum, the cache evicts entries that are less likely to be used again. For example, the cache may evict an entry because it hasn't been used recently or very often. Note: to disable the cache, you may choose a cache size of 0.

    org.apereo.cas.configuration.model.core.cache.SimpleCacheProperties.

    How can I configure this property?

  • cas.ticket.registry.redis.cache.initial-capacity=1000
  • This cache capacity sets the minimum total size for the internal data structures. Providing a large enough estimate at construction time avoids the need for expensive resizing operations later, but setting this value unnecessarily high wastes memory.

    org.apereo.cas.configuration.model.core.cache.SimpleCacheProperties.

    How can I configure this property?

    Configuration Metadata

    The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.

    Be Selective

    This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.

    YAGNI

    Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.

    Naming Convention

    Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc.

    :information_source: Note

    When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value. The only possible exception to this rule is when naming actuator endpoints; The name of the actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.

    Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the way you intend.

    Validation

    Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.

    Indexed Settings

    CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be incremented by the adopter to allow for distinct multiple configuration blocks.

    Actuator Endpoints

    The following endpoints are provided by CAS:

     Invalidate and remove the provided ticket from the Redis first-level in-memory CAS cache. The ticket entity is not removed from the Redis instance itself. Invalidating the ticket entity will force CAS to re-fetch the ticket from Redis and ignore/discard its own cached copy, if any.

     Fetch the ticket entity from the Redis first-level in-memory CAS cache.


    Eviction Policy

    Redis manages the internal eviction policy of cached objects via its time-alive settings. The timeout is the ticket’s timeToLive value. So you need to ensure the cache is alive long enough to support the individual expiration policy of tickets, and let CAS clean the tickets as part of its own cleaner if necessary.

    Ticket Registry Locking

    This ticket registry implementation automatically supports distributed locking. The schemas and structures that track locking operations should be automatically created by CAS using Spring Integration Redis support.