WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. To view the documentation for a specific Apereo CAS server release, please choose an appropriate version. The release schedule is also available here.
Ticket Expiration Policies
CAS supports a pluggable and extensible policy framework to control the expiration policy of ticket-granting
tickets (TGT
), proxy-granting tickets (PGT
), service tickets (ST
) and proxy tickets (PT
).
There are many other types of artifacts in CAS that take the base form of a ticket abstraction. Each protocol or feature may introduce a new ticket type that carries its own expiration policy and you will need to consult the documentation for that feature or behavior to realize how expiration policies for its own ticket types may be tuned and controlled.
Ticket-Granting Ticket Policies
TGT
expiration policy governs the time span during which an authenticated user may grant STs with a valid (non-expired) TGT
without
having to re-authenticate. An attempt to grant an ST with an expired TGT
would require the user to re-authenticate
to obtain a new (valid) TGT
.
Default
This is the default option, which provides a hard-time out as well as a sliding window.
Ticket expiration policies are activated in the following conditions:
- If the timeout values for the default policy are all set to zero or less, CAS shall ensure tickets are never considered expired.
- Disabling a policy requires that all its timeout settings be set to a value equal or less than zero.
- If not ticket expiration policy is determined, CAS shall ensure the ticket are always considered expired.
You are encouraged to only keep and maintain properties and settings needed for a particular policy. It is UNNECESSARY to grab a copy of all fields or keeping a copy as a reference while leaving them commented out. This strategy would ultimately lead to poor upgrades increasing chances of breaking changes and a messy deployment at that.
Ticket expiration policies are activated in the following order:
- Tickets are never expired, if and when settings for the default policy are configured accordingly.
- Timeout
- Default
- Throttled Timeout
- Hard Timeout
- Tickets always expire immediately.
The following settings and properties are available from the CAS configuration catalog: