Ticket Stores

Ticket stores in txcas are plugins used to keep track of the various tickets used by the CAS protocol. Ticket stores generate tickets on request. A ticket store must track how long a ticket is valid and expire it appropriately. A ticket store is also responsible for validating tickets, and making Single Log Out (SLO) callbacks to services.

A ticket_store is enabled by setting the ticket_store option of the PLUGINS section in the main configuration file. The ticket_store options included in txcas are:

  • memory_ticket_store: This ticket store manages tickets entirely in the memory allocated to the txcas process. It has the advantage of being quite fast when it comes to ticket creation, modification, or expiration, since there is no network latency. However, this ticket store is not persistent: if the process is stopped and restarted, all tickets that were previously in the ticket store are lost. Also, where CAS servers span multiple nodes, this type of ticket store cannot be shared across process or server boundaries.

  • couchdb_ticket_store: This ticket store manages tickets in an external CouchDB database. It may have network latency issues that are not present in an in-memory ticket store. However, tickets stored “in the couch” are persistent. Because the ticket storage is external, tickets can be shared across multiple nodes. Also, CouchDB’s master-master replication capabilities make this storage worthy of consideration for high availability scenarios. Projects like CouchDB Lounge or Big Couch are certainly worth a look if scalability is a concern.

    Because CouchDB is written to be operated completely with a RESTful API, no special database drivers are required. It is also a good fit with the Twisted asynchronous I/O model.

    The CouchDB options can be configured by appending a colon to this option and providing colon-separated key=value pairs or by configuring options in the CouchDB section of the main config file (the latter method is preferred).

    The CouchDB options are:

    • host: The database server hostname or IP address.
    • port: The port that CouchDB listens on.
    • db: The name of the database (e.g. “cas_tickets”).
    • user: The username to connect to the database as.
    • passwd: The password to use when connecting to the database.
    • https: 1 (True) or 0 (False). When connecting to the database, use HTTPS.
    • verify_cert: 1 (True) or 0 (False). When connecting to the database, verify its X.509 certificate. It is useful to set this option to False during development if using a self-signed cert; leave it enabled in production, since with verification disabled the connection is not protected against a server impersonating the database.

Options Common to All Ticket Stores

All ticket stores must support specific options:

  • lt_lifespan: The time in seconds before a Login Ticket expires.
  • st_lifespan: The time in seconds before a Service Ticket expires.
  • pt_lifespan: The time in seconds before a Proxy Ticket expires.
  • pgt_lifespan: The time in seconds before a Proxy Granting Ticket expires.
  • tgt_lifespan: The time in seconds before a Ticket Granting Ticket expires.
  • ticket_size: The size of a ticket (in characters) generated by the ticket store.

Note

Ticket lifespan countdowns for multi-use tickets (PGTs and TGTs) may be reset if a ticket is used. Some tickets have their lifespans connected to their parent tickets as per the CAS protocol and should not outlive their parent tickets.
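The following is an added example, not txcas's own code, showing how the common options listed above and the lifespan rules in the note fit together in a minimal in-memory ticket store: tickets are ticket_size characters long and generated from a CSPRNG, a Service Ticket is single-use and bound to one service, using a TGT resets its countdown, and a child ST never outlives its parent TGT. The class, its method names and the default lifespans are assumptions made for the example; only the option names come from the page.

```python
import secrets
import string
import time

_ALPHABET = string.ascii_letters + string.digits


class MemoryTicketStore:
    def __init__(self, st_lifespan=10, tgt_lifespan=3600, ticket_size=32,
                 clock=time.time):
        # Lifespans in seconds; these defaults are constructed for the example.
        self.st_lifespan, self.tgt_lifespan = st_lifespan, tgt_lifespan
        self.ticket_size = ticket_size
        self.clock = clock      # injectable so expiry can be exercised in a test
        self._tickets = {}      # ticket id -> record; lost when the process exits

    def _new_id(self, prefix):
        # Prefix plus a CSPRNG body, padded so the whole id is ticket_size chars.
        n = self.ticket_size - len(prefix) - 1
        return prefix + "-" + "".join(secrets.choice(_ALPHABET) for _ in range(n))

    def mk_tgt(self, user):
        tid = self._new_id("TGC")
        self._tickets[tid] = {"kind": "TGT", "user": user,
                              "expires": self.clock() + self.tgt_lifespan}
        return tid

    def mk_st(self, tgt, service):
        parent = self._tickets.get(tgt)
        if parent is None or parent["kind"] != "TGT" or parent["expires"] <= self.clock():
            raise KeyError("TGT unknown or expired")
        # The TGT is multi-use: each use resets its countdown.
        parent["expires"] = self.clock() + self.tgt_lifespan
        # The ST is tied to its parent and must not outlive it.
        expires = min(self.clock() + self.st_lifespan, parent["expires"])
        tid = self._new_id("ST")
        self._tickets[tid] = {"kind": "ST", "user": parent["user"],
                              "service": service, "expires": expires}
        return tid

    def validate_st(self, st, service):
        rec = self._tickets.get(st)
        if rec is None or rec["kind"] != "ST":
            return None
        del self._tickets[st]   # single use: consumed on any validation attempt
        if rec["expires"] <= self.clock() or rec["service"] != service:
            return None
        return rec["user"]
```

A real store would also cover LT, PT and PGT tickets and the SLO callbacks; this only models the expiry and single-use behaviour the options describe.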

Interaction With Service Managers

If a service manager is enabled in the txcas service, the ticket store will use it to determine whether the CAS server will authenticate for a particular service.