<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><a id="stateless-token-store"></a>It
looks like there might be an issue with session replication in your
environment. <br>
When you bootstrap your domain with cluster nodes, are you seeing a message in the log similar to:<br>
<pre>INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp)
ISPN000094: Received new cluster view: [node1/web|1] (2) [node1/web, node2/web]
</pre>
Does it help if you try to switch to <code>"token-store": "cookie"</code>
in the adapter configuration of your application?<br>
<br>
Thanks,<br>
Marek<br>
<br>
On 5.2.2015 06:45, Bappaditya Gorai (bgorai) wrote:<br>
</div>
<blockquote
cite="mid:C5AF53298BAB5F4A88B28966E43B40AD0565C4BB@xmb-aln-x12.cisco.com"
type="cite">
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div><font color="#1F497D">Please find my response inline for
your queries.</font></div>
<div><font color="#1F497D"> </font></div>
<div><font color="#1F497D">Thanks</font></div>
<div><font color="#1F497D">Bappaditya Gorai</font></div>
<div><font color="#1F497D" face="Times New Roman" size="3"><span
style="font-size:12pt;"> </span></font></div>
<div><font face="Tahoma" size="2"><span
style="font-size:10pt;"><b>From:</b> Marek Posolda [<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com">mailto:mposolda@redhat.com</a>]
<br>
<b>Sent:</b> Wednesday, February 04, 2015 8:06 PM<br>
<b>To:</b> Bappaditya Gorai (bgorai); Stian Thorgersen<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-dev] Facing Issue with
Resource Server in Clustered Environment</span></font></div>
<div><font face="Times New Roman" size="3"><span
style="font-size:12pt;"> </span></font></div>
<div><font face="Times New Roman" size="3"><span
style="font-size:12pt;">Hi,<br>
<br>
I am not sure about the details of your environment. You
mentioned that you're not interested in clustering of
keycloak server. </span></font></div>
<div><font color="#1F497D" face="Times New Roman" size="3"><span
style="font-size:12pt;"> </span></font></div>
<div><font face="Times New Roman" size="3"><span
style="font-size:12pt;">So do I understand correctly
that you have just 1 node as keycloak server and 2 nodes
with your application deployed? </span></font></div>
<div><font color="#1F497D"><b>[[Bappaditya]]</b> Yes, only one
instance of keycloak Server (Running in standalone mode).
My Application is deployed in 2 nodes (cluster) and
running in domain mode. </font></div>
<div><font color="#1F497D" face="Times New Roman" size="3"><span
style="font-size:12pt;"> </span></font></div>
<div><font face="Times New Roman" size="3"><span
style="font-size:12pt;">Are you using "distributable"
tag in web.xml of your app on both nodes to ensure
session replication? </span></font></div>
<div><font color="#1F497D"><b>[[Bappaditya]]</b> Yes,
Application is using <font color="black" face="Times New
Roman" size="3"><span style="font-size:12pt;"> “</span></font>distributable”
tag in web.xml. </font></div>
<div><font color="#1F497D" face="Times New Roman" size="3"><span
style="font-size:12pt;"> </span></font></div>
<div><font face="Times New Roman" size="3"><span
style="font-size:12pt;">Are you using a load balancer? </span></font></div>
<div><font color="#1F497D"><b>[[Bappaditya]] </b> We are
using mod_cluster & httpd. Sticky sessions disabled.</font></div>
<div><font face="Times New Roman" size="3"><span
style="font-size:12pt;"><br>
<br>
Marek<br>
<br>
On 4.2.2015 13:37, Bappaditya Gorai (bgorai) wrote:</span></font></div>
<div>Thanks for the detailed description. Still, it seems that in
case of a clustered Resource environment (distributable
without sticky sessions) we are relying on session
replication to happen immediately between CODE_TO_TOKEN and
Resource Hit (302), which may or
may not happen. We are now facing the same issue, where after
CODE_TO_TOKEN the client is redirected to the Login URL again. </div>
<div> </div>
<div>Are we addressing this scenario with 1.1.0 Final? </div>
<div> </div>
<div> </div>
<div>Thanks</div>
<div>Bappaditya Gorai</div>
<div> </div>
<div>-----Original Message-----<br>
From: Marek Posolda [<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com"><font color="blue"><u>mailto:mposolda@redhat.com</u></font></a>]
<br>
Sent: Monday, February 02, 2015 2:00 PM<br>
To: Bappaditya Gorai (bgorai); Stian Thorgersen<br>
Cc: <a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org"><font
color="blue"><u>keycloak-dev@lists.jboss.org</u></font></a><br>
Subject: Re: [keycloak-dev] Facing Issue with Resource
Server in Clustered Environment</div>
<div> </div>
<div>Hi,</div>
<div> </div>
<div>It's not stateless by default. Data about the Keycloak
authenticated principal are saved in the HTTP session by default
and can be replicated across cluster nodes (replication
works as long as your application is marked as
"distributable" in web.xml).</div>
<div> </div>
<div>However, we support a stateless adapter, which won't save
anything in the HTTP session and won't create an HTTP session and
JSESSIONID cookie at all (unless you're calling
httpRequest.getSession() in your own application). Instead,
all the data are saved in a cookie.</div>
<div> </div>
<div>Some more info in docs: </div>
<div><font face="Times New Roman" size="3"><span
style="font-size:12pt;"><a moz-do-not-send="true"
href="http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/applicationClustering.html"><font
color="blue" face="Calibri" size="2"><span
style="font-size:11pt;"><u>http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/applicationClustering.html#stateless-token-store</u></span></font></a></span></font></div>
<div> </div>
<div>Marek</div>
<div> </div>
<div>On 30.1.2015 11:26, Bappaditya Gorai (bgorai) wrote:</div>
<div>> Thanks for clarifying. So, I think adapter has
become stateless in 1.1.0.Final. Is my understanding
correct?</div>
<div>></div>
<div>></div>
<div>> -----Original Message-----</div>
<div>> From: Stian Thorgersen [<a moz-do-not-send="true"
href="mailto:stian@redhat.com"><font color="blue"><u>mailto:stian@redhat.com</u></font></a>]</div>
<div>> Sent: Friday, January 30, 2015 1:18 PM</div>
<div>> To: Bappaditya Gorai (bgorai)</div>
<div>> Cc: <a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org"><font
color="blue"><u>keycloak-dev@lists.jboss.org</u></font></a></div>
<div>> Subject: Re: [keycloak-dev] Facing Issue with
Resource Server in </div>
<div>> Clustered Environment</div>
<div>></div>
<div>></div>
<div>></div>
<div>> ----- Original Message -----</div>
<div>>> From: "Bappaditya Gorai (bgorai)" <<a
moz-do-not-send="true" href="mailto:bgorai@cisco.com"><font
color="blue"><u>bgorai@cisco.com</u></font></a>></div>
<div>>> To: "Stian Thorgersen" <<a
moz-do-not-send="true" href="mailto:stian@redhat.com"><font
color="blue"><u>stian@redhat.com</u></font></a>></div>
<div>>> Cc: <a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org"><font
color="blue"><u>keycloak-dev@lists.jboss.org</u></font></a></div>
<div>>> Sent: Friday, 30 January, 2015 8:38:49 AM</div>
<div>>> Subject: RE: [keycloak-dev] Facing Issue with
Resource Server in Clustered Environment</div>
<div>>></div>
<div>>> We are not talking about clustering for Keycloak
server. The setup is </div>
<div>>> for Resource Server (Keycloak Adapter) in
clustered environment.</div>
<div>> Same answer</div>
<div>></div>
<div>>> Thanks</div>
<div>>> Bappaditya Gorai</div>
<div>>></div>
<div>>> -----Original Message-----</div>
<div>>> From: Stian Thorgersen [<a
moz-do-not-send="true" href="mailto:stian@redhat.com"><font
color="blue"><u>mailto:stian@redhat.com</u></font></a>]</div>
<div>>> Sent: Friday, January 30, 2015 12:57 PM</div>
<div>>> To: Bappaditya Gorai (bgorai)</div>
<div>>> Cc: <a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org"><font
color="blue"><u>keycloak-dev@lists.jboss.org</u></font></a></div>
<div>>> Subject: Re: [keycloak-dev] Facing Issue with
Resource Server in </div>
<div>>> Clustered Environment</div>
<div>>></div>
<div>>> 1.0.4.Final had very limited support for
clustering, please upgrade </div>
<div>>> to 1.1.0.Final and refer to chapter 24 and 25 in
the documentation </div>
<div>>> (<a moz-do-not-send="true"
href="http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/clustering.html"><font
color="blue"><u>http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/clustering.html</u></font></a>).</div>
<div>>></div>
<div>>> ----- Original Message -----</div>
<div>>>> From: "Bappaditya Gorai (bgorai)" <<a
moz-do-not-send="true" href="mailto:bgorai@cisco.com"><font
color="blue"><u>bgorai@cisco.com</u></font></a>></div>
<div>>>> To: <a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org"><font
color="blue"><u>keycloak-dev@lists.jboss.org</u></font></a></div>
<div>>>> Sent: Friday, 30 January, 2015 8:22:26 AM</div>
<div>>>> Subject: [keycloak-dev] Facing Issue with
Resource Server in Clustered</div>
<div>>>> Environment</div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>> Hi Team,</div>
<div>>>></div>
<div>>>> Please find the details on setup and
observation below. Please </div>
<div>>>> provide your suggestion on how to overcome
this issue. We are using </div>
<div>>>> Keycloak 1.0.4.Final (Adapter & Server).</div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>> Setup:</div>
<div>>>></div>
<div>>>> 1. We have brought up Jboss cluster ( Using
mod_cluster, httpd ) </div>
<div>>>> with</div>
<div>>>> 2 nodes in domain mode and enabled session
replication between these nodes.</div>
<div>>>></div>
<div>>>> 2. Our Resource server is deployed in this
clustered environment </div>
<div>>>> with distributable and Sticky session Off.</div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>> Behavior observed :</div>
<div>>>></div>
<div>>>> During the Authorization/Authentication
process, when the initial </div>
<div>>>> call (Resource</div>
<div>>>> Access) lands on master and the next redirection
(post Code To token) </div>
<div>>>> falls on slave, the Adapter is treating it as a
new session and </div>
<div>>>> redirecting to login URL again. So we ended
up with a circular redirection error.</div>
<div>>>> After further investigation, it seems like
session replication delay is </div>
<div>>>> causing the adapter to behave this way. As the
redirection call happens </div>
<div>>>> very quickly, this results in a circular
redirection error.</div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>> NOTE: Sticky Session in mod_cluster
environment solves the issue but </div>
<div>>>> it does not provide true load balancing.
Therefore we are not </div>
<div>>>> considering Sticky session option.</div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>> Thanks</div>
<div>>>></div>
<div>>>> Bappaditya Gorai</div>
<div>>>></div>
<div>>>>
_______________________________________________</div>
<div>>>> keycloak-dev mailing list</div>
<div>>>> <a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org"><font
color="blue"><u>keycloak-dev@lists.jboss.org</u></font></a></div>
<div>>>> <a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"><font
color="blue"><u>https://lists.jboss.org/mailman/listinfo/keycloak-dev</u></font></a></div>
</span></font>
</blockquote>
<br>
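<div>Added example (not part of the original thread and not Keycloak code): a toy Python model of the race described above, with round-robin routing across two app nodes and delayed session replication, comparing the default session token store with "token-store": "cookie" and with sticky sessions. The names simulate, replication_delay and MAX_REDIRECTS, the one-tick-per-request timing and the redirect limit are assumptions made for illustration.</div>

```python
# Toy model (constructed for illustration) of the race discussed in this thread.
# Assumed: two app nodes, one tick per app request, and a session write on one
# node becoming visible on the other after `replication_delay` ticks.
import itertools

MAX_REDIRECTS = 20  # assumed limit at which a browser reports a redirect loop

def simulate(token_store, replication_delay, sticky=False):
    """Return how many times the browser is sent to the login URL before the
    resource is served, or None if MAX_REDIRECTS is exceeded first."""
    nodes = ["node1", "node2"]
    round_robin = itertools.cycle(nodes)
    visible_at = {}       # node -> tick from which it sees the principal
    cookie_has_token = has_code = False
    pinned = None         # node chosen when sticky sessions are on
    tick = redirects = logins = 0

    def route():
        nonlocal pinned
        if sticky:
            pinned = pinned or next(round_robin)
            return pinned
        return next(round_robin)

    def authenticated(node):
        if token_store == "cookie":
            return cookie_has_token      # state travels with every request
        return visible_at.get(node, float("inf")) <= tick

    while redirects <= MAX_REDIRECTS:
        node = route()
        tick += 1
        if has_code:
            # CODE_TO_TOKEN on this node, then a 302 back to the resource URL
            has_code = False
            if token_store == "cookie":
                cookie_has_token = True
            else:
                for n in nodes:
                    ready = tick if n == node else tick + replication_delay
                    visible_at[n] = min(visible_at.get(n, ready), ready)
            redirects += 1
        elif authenticated(node):
            return logins
        else:
            # 302 to the login URL, which answers with a 302 carrying a code
            logins += 1
            redirects += 2
            has_code = True
    return None
```

<div>In this model a long replication delay with the session store and no sticky sessions never reaches the resource, while the cookie store and sticky sessions both succeed after a single login regardless of the delay.</div>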
</body>
</html>