<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
<div class="moz-cite-prefix">On 26.2.2016 09:33, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAfMygGmHBasg1nHdNHhzxwMooZt+BtY5dH5MWBey4+new@mail.gmail.com"
type="cite">
<div dir="ltr">This should work just fine without sticky sessions.</div>
</blockquote>
<br>
Sure, but there may be latencies or so between nodes which may bring
problems, and it is always hard to troubleshoot this kind of
problem. Sticky sessions generally lower the probability of this kind
of operational problem; this is why I like them and use them ;-)
But correctly configured replication is necessary even in the case of
sticky sessions to have failover.<br>
<br>
<blockquote
cite="mid:CAJgngAfMygGmHBasg1nHdNHhzxwMooZt+BtY5dH5MWBey4+new@mail.gmail.com"
type="cite">
<div dir="ltr"> We also don't support sticky sessions at the
moment as there's no cookie to stick on. We're going to look
into supporting sticky sessions soon.</div>
</blockquote>
<br>
Some load balancers are able to make sessions sticky on their own, even
if the application itself does not provide any cookie. We use this on the RHD
website; we have an F5 load balancer which handles sticky sessions for
us (I think it creates its own cookie), and is able to correctly
fail over when a Keycloak node dies. <br>
<br>
So don't tell your users that Keycloak doesn't support sticky
sessions at all; it works with sticky sessions correctly if they are provided
by the load balancer in some way not relying on a cookie provided by
Keycloak itself. ;-)<br>
<br>
Vlastimil<br>
<br>
<blockquote
cite="mid:CAJgngAfMygGmHBasg1nHdNHhzxwMooZt+BtY5dH5MWBey4+new@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 26 February 2016 at 09:29, Vlastimil
Elias <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> What about
configuring <span lang="EN-US">Loadbalancer to use sticky
sessions?<br>
<br>
Vlastimil<br>
</span>
<div>
<div class="h5"><br>
<div>On 25.2.2016 16:10, Peter Krivansky wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div>
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal"> </p>
                    <p class="MsoNormal"><span lang="EN-US">I have a
                        Keycloak cluster with two servers; in front of
                        each Keycloak, Apache is running.</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal" style="text-indent:35.4pt"><span
lang="EN-US">LB</span></p>
<p class="MsoNormal" style="text-indent:35.4pt"><span
lang="EN-US">/\</span></p>
<p class="MsoNormal"><span lang="EN-US"> Host A
Host B</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">Now,
Host-A and Host-B are in different subnets,
due to this design we are running jGroups via
TCP. </span></p>
                    <p class="MsoNormal"><span lang="EN-US">Now
                        everything is working fine, except for the
                        Keycloak Admin console: once a user tries to
                        log in, they get for a millisecond into the
                        Admin console, but then they get redirected to
                        the login page immediately.</span></p>
                    <p class="MsoNormal"><span lang="EN-US">When I
                        disable Host-A or Host-B on the load balancer
                        (new sessions will land only on Host-A or
                        Host-B), the login to the Keycloak Admin Console
                        will work normally.</span></p>
<p class="MsoNormal"><span lang="EN-US">During the
immediate redirection there is only this one
WARNING in the Server.log:</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">15:41:42,886
WARN
[org.jboss.resteasy.core.ExceptionHandler]
(default task-10) Failed executing GET
/admin/serverinfo:
org.jboss.resteasy.spi.UnauthorizedException:
Bearer</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:156)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
org.keycloak.services.resources.admin.AdminRoot.getServerInfo(AdminRoot.java:209)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
java.lang.reflect.Method.invoke(Method.java:498)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:81)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:60)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:102)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</span></p>
<p class="MsoNormal"><span lang="EN-US">
at java.lang.Thread.run(Thread.java:745)</span></p>
<p class="MsoNormal"><span lang="EN-US"></span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">I attached
my domain.xml</span></p>
                    <p class="MsoNormal"><span lang="EN-US">Have I
                        missed something, or what did I do wrong? </span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">With Kind
regards Peter</span></p>
</div>
<br>
<br>
</div>
</div>
<span class="">
<pre>_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</span></blockquote>
<span class="HOEnZb"><font color="#888888"> <br>
<pre cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</font></span></div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
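<br>
Added example, not part of the original thread and not Keycloak or F5 code: a simplified Python model of the points made in the reply above (a balancer that inserts its own persistence cookie, and session replication as the thing that makes failover work). The <code>LB_ROUTE</code> cookie name, the node names and the 401-on-missing-session behaviour are assumptions for illustration.<br>

```python
import itertools

class Node:
    """One cluster member with a local session cache (simplified model)."""
    def __init__(self, name):
        self.name, self.alive, self.sessions, self.peers = name, True, set(), []

    def login(self, sid, replicate):
        self.sessions.add(sid)
        if replicate:                      # working replication copies the session
            for peer in self.peers:
                peer.sessions.add(sid)

    def admin_request(self, sid):
        return 200 if sid in self.sessions else 401   # 401 = bounced to login

class LoadBalancer:
    """Round-robin balancer; optionally inserts its own persistence cookie."""
    COOKIE = "LB_ROUTE"                    # hypothetical cookie name

    def __init__(self, nodes, sticky):
        self.nodes, self.sticky = nodes, sticky
        self._rr = itertools.cycle(nodes)

    def route(self, cookies):
        pinned = next((n for n in self.nodes if n.name == cookies.get(self.COOKIE)), None)
        if self.sticky and pinned and pinned.alive:
            return pinned
        node = next(n for n in self._rr if n.alive)   # skip dead nodes
        if self.sticky:
            cookies[self.COOKIE] = node.name          # pin (or re-pin after failover)
        return node

def scenario(sticky, replicate, kill_after_login=False):
    """Log in once, then send three admin requests; return their status codes."""
    a, b = Node("host-a"), Node("host-b")
    a.peers, b.peers = [b], [a]
    lb, cookies = LoadBalancer([a, b], sticky), {}
    first = lb.route(cookies)
    first.login("sid-1", replicate)
    if kill_after_login:
        first.alive = False
    return [lb.route(cookies).admin_request("sid-1") for _ in range(3)]

if __name__ == "__main__":
    print("no sticky, no replication :", scenario(False, False))
    print("sticky, no replication    :", scenario(True, False))
    print("sticky, node dies, no repl:", scenario(True, False, kill_after_login=True))
    print("sticky, node dies, repl   :", scenario(True, True, kill_after_login=True))
```

In this model, stickiness alone hides a replication gap until a node fails, which is why a login loop that disappears when one host is disabled points at replication rather than at the balancer.<br>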
</body>
</html>