[keycloak-user] Http Session is not invalidated
Chen Keong Yap
chenkeong.yap at izeno.com
Tue Apr 7 04:52:26 EDT 2015
Hi,
Unfortunately I cannot use PicketLink binding adapters because my
application is running on WebSphere and we are not allowed to use Keycloak
proxy. I guess the only way is to use SP Filter. Can someone advise an
alternative/solution to clear the web application session after global logout
is performed?
On Tue, Apr 7, 2015 at 4:47 PM, Marek Posolda <mposolda at redhat.com> wrote:
> Nope, it's using the proper picketlink binding adapters
> (ServiceProviderAuthenticator valve on EAP6 and SPServletExtension on
> Wildfly). If you have opportunity to use those instead of SPFilter, it may
> be better though. I am not sure if Picketlink SPFilter is not deprecated
> (or if it supports all the features like binding adapters). Maybe Bill or
> Pedro knows more.
>
> Marek
>
>
>
> On 7.4.2015 10:41, Chen Keong Yap wrote:
>
>
>
> Hi,
>
> I cannot find the SPFilter definition in web.xml of the sample demo.
> Just wondering, is the demo running on SP filter?
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE web-app
>     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
>     "http://java.sun.com/dtd/web-app_2_3.dtd">
>
> <web-app>
>
>     <filter>
>         <filter-name>SPFilter</filter-name>
>         <filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
>         <init-param>
>             <param-name>IGNORE_SIGNATURES</param-name>
>             <param-value>true</param-value>
>         </init-param>
>         <init-param>
>             <param-name>ROLES</param-name>
>             <param-value>PRUONE</param-value>
>         </init-param>
>         <init-param>
>             <param-name>LOGOUT_PAGE</param-name>
>             <param-value>/logout1.jsp</param-value>
>         </init-param>
>     </filter>
>     <filter-mapping>
>         <filter-name>SPFilter</filter-name>
>         <url-pattern>/*</url-pattern>
>     </filter-mapping>
> </web-app>
>
> On Tue, Apr 7, 2015 at 3:20 PM, Marek Posolda <mposolda at redhat.com> wrote:
>
>> The demo is bundled in the keycloak-appliance-dist ZIP in directory
>> examples/saml.
>>
>> The demo sources are here:
>> https://github.com/keycloak/keycloak/tree/master/examples/saml
>>
>> Marek
>>
>>
>> On 7.4.2015 02:37, Chen Keong Yap wrote:
>>
>> Hi bill,
>>
>> Can you give me the link or path for the demo? Not sure if you are using
>> keycloak or picketlink demo for testing?
>> On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>
>>> Demos work fine for me, but I'm using the wildfly Picketlink SP
>>> adapter. I am able to have an SSO session with all the examples, then I am
>>> able to logout and have all sessions invalidated.
>>>
>>> On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
>>>
>>>> Hi bill,
>>>>
>>>> Are you using 2 applications for testing?
>>>>
>>>> If yes, I need to know: have you logged out of the first application and
>>>> then been redirected to the keycloak login page? After that, did refreshing
>>>> the second application redirect to the keycloak login page?
>>>>
>>>> Can i know which version of picketlink federation lib are you using?
>>>>
>>>> On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>>>
>>>> I tried out the saml demo app and logout works just fine, so I'm
>>>> guessing this is a bug in the PL SP Filter.
>>>>
>>>> On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
>>>>
>>>> Hi bill,
>>>>
>>>> Global logout only removed SP sessions but not web application sessions,
>>>> and this created security loopholes.
>>>>
>>>> Please advise
>>>>
>>>> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap <chenkeong.yap at izeno.com> wrote:
>>>>
>>>> Guys,
>>>>
>>>> Can share your ideas why global logout is not working?
>>>>
>>>> On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap at izeno.com> wrote:
>>>>
>>>> Hi Marek,
>>>>
>>>> I've just tested backchannel logout and it's showing the same issue.
>>>> Both applications are using PL SP Filter and the steps below are
>>>> used for testing.
>>>>
>>>> 1. Open https://localhost:8443/employee/ and the http request is
>>>> redirected to
>>>> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>>>>
>>>> 2. Enter username and password into the keycloak login page and get
>>>> redirected to the employee landing page
>>>>
>>>> 3. Open https://localhost:8443/sales-post/ and get redirected to the
>>>> sales-post landing page without login
>>>>
>>>> 4. Logon to the keycloak admin console and noticed there are 2
>>>> active sessions
>>>>
>>>> 5. Perform global logout from the employee landing page
>>>> (https://localhost:8443/employee/?GLO=true) and the http request is
>>>> redirected to
>>>> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>>>>
>>>> 6. Logon to the keycloak admin console and noticed all sessions are gone
>>>>
>>>> 7. Refresh the sales-post landing page and it's not redirected to the
>>>> keycloak login page. The sales-post session is still active.
>>>>
>>>> Kindly advise why GLO is performed but the second application
>>>> (sales-post) session is still active?
>>>>
>>>> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda <mposolda at redhat.com> wrote:
>>>>
>>>> Switch the "Front channel logout" to off. In this case it should use
>>>> backchannel (not redirecting through the browser, but sending logout
>>>> requests from Keycloak in the background)
>>>>
>>>> Marek
>>>>
>>>>
>>>>
>>>> On 3.4.2015 08:28, Chen Keong Yap wrote:
>>>>
>>>>
>>>> Hi Marek,
>>>>
>>>> I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the
>>>> same issues, please refer to the settings shown in the screenshot.
>>>>
>>>> Can you please advise how to test backchannel logout?
>>>>
>>>>
>>>> Inline image 1
>>>>
>>>>
>>>>
>>>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda <mposolda at redhat.com> wrote:
>>>>
>>>> I would try to upgrade to the latest 1.2.0.Beta1 as it has some
>>>> related fixes AFAIK.
>>>>
>>>> In this version, you also have the possibility to set up either
>>>> frontChannel logout or backchannel logout for the application. It can
>>>> be set in the Keycloak admin console. I think that at least one of
>>>> them will work with SP filter in the latest version (if not both).
>>>>
>>>> Marek
>>>>
>>>>
>>>> On 3.4.2015 01:44, Chen Keong Yap wrote:
>>>>
>>>> Hi,
>>>>
>>>> I've 2 applications installed with Picketlink SPFilter to
>>>> authenticate with keycloak 1.1.0 beta 2.
>>>>
>>>> When I perform global logout, the first application is logged out
>>>> successfully because the SP/keycloak session and the application http
>>>> session are removed, but the problem is that for the second
>>>> application the SP/keycloak session is removed but the application
>>>> http session still remains. I've set the admin url for these 2
>>>> applications in the keycloak admin console. Kindly share your ideas.
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>>
>>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
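A defensive approach to the problem this thread describes (the application HttpSession surviving a SAML global logout), as an added example that is not code from the thread, PicketLink or Keycloak: bind every application session to the SessionIndex of the SSO session that created it, and invalidate all of them when the logout for that index arrives. The servlet API types are standard; `SsoSessionRegistry`, its method names and the attribute name are this example's own, and the application is assumed to call `bind` after SPFilter has authenticated the user and `invalidateAll` from its backchannel logout handling.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example: ties application HttpSessions to the SAML SessionIndex so a
// global logout can end them; the registry and its names are assumptions.
@WebListener
public class SsoSessionRegistry implements HttpSessionListener {
    // Session attribute that remembers which SSO session created this HttpSession.
    static final String INDEX_ATTR = "example.samlSessionIndex";
    // SessionIndex -> live application sessions created under it.
    private static final Map<String, Set<HttpSession>> BY_INDEX = new ConcurrentHashMap<>();

    /** Call once after SPFilter has authenticated the user, with the assertion's SessionIndex. */
    public static void bind(String sessionIndex, HttpSession session) {
        session.setAttribute(INDEX_ATTR, sessionIndex);
        BY_INDEX.computeIfAbsent(sessionIndex, k -> ConcurrentHashMap.newKeySet()).add(session);
    }

    /** Call from the logout handling for a SessionIndex; returns how many app sessions were ended. */
    public static int invalidateAll(String sessionIndex) {
        Set<HttpSession> sessions = BY_INDEX.remove(sessionIndex);
        if (sessions == null) return 0; // nothing bound: already logged out, or user never hit this app
        int ended = 0;
        for (HttpSession s : sessions) {
            try {
                s.invalidate(); // drops every attribute the app cached for this user
                ended++;
            } catch (IllegalStateException alreadyInvalid) {
                // expired or invalidated locally in the meantime; nothing left to do
            }
        }
        return ended;
    }

    @Override public void sessionCreated(HttpSessionEvent e) { }

    /** Sessions that time out or log out locally leave the registry, so it cannot grow unbounded. */
    @Override public void sessionDestroyed(HttpSessionEvent e) {
        Object index = e.getSession().getAttribute(INDEX_ATTR);
        Set<HttpSession> set = index == null ? null : BY_INDEX.get(index.toString());
        if (set != null && set.remove(e.getSession()) && set.isEmpty()) {
            BY_INDEX.remove(index.toString(), set);
        }
    }
}
```

The SessionIndex is the value carried in the assertion's AuthnStatement and echoed back in the SAML LogoutRequest; how SPFilter exposes it to the application depends on the PicketLink version in use and is not shown here.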