[keycloak-user] Logout at security proxy fails

Marko Strukelj mstrukel at redhat.com
Mon Jul 25 11:16:28 EDT 2016


Ah, I was looking directly at the cause at the bottom, and missed the
UndertowPreAuthActionsHandler at the beginning of stack trace.

No idea then. If it's an out-of-the-box proxy install, and it's supposed to
just work, then maybe it's a bug.

On Mon, Jul 25, 2016 at 4:41 PM, Manfred Duchrow <
manfred.duchrow at caprica.biz> wrote:

> Hi,
>
> thanks for your response.
>
> The UndertowPreAuthActionsHandler actually is in the stacktrace. So I
> don't quite understand what you mean.
>
> The installation is out-of-the-box from the keycloak-proxy-2.0.0.Final.zip.
>
> I was assuming that in UndertowPreAuthActionsHandler#handleRequest()
> somthing like the following must happen,
> in order to execute the logout action handling in a worker thread:
>
>     public void handleRequest(HttpServerExchange exchange) throws
> Exception {
>         UndertowHttpFacade facade = createFacade(exchange);
>         SessionManagementBridge bridge = new
> SessionManagementBridge(userSessionManagement, sessionManager);
>         final PreAuthActionsHandler handler = new
> PreAuthActionsHandler(bridge, deploymentContext, facade);
>         final AtomicBoolean requestHandled = new AtomicBoolean(false);
>         if (exchange.getRequestURI().endsWith(AdapterConstants.K_LOGOUT)) {
>           HttpHandler tmpHandler = new HttpHandler()
>           {
>             @Override
>             public void handleRequest(HttpServerExchange exchange) throws
> Exception
>             {
>               requestHandled.set(handler.handleRequest());
>             }
>           };
>           exchange.dispatch(tmpHandler); // This starts the worker thread
> that allows blocking I/O
>         }
>         else {
>           requestHandled.set(handler.handleRequest());
>         }
>         if(requestHandled.get()) return;
>         next.handleRequest(exchange);
>     }
>
> Any feedback welcome.
>
> Cheers,
>   Manfred
>
> On 25.07.2016 15:35, Marko Strukelj wrote:
>
> Giving a cursory look at KEYCLOAK-3311, and not really knowing this part
> of the code so I hope I'm not giving you a wrong lead here, but it looks
> like UndertowPreAuthActionsHandler should already be present in your
> stacktrace, while currently it is not.
>
> It sounds like Wildfly adapter was not installed correctly.
>
> On Mon, Jul 25, 2016 at 9:26 AM, Manfred Duchrow <
> manfred.duchrow at caprica.biz> wrote:
>
>> Hi,
>>
>> a few days ago I created the Jira issue KEYCLOAK-3311.
>>
>> Its about the following exception when "k_logout" request from the
>> keycloak server is coming in:
>>
>> IllegalStateException: UT000126: Attempted to do blocking IO from the IO
>> thread. This is prohibited as it may result in deadlocks
>>
>> Has anybody experienced the same? Is there a workaround?
>>
>> Currently this error prevents the logout from the secure proxy and
>> therefore the protected
>> application can still be reached (for a while) even if the user's session
>> on the keycloak server
>> has been terminated.
>>
>> Cheers,
>>    Manfred
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160725/a1b2c4e8/attachment.html 


More information about the keycloak-user mailing list