[keycloak-user] Logout issue: UT000021: Session already invalidated with EAP7/WF10 adapter

Petr Široký psiroky at redhat.com
Fri Feb 3 11:50:01 EST 2017


Hello everyone,

I am having a logout issue when using the EAP7/WF10 adapter 
(2.5.1.Final) with EAP 7.0.0.GA. The server is RH-SSO 7.0.0.GA (but I 
also tried the upstream Keycloak 2.5.1.Final).

This is a simplified version of the code (full reproducer here 
https://github.com/psiroky/servlet-app-keycloak-reproducer):

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // ....
    // End the container-managed authentication first
    request.logout();
    // Then invalidate the HTTP session, if one still exists
    HttpSession session = request.getSession(false);
    if (session != null) {
        session.invalidate();
    }
    // ...
}

The code first calls request.logout() and then session.invalidate(). 
This works OK when we are _not_ using the Keycloak adapter. However, 
once we switch to the Keycloak adapter we end up with 
"java.lang.IllegalStateException:UT000021: Session already invalidated". 
I've been debugging the calls and it happens because the 
request.logout() bubbles down to the Keycloak adapter code, which calls 
session.invalidate() as well. For some reason (bug in Undertow/EAP?) the 
request.getSession(false) then returns what seems to be a valid 
session (the invalidated flag=false). The session.invalidate() call 
happens again, but the session was in fact already invalidated and thus 
Undertow throws that IllegalStateException.

Please note that exactly the same code works on EAP 6 (+ EAP6 adapter). 
The session also gets invalidated as part of logout(), but then the 
request.getSession(false) returns null, so the second call to 
invalidate() does not happen (this kind of points to Undertow as the 
culprit).

I am trying to figure out what the root cause is:

  1) Our application should _not_ call both request.logout() and then 
session.invalidate() (even though it works for EAP6 and also with e.g. 
basic auth without the Keycloak integration)

  2) Keycloak adapter should not call session.invalidate() as part of 
request.logout()

  3) Undertow does not properly propagate the invalidate() call by the 
Keycloak adapter.

  4) Something completely different?


Thanks,
Petr
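A defensive variant of the logout servlet, added here as an illustration (it is not part of Petr's reproducer nor of the Keycloak adapter code). It keeps the same logout()-then-invalidate() order but treats a session that the adapter has already invalidated as an expected condition rather than a failed logout. The servlet path "/logout" and the redirect target are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical mapping; adjust to the application's own logout URL.
@WebServlet("/logout")
public class DefensiveLogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Ends the authenticated identity. With the Keycloak adapter this call
        // also invalidates the HTTP session, as described in the thread.
        request.logout();

        // On Undertow the container may still hand back the (already invalidated)
        // session object here, so do not assume a non-null session is live.
        HttpSession session = request.getSession(false);
        if (session != null) {
            try {
                session.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // UT000021 case: the adapter invalidated the session during
                // request.logout(). The logout still succeeded; just record it.
                log("Session already invalidated during request.logout(); "
                        + "skipping second invalidate()");
            }
        }

        // Do not let a cached copy of an authenticated page survive the logout,
        // then send the user to a public landing page (assumed to be the context root).
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```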


