[keycloak-user] where does the tomcat client adapter save the session

Marek Posolda mposolda at redhat.com
Wed Jul 19 13:06:54 EDT 2017


On 19/07/17 10:51, Yizhou Jiang(Yizhou) wrote:
> Dear Marek Posolda,
> 	
> Thanks for your kind help. I understand the second question now, but the first question still confuses me.
>
>> But I guess that when you restarted Tomcat, you didn't restart the Keycloak server, right?
> Yes, I didn't restart the Keycloak server and there is an SSO cookie on the Keycloak server.
>
> After I restart Tomcat, the user isn't redirected to Keycloak but logs in directly.
> I have checked it in Firebug; there is really no redirect.
> So, I guess the user session with the cookie of the application still exists and is not cleared.
Maybe yes. I am not 100% sure where Tomcat saves its HTTP sessions. 
Maybe there is some file on the disk. If you want those cleared, you can 
maybe delete all those "tmp" and "work" directories? Hopefully the Tomcat 
docs have more details around this.

Marek
>
>
> Thanks,
> yizhou
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Wednesday, July 19, 2017 3:42 PM
> To: Yizhou Jiang(Yizhou); keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] where does the tomcat client adapter save the session
>
> On 19/07/17 07:07, Yizhou Jiang(Yizhou) wrote:
>> Hi,
>>         I have two questions:
>>
>>
>> 1. Where does the Tomcat client adapter store the user session?
>>
>>
>> When a user is logged into an application protected by a Tomcat
>> client adapter, there is only
>> "JSESSIONID=E1EAC81E52C97DD64FFB4C13A1231996" in the cookie.
>> But when I restart Tomcat, the user can still log into the application with the cookie. Obviously, the session isn't stored in the memory of Tomcat. Where does the Tomcat client adapter store the user session?
> It's saved in the HTTP Session and AFAIK HTTP sessions are not persisted by Tomcat and are cleared after restart.
>
> But I guess that when you restarted Tomcat, you didn't restart the Keycloak server, right? So you still have the SSO cookie KEYCLOAK_IDENTITY on the Keycloak server. So what happens for you is that after the restart of Tomcat, when you open the URL of your Tomcat application, the user is redirected to Keycloak, where he is automatically authenticated due to SSO, and hence is automatically authenticated in Tomcat too.
>
>> 2. Are there any settings for the policy enforcer that can let an unauthenticated user access some resources in an application protected by a Tomcat client adapter?
>>
>> Setting the enforcement-mode to "DISABLED" still requires the user to be authenticated.
>>
>>     "policy-enforcer": {
>>         "enforcement-mode": "PERMISSIVE",
>>         "paths": [
>>             {
>>                 "path": "/public/*",
>>                 "enforcement-mode": "DISABLED"
>>             }
>>         ]
>>     }
> Yes, true. There are security constraints declared in the web.xml of your web application, and the adapter always requires the user to be authenticated (and redirects to the login screen) once the user enters some "secured" URL from there. So you may need to change your security constraints in web.xml instead to ensure some URL is public.
>
> Also I am not 100% sure, but I think that those "public" URLs declared in web.xml will just be ignored by the Keycloak adapter entirely.
> Which means that the declared "policy-enforcer" will be ignored too. In other words, the "policy-enforcer" is applied just for authenticated requests and it's done after the user was authenticated (again not 100% sure, but rather something like 95% :)
>
> Marek
>>
>>
>> Thanks,
>> yizhou
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
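The web.xml arrangement Marek points at, as an added example that is not from the thread or from the Keycloak project: the catch-all `/*` constraint requires a realm role (the role name `user` and the realm name `demo` are assumptions), while the more specific `/public/*` constraint carries no `<auth-constraint>`, so the container serves those URLs without authentication and the adapter never gets to redirect or to apply the policy enforcer to them. Servlet containers match the most specific `url-pattern`, so `/public/*` takes precedence over `/*`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml of the protected application (added example, not from the thread) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         version="3.1">

  <!-- Everything under /public/* is unconstrained: a security-constraint
       without an <auth-constraint> grants access to everyone. Because this
       pattern is more specific than /*, the container applies it instead of
       the catch-all below, so no login redirect happens for these URLs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- Everything else requires an authenticated user holding the assumed
       realm role "user"; the Keycloak adapter redirects to the login page
       when an unauthenticated request hits one of these URLs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secured</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Hands authentication to the Keycloak Tomcat adapter. -->
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo</realm-name>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Keep the `/public/*` entry in the policy enforcer's `paths` (as in the keycloak.json quoted above) only as documentation of intent; since the container never authenticates those requests, the enforcer does not run for them either, which is the behaviour Marek describes. Anything that must stay private belongs outside `/public/`, because the path prefix alone decides who can reach it.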
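Marek's guess about "some file on the disc" is worth making concrete from the Tomcat side, as an added example that is not from the thread: Tomcat's default StandardManager serialises live HTTP sessions to a SESSIONS.ser file in the application's work directory on a clean shutdown and restores them on the next start, which is consistent with the reported login surviving a Tomcat restart without any redirect. The Manager's documented way to switch that off is an empty `pathname`; the context.xml below (file location and the choice to disable persistence are assumptions about the deployment) does exactly that.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the web application, or the Context element in
     conf/server.xml (added example, not from the thread).
     With the default StandardManager, Tomcat writes active HTTP sessions to
     SESSIONS.ser under the work directory when it stops cleanly and reloads
     them when it starts, so whatever the Keycloak adapter stored in the
     session (the authenticated account) comes back after a restart.
     pathname="" disables that persistence: every session, and with it the
     adapter's stored authentication, is gone once Tomcat restarts. -->
<Context>
  <Manager className="org.apache.catalina.session.StandardManager"
           pathname="" />
</Context>
```

This only clears the Tomcat side. As the thread notes, the KEYCLOAK_IDENTITY SSO cookie on the Keycloak server still logs the user back in transparently on the next redirect, so forcing a real re-authentication also requires the Keycloak session to end, whether by its own expiry or by an administrator ending it.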