<div dir="ltr">Ok, so a few followups. Just to be clear, here’s what I’m trying to do and the outcomes of each against 1.2.0.Beta1:<div><br></div><div>1. (Original scenario) Log user out from KC console (Users &gt; [user] Sessions). </div><div>Result: This still fails with the exception, &quot;org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession Session not present or already invalidated.”</div><div><br></div><div>The exception thrown here is an NPE as manager.findSession(httpSessionId) failed to find the session. Interestingly, the session is still valid and the ID passed into the manager is correct. Furthermore, while debugging I can see that manager.findSession() looks up the session in a hash map. Interestingly, the session id (key) is there, but the value (session) is null.  Maybe this is a Tomcat bug.  Using Tomcat 8.0.18, will test with <span style="color:rgb(0,0,0);white-space:pre-wrap">8.0.21.</span></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap"><br></span></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap">2. (Second scenario) Application logout.</span></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap">Documentation </span><font color="#000000"><span style="white-space:pre-wrap">8.10. Logout (</span></font><a href="http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152">http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152</a>) say you can either call HttpServletRequest.logout() or redirect tohttp://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri.</div><div><br></div><div>However, you have to do both. </div><div><br></div><div>Call only .logout() and the KC token is still valid and user can access app with a new session (it will just redirect to KC, see KC session is valid and grant access).</div><div><br></div><div>Call only auth-server/…/logout and the Tomcat session remains valid. I would have thought that calling the auth-server’s logout endpoint would broadcast logout events to logged in applications, but it doesn’t.</div><div><br></div><div>I’ll file a JIRA for the second case and continue investigating the first scenario with a newer Tomcat release.</div><div><br></div><div>Best,</div><div>Scott</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br><div><br></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 3, 2015 at 1:42 AM, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Sure, maybe even easier alternative is
      to try debugger. You can add this to the beginning of
      $TOMCAT_HOME/bin/catalina.sh:<br>
      <br>
      JAVA_OPTS=&quot;$JAVA_OPTS
      -agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n&quot;<br>
      <br>
      then start tomcat and then remotely connect to it from your IDE.
      You will need opened IDE with keycloak sources though. <br>
      <br>
      I&#39;ve changed the code to display the exception stacktrace, but it
      will be available in next release (not yet in 1.2.0.Beta1 released
      yesterday)<span class="HOEnZb"><font color="#888888"><br>
      <br>
      Marek</font></span><div><div class="h5"><br>
      <br>
      On 3.4.2015 01:30, Scott Rossillo wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">Still no luck using Tomcat 8 and Keycloak
      1.2.0.Beta1. 
      <div><br>
      </div>
      <div>I will install a custom built agent tomorrow to catch the
        actual exception to see what&#39;s up.</div>
      <div><br>
      </div>
      <div><br>
        On Thursday, April 2, 2015, Scott Rossillo &lt;<a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a>&gt;
        wrote:<br>
        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div dir="ltr">Hi,
            <div><br>
            </div>
            <div>Thanks for the reply.<br>
            </div>
            <div><br>
            </div>
            <div>I was trying to log a user out from the Keycloak admin
              console. I will try the redirect method and see if it
              works.</div>
            <div><br>
            </div>
            <div>Also, I’m using 1.1.0.Final. I will upgrade to
              1.2.0.Beta1 and report if the issue is still occurring. </div>
            <div><br>
            </div>
            <div>Best,</div>
            <div>Scott</div>
            <div> </div>
          </div>
          <div class="gmail_extra"><br>
            <div class="gmail_quote">On Thu, Apr 2, 2015 at 10:23 AM,
              Marek Posolda <span dir="ltr">&lt;<a>mposolda@redhat.com</a>&gt;</span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                <div bgcolor="#FFFFFF" text="#000000">
                  <div>Hi,<br>
                    <br>
                    I&#39;ve tried with Apache Tomcat 6.0.35 but wasn&#39;t able
                    to reproduce with latest Keycloak 1.2.0.Beta1.
                    Logout works fine for me.<br>
                    <br>
                    How are you doing logout? From the application or
                    from KC admin console? For the tomcat6, the
                    httpServletRequest.logout() method is not yet
                    available, so best for logout from the application
                    is redirecting to Keycloak logout URL similarly like
                    in our demo example:
                    <a href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14" target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14</a><br>
                    <br>
                    You can also enable debug logging, which should show
                    some additional messages in the log by adding this
                    line into $TOMCAT_HOME/conf/logging.properties:<br>
                    <br>
                    org.keycloak.level = FINE<br>
                    <br>
                    Marek
                    <div>
                      <div><br>
                        <br>
                        <br>
                        On 2.4.2015 01:37, Scott Rossillo wrote:<br>
                      </div>
                    </div>
                  </div>
                  <blockquote type="cite">
                    <div>
                      <div>
                        <div dir="ltr">Hi all,
                          <div><br>
                          </div>
                          <div>I’m running Keycloak 1.1.0-Final in
                            standalone mode and using Keycloak agents on
                            Tomcat 6 and Tomcat 8.<br>
                            <div><br>
                            </div>
                            <div>With both agents, whenever I try to log
                              a user out via the Keycloak server, I see
                              this in the Tomcat server’s log:</div>
                          </div>
                          <div><br>
                          </div>
                          <div>
                            <div>Apr 01, 2015 7:27:47 PM
                              org.keycloak.adapters.tomcat.CatalinaUserSessionManagement
                              logoutSession</div>
                            <div>WARN: Session not present or already
                              invalidated.</div>
                          </div>
                          <div><br>
                          </div>
                          <div>The session is still valid and continues
                            to be valid for some period of time in each
                            of the Tomcat instances. Anyone know how to
                            fix? </div>
                          <div><br>
                          </div>
                          <div>I was looking at the source and I see
                            this method:</div>
                          <div>
                            <ul style="padding-left:1em;margin:0px auto;color:rgb(0,0,0)">
                              <li style="display:inline"><span title="org.keycloak.adapters.tomcat.CatalinaUserSessionManagement"><font face="monospace, monospace"><br>
                                  </font></span></li>
                            </ul>
                            <ul style="padding-left:1em;margin:0px auto;color:rgb(0,0,0)">
                              <li style="display:inline"><span title="org.keycloak.adapters.tomcat.CatalinaUserSessionManagement"><font face="monospace, monospace">org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.</font></span></li>
                            </ul>
                            <font face="monospace, monospace">logoutSession()</font></div>
                          <div><br>
                          </div>
                          <div>I may test loging the actual exception
                            tomorrow if no one has a clue, but I think
                            it’s probably the exception is being thrown
                            for some reason other than the session no
                            longer existing (it definitely still does).</div>
                          <div><br>
                          </div>
                          <div>Best,</div>
                          <div>Scott</div>
                          <div><br>
                          </div>
                        </div>
                        <br>
                        <fieldset></fieldset>
                        <br>
                      </div>
                    </div>
                    <pre>_______________________________________________
keycloak-user mailing list
<a>keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
                  </blockquote>
                  <br>
                </div>
              </blockquote>
            </div>
            <br>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>