<div dir="ltr">Marek, yes, I should have mentioned I was using Spring Security, sorry about that. We will have some code I can share shortly on how to integrate Spring Security with the adapter.<div><br></div>
<div>That being said, we solved the issue at hand by modifying the Spring Security configuration. If anyone else is having problems with single sign-out, the key part to change in the Spring Security configuration is to disable Spring’s session fixation protection.</div><div><br></div>
<div>This is something that’s on by default in many Spring Security installs and according to the Spring docs it’s intended to:</div><div><br></div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>&quot;Create a new session for the newly authenticated user if they already have a session (as a defence against session-fixation protection attacks), and copies their session attributes across to the new session.&quot;</div></div></blockquote><div><div><br></div></div>
<div>So in Spring Security config, &quot;sessionFixation().none()&quot; must be set:</div><div><br></div>
<pre>@Override
protected void configure(HttpSecurity http) throws Exception {
    // Keep the session the Keycloak adapter created; do not migrate to a new one on login
    http.sessionManagement().sessionFixation().none();
}</pre><div><br></div>
<div>Here’s the flow if you don’t disable this:</div>
<div>1. User accesses Resource Server (Spring secured)</div>
<div>2. User redirected by Keycloak agent to Keycloak auth server</div>
<div>3. Successful login redirects back to Resource Server</div>
<div>4. Agent creates a session</div>
<div>5. Spring authentication invoked (how depends on integration method but irrelevant here)</div>
<div>6. Spring, to prevent session fixation, creates a new session, copying all attributes from the Keycloak-created session</div><div><br></div>
<div>Because of this, the authentication continues to function. However, on single sign-out, the Keycloak agent tries to invalidate the wrong session (Spring deleted it).</div><div><br></div>
<div>Hope that helps. Will be happy to share a full set of findings and a working Spring configuration once we get things all worked out.</div><div><br></div><div>Best,</div><div>Scott</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 7, 2015 at 3:38 AM, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  <div bgcolor="#FFFFFF" text="#000000">
    <div>So you&#39;re using spring security? This
      is quite an important detail, which you didn&#39;t mention before...<br>
      <br>
      Yeah, it depends on what Spring Security is doing regarding
      sessions. You can try our demo applications customer-portal +
      product-portal. Those are simple servlet applications. If you&#39;re
      not seeing issues with them, but still seeing the issue with your
      Spring Security app, then we know that the issue might be related
      to Spring Security.<br>
      <br>
      If you manage to have it working with Spring Security, it would be
      cool if you can share the details here. We had some questions
      related to Spring Security in the past. If you manage to secure
      Spring Security with our adapter, it could be a good reference for
      the future.<br>
      <br>
      Thanks,<br>
      Marek<div><div class="h5"><br>
      <br>
      On 3.4.2015 22:22, Scott Rossillo wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">Update on issue 1, <span style="font-size:13px">Log
          user out from KC console:</span>
        <div>It appears this is due to Spring security creating a new
          session and migrating data into it but KC knows nothing
          about this. There’s a way to disable this behavior in Spring
          Security and I’m going to take that path.  This should be a
          non-issue.</div>
        <div><br>
        </div>
        <div>~ Scott</div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Apr 3, 2015 at 3:21 PM, Scott
          Rossillo <span dir="ltr">&lt;<a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">Ok, so a few followups. Just to be clear,
              here’s what I’m trying to do and the outcomes of each
              against 1.2.0.Beta1:
              <div><br>
              </div>
              <div>1. (Original scenario) Log user out from KC console
                (Users &gt; [user] Sessions). </div>
              <div>Result: This still fails with the exception,
                &quot;org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession
                Session not present or already invalidated.”</div>
              <div><br>
              </div>
              <div>The exception thrown here is an NPE
                as manager.findSession(httpSessionId) failed to find the
                session. Interestingly, the session is still valid and
                the ID passed into the manager is correct. Furthermore,
                while debugging I can see that manager.findSession()
                looks up the session in a hash map. Interestingly, the
                session id (key) is there, but the value (session) is
                null.  Maybe this is a Tomcat bug.  Using Tomcat 8.0.18,
                will test with 8.0.21.</div>
              <div><br></div>
              <div>2. (Second scenario) Application logout.</div>
              <div>Documentation 8.10. Logout (<a href="http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152" target="_blank">http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152</a>)
                says you can either call HttpServletRequest.logout() or
                redirect to http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri.</div>
              <div><br>
              </div>
              <div>However, you have to do both. </div>
              <div><br>
              </div>
              <div>Call only .logout() and the KC token is still valid
                and user can access app with a new session (it will just
                redirect to KC, see KC session is valid and grant
                access).</div>
              <div><br>
              </div>
              <div>Call only auth-server/…/logout and the Tomcat session
                remains valid. I would have thought that calling the
                auth-server’s logout endpoint would broadcast logout
                events to logged in applications, but it doesn’t.</div>
              <div><br>
              </div>
              <div>I’ll file a JIRA for the second case and continue
                investigating the first scenario with a newer Tomcat
                release.</div>
              <div><br>
              </div>
              <div>Best,</div>
              <div>Scott</div>
            </div>
            <div>
              <div>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Fri, Apr 3, 2015 at 1:42
                    AM, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000">
                        <div>Sure, maybe an even easier alternative is to
                          try a debugger. You can add this to the
                          beginning of $TOMCAT_HOME/bin/catalina.sh:<br>
                          <br>
                          JAVA_OPTS=&quot;$JAVA_OPTS
                          -agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n&quot;<br>
                          <br>
                          then start Tomcat and remotely connect to
                          it from your IDE. You will need the IDE open
                          with the Keycloak sources though. <br>
                          <br>
                          I&#39;ve changed the code to display the exception
                          stacktrace, but it will be available in next
                          release (not yet in 1.2.0.Beta1 released
                          yesterday)<span><font color="#888888"><br>
                              <br>
                              Marek</font></span>
                          <div>
                            <div><br>
                              <br>
                              On 3.4.2015 01:30, Scott Rossillo wrote:<br>
                            </div>
                          </div>
                        </div>
                        <div>
                          <div>
                            <blockquote type="cite">Still no luck using
                              Tomcat 8 and Keycloak 1.2.0.Beta1. 
                              <div><br>
                              </div>
                              <div>I will install a custom built agent
                                tomorrow to catch the actual exception
                                to see what&#39;s up.</div>
                              <div><br>
                              </div>
                              <div><br>
                                On Thursday, April 2, 2015, Scott
                                Rossillo &lt;<a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a>&gt;

                                wrote:<br>
                                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                  <div dir="ltr">Hi,
                                    <div><br>
                                    </div>
                                    <div>Thanks for the reply.<br>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div>I was trying to log a user out
                                      from the Keycloak admin console. I
                                      will try the redirect method and
                                      see if it works.</div>
                                    <div><br>
                                    </div>
                                    <div>Also, I’m using 1.1.0.Final. I
                                      will upgrade to 1.2.0.Beta1 and
                                      report if the issue is still
                                      occurring. </div>
                                    <div><br>
                                    </div>
                                    <div>Best,</div>
                                    <div>Scott</div>
                                    <div> </div>
                                  </div>
                                  <div class="gmail_extra"><br>
                                    <div class="gmail_quote">On Thu, Apr
                                      2, 2015 at 10:23 AM, Marek Posolda
                                      <span dir="ltr">&lt;<a>mposolda@redhat.com</a>&gt;</span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                        <div bgcolor="#FFFFFF" text="#000000">
                                          <div>Hi,<br>
                                            <br>
                                            I&#39;ve tried with Apache
                                            Tomcat 6.0.35 but wasn&#39;t
                                            able to reproduce with
                                            latest Keycloak 1.2.0.Beta1.
                                            Logout works fine for me.<br>
                                            <br>
                                            How are you doing logout?
                                            From the application or from
                                            the KC admin console? For
                                            Tomcat 6, the
                                            httpServletRequest.logout()
                                            method is not yet available,
                                            so the best option for logout
                                            from the application is
                                            redirecting to the Keycloak
                                            logout URL, similarly to our
                                            demo example: <a href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14" target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14</a><br>
                                            <br>
                                            You can also enable debug
                                            logging, which should show
                                            some additional messages in
                                            the log by adding this line
                                            into
                                            $TOMCAT_HOME/conf/logging.properties:<br>
                                            <br>
                                            org.keycloak.level = FINE<br>
                                            <br>
                                            Marek
                                            <div>
                                              <div><br>
                                                <br>
                                                <br>
                                                On 2.4.2015 01:37, Scott
                                                Rossillo wrote:<br>
                                              </div>
                                            </div>
                                          </div>
                                          <blockquote type="cite">
                                            <div>
                                              <div>
                                                <div dir="ltr">Hi all,
                                                  <div><br>
                                                  </div>
                                                  <div>I’m running
                                                    Keycloak 1.1.0-Final
                                                    in standalone mode
                                                    and using Keycloak
                                                    agents on Tomcat 6
                                                    and Tomcat 8.<br>
                                                    <div><br>
                                                    </div>
                                                    <div>With both
                                                      agents, whenever I
                                                      try to log a user
                                                      out via the
                                                      Keycloak server, I
                                                      see this in the
                                                      Tomcat server’s
                                                      log:</div>
                                                  </div>
                                                  <div><br>
                                                  </div>
                                                  <div>
                                                    <div>Apr 01, 2015
                                                      7:27:47 PM
                                                      org.keycloak.adapters.tomcat.CatalinaUserSessionManagement
                                                      logoutSession</div>
                                                    <div>WARN: Session
                                                      not present or
                                                      already
                                                      invalidated.</div>
                                                  </div>
                                                  <div><br>
                                                  </div>
                                                  <div>The session is
                                                    still valid and
                                                    continues to be
                                                    valid for some
                                                    period of time in
                                                    each of the Tomcat
                                                    instances. Anyone
                                                    know how to fix? </div>
                                                  <div><br>
                                                  </div>
                                                  <div>I was looking at
                                                    the source and I see
                                                    this method:</div>
                                                  <div>
                                                    <font face="monospace, monospace">org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession()</font></div>
                                                  <div><br>
                                                  </div>
                                                  <div>I may test logging
                                                    the actual exception
                                                    tomorrow if no one
                                                    has a clue, but I
                                                    think the exception
                                                    is probably being
                                                    thrown for some
                                                    reason other than
                                                    the session no
                                                    longer existing (it
                                                    definitely still
                                                    does).</div>
                                                  <div><br>
                                                  </div>
                                                  <div>Best,</div>
                                                  <div>Scott</div>
                                                  <div><br>
                                                  </div>
                                                </div>
                                              </div>
                                            </div>
                                            <pre>_______________________________________________
keycloak-user mailing list
<a>keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
                                          </blockquote>
                                          <br>
                                        </div>
                                      </blockquote>
                                    </div>
                                    <br>
                                  </div>
                                </blockquote>
                              </div>
                            </blockquote>
                            <br>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
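<div>Added example, not code from this thread or from the Keycloak project: a Spring Security configuration that applies the session-fixation change Scott describes, plus a logout servlet that performs both steps the thread found necessary for application-initiated logout (invalidate the local container session, then redirect to the Keycloak logout endpoint documented for 1.2.0.Beta1). The class names <code>AppSecurityConfig</code> and <code>KeycloakLogoutServlet</code>, the auth-server host, the realm name and the post-logout URI are placeholders chosen here; the adapter integration with Spring authentication (step 5 in Scott's flow) is not shown because the thread does not describe it. Caveat: <code>sessionFixation().none()</code> removes Spring's own session-ID rotation at login, so the application is relying on the session the Keycloak adapter creates after the redirect from the auth server; the thread does not establish whether the adapter rotates that ID itself, so verify this in your own setup before relying on it.</div>

```java
import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Spring Security configuration for an app fronted by the Keycloak Tomcat adapter.
 * Example code, not from the thread. Shown in one file with the servlet below;
 * in a project each class lives in its own file (only one public class per file).
 */
@Configuration
@EnableWebSecurity
class AppSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The adapter creates the HttpSession after the redirect back from Keycloak
            // (step 4 in the thread) and later looks that session up by its ID for
            // single sign-out. Spring's default behaviour would copy the attributes
            // into a brand-new session and drop the adapter's, so the later
            // logoutSession() call finds nothing. none() keeps the adapter's session.
            .sessionManagement()
                .sessionFixation().none()
                .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}

/**
 * Application-initiated logout. The thread found that neither step alone is enough:
 * request.logout() only clears the container/adapter session, and the Keycloak logout
 * URL only ends the SSO session. Host, realm and redirect target are placeholders.
 */
@WebServlet("/logout")
public class KeycloakLogoutServlet extends HttpServlet {

    // Assumed values; replace with the real auth server, realm and post-logout page.
    private static final String AUTH_SERVER = "http://auth-server/auth";
    private static final String REALM = "demo";
    private static final String POST_LOGOUT_URI = "http://localhost:8080/app/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Step 1: end the local session. request.logout() is Servlet 3.0+; the thread
        // notes Tomcat 6 lacks it, so invalidating the HttpSession is the fallback.
        try {
            req.logout();
        } catch (ServletException e) {
            // logout() is not supported by every container/authenticator combination
        }
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Step 2: end the SSO session at Keycloak and let it send the browser back.
        resp.sendRedirect(buildKeycloakLogoutUrl(POST_LOGOUT_URI));
    }

    /** Builds the 1.2.0.Beta1-era logout URL cited in the thread, with the redirect URI encoded. */
    static String buildKeycloakLogoutUrl(String redirectUri) throws IOException {
        return AUTH_SERVER + "/realms/" + REALM + "/tokens/logout?redirect_uri="
                + URLEncoder.encode(redirectUri, "UTF-8");
    }
}
```

<div>Map the servlet at a path the Keycloak adapter also protects so that <code>request.logout()</code> runs against the authenticated session; if the adapter is not in front of the path, only the Keycloak redirect has any effect.</div>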