<div dir="ltr">Marek, yes, I should have mentioned I was using Spring Security, sorry about that. We will have some code I can share shortly on how to integrate Spring Security with the adapter.<div><br></div><div>That being said, we solved the issue at hand by modifying the Spring Security configuration. If anyone else is having problems with single sign-out, the key part to change in the Spring Security configuration is to disable Spring’s session fixation protection.</div><div><br></div><div>This is something that’s on by default in many Spring Security installs and according to the Spring docs it’s intended to:</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>"Create a new session for the newly authenticated user if they already have a session (as a defence against session-fixation protection attacks), and copies their session attributes across to the new session."</div></div></blockquote><div><div><br></div></div><div>So in Spring Security config, "sessionFixation().none()" must be set:</div><div><br></div><pre>protected void configure(HttpSecurity http) throws Exception {
    // sessionFixation() is reached through the session-management configurer, not HttpSecurity itself
    http.sessionManagement().sessionFixation().none();
}</pre><div><br></div><div>Here’s the flow if you don’t disable this:</div><div>1. User accesses Resource Server (Spring Secured)</div><div>2. User is redirected by Keycloak agent to Keycloak auth server</div><div>3. Successful login redirects back to Resource Server</div><div>4. Agent creates a session</div><div>5. Spring authentication invoked (how depends on integration method but irrelevant here)</div><div>6. Spring - to prevent session fixation - creates a new session, copying all attributes from the Keycloak-created session</div><div><br></div><div>Because of this, the authentication continues to function. However, on single sign-out, the Keycloak agent tries to invalidate the wrong session (Spring deleted it).</div><div><br></div><div>Hope that helps. 
Will be happy to share a full set of findings and a working Spring configuration once we get things all worked out.</div><div><br></div><div>Best,</div><div>Scott</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 7, 2015 at 3:38 AM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>So you're using spring security? This
is quite an important detail, which you didn't mention before...<br>
<br>
Yeah, it depends on what Spring Security is doing
regarding sessions. You can try our demo applications
customer-portal + product-portal. Those are simple servlet
applications. If you're not seeing issues with them, but still
seeing the issue with your Spring Security app, then we know that the
issue might be related to Spring Security.<br>
<br>
If you manage to have it working with Spring Security, it would be
cool if you can share the details here. We had some questions
related to Spring Security in the past. If you manage to secure
Spring Security with our adapter, it could be a good reference for
the future.<br>
<br>
Thanks,<br>
Marek<div><div class="h5"><br>
<br>
On 3.4.2015 22:22, Scott Rossillo wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">Update on issue 1, <span style="font-size:13px">Log
user out from KC console:</span>
<div>It appears this is due to Spring security creating a new
session and migrating data into it but KC knows nothing
about this. There’s a way to disable this behavior in Spring
Security and I’m going to take that path. This should be a
non-issue.</div>
<div><br>
</div>
<div>~ Scott</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 3, 2015 at 3:21 PM, Scott
Rossillo <span dir="ltr"><<a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Ok, so a few followups. Just to be clear,
here’s what I’m trying to do and the outcomes of each
against 1.2.0.Beta1:
<div><br>
</div>
<div>1. (Original scenario) Log user out from KC console
(Users > [user] Sessions). </div>
<div>Result: This still fails with the exception,
"org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession
Session not present or already invalidated."</div>
<div><br>
</div>
<div>The exception thrown here is an NPE
as manager.findSession(httpSessionId) failed to find the
session. Interestingly, the session is still valid and
the ID passed into the manager is correct. Furthermore,
while debugging I can see that manager.findSession()
looks up the session in a hash map. Interestingly, the
session id (key) is there, but the value (session) is
null. Maybe this is a Tomcat bug. Using Tomcat 8.0.18,
will test with <span style="color:rgb(0,0,0);white-space:pre-wrap">8.0.21.</span></div>
<div><span style="color:rgb(0,0,0);white-space:pre-wrap"><br>
</span></div>
<div><span style="color:rgb(0,0,0);white-space:pre-wrap">2.
(Second scenario) Application logout.</span></div>
<div><span style="color:rgb(0,0,0);white-space:pre-wrap">Documentation
</span><font color="#000000"><span style="white-space:pre-wrap">8.10. Logout (</span></font><a href="http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152" target="_blank">http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152</a>)
says you can either call HttpServletRequest.logout() or
redirect to
http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri.</div>
<div><br>
</div>
<div>However, you have to do both. </div>
<div><br>
</div>
<div>Call only .logout() and the KC token is still valid
and user can access app with a new session (it will just
redirect to KC, see KC session is valid and grant
access).</div>
<div><br>
</div>
<div>Call only auth-server/…/logout and the Tomcat session
remains valid. I would have thought that calling the
auth-server’s logout endpoint would broadcast logout
events to logged in applications, but it doesn’t.</div>
<div><br>
</div>
<div>I’ll file a JIRA for the second case and continue
investigating the first scenario with a newer Tomcat
release.</div>
<div><br>
</div>
<div>Best,</div>
<div>Scott</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 3, 2015 at 1:42
AM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Sure, maybe an even easier alternative is to
try a debugger. You can add this to the
beginning of $TOMCAT_HOME/bin/catalina.sh:<br>
<br>
JAVA_OPTS="$JAVA_OPTS
-agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n"<br>
<br>
then start Tomcat and then remotely connect to
it from your IDE. You will need an open IDE
with the Keycloak sources though. <br>
<br>
I've changed the code to display the exception
stacktrace, but it will be available in the next
release (not yet in 1.2.0.Beta1, released
yesterday)<span><font color="#888888"><br>
<br>
Marek</font></span>
<div>
<div><br>
<br>
On 3.4.2015 01:30, Scott Rossillo wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">Still no luck using
Tomcat 8 and Keycloak 1.2.0.Beta1.
<div><br>
</div>
<div>I will install a custom built agent
tomorrow to catch the actual exception
to see what's up.</div>
<div><br>
</div>
<div><br>
On Thursday, April 2, 2015, Scott
Rossillo <<a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a>>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi,
<div><br>
</div>
<div>Thanks for the reply.<br>
</div>
<div><br>
</div>
<div>I was trying to log a user out
from the Keycloak admin console. I
will try the redirect method and
see if it works.</div>
<div><br>
</div>
<div>Also, I’m using 1.1.0.Final. I
will upgrade to 1.2.0.Beta1 and
report if the issue is still
occurring. </div>
<div><br>
</div>
<div>Best,</div>
<div>Scott</div>
<div> </div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Apr
2, 2015 at 10:23 AM, Marek Posolda
<span dir="ltr"><<a>mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi,<br>
<br>
I've tried with Apache
Tomcat 6.0.35 but wasn't
able to reproduce with the
latest Keycloak 1.2.0.Beta1.
Logout works fine for me.<br>
<br>
How are you doing logout?
From the application or from
the KC admin console? For
Tomcat 6, the
httpServletRequest.logout()
method is not yet available,
so the best way to log out from the
application is redirecting
to the Keycloak logout URL,
similarly to our demo
example: <a href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14" target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14</a><br>
<br>
You can also enable debug
logging, which should show
some additional messages in
the log by adding this line
into
$TOMCAT_HOME/conf/logging.properties:<br>
<br>
org.keycloak.level = FINE<br>
<br>
Marek
<div>
<div><br>
<br>
<br>
On 2.4.2015 01:37, Scott
Rossillo wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hi all,
<div><br>
</div>
<div>I’m running
Keycloak 1.1.0-Final
in standalone mode
and using Keycloak
agents on Tomcat 6
and Tomcat 8.<br>
<div><br>
</div>
<div>With both
agents, whenever I
try to log a user
out via the
Keycloak server, I
see this in the
Tomcat server’s
log:</div>
</div>
<div><br>
</div>
<div>
<div>Apr 01, 2015
7:27:47 PM
org.keycloak.adapters.tomcat.CatalinaUserSessionManagement
logoutSession</div>
<div>WARN: Session
not present or
already
invalidated.</div>
</div>
<div><br>
</div>
<div>The session is
still valid and
continues to be
valid for some
period of time in
each of the Tomcat
instances. Anyone
know how to fix? </div>
<div><br>
</div>
<div>I was looking at
the source and I see
this method:</div>
<div><font face="monospace, monospace">org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession()</font></div>
<div><br>
</div>
<div>I may test logging
the actual exception
tomorrow if no one
has a clue, but I
think the exception
is probably being
thrown for some
reason other than
the session no
longer existing (it
definitely still
does).</div>
<div><br>
</div>
<div>Best,</div>
<div>Scott</div>
<div><br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a>keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
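<div>A small model of the failure mode described at the top of this thread, added here as an illustration rather than code from the thread or from Keycloak or Spring: a container session store standing in for Tomcat's session manager, an adapter that records the HTTP session id at login (as CatalinaUserSessionManagement does), and Spring's post-authentication step under the "migrateSession" and "none" strategies. All class and function names are hypothetical and the session ids are constructed.</div>

```python
import itertools

class SessionManager:
    """Container session store keyed by HTTP session id (a stand-in for Tomcat's Manager)."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.sessions = {}  # http session id -> attributes
    def create(self, attrs=None):
        sid = f"JSESSIONID-{next(self._ids)}"
        self.sessions[sid] = dict(attrs or {})
        return sid
    def find(self, sid):
        return self.sessions.get(sid)  # None == "Session not present or already invalidated"
    def invalidate(self, sid):
        self.sessions.pop(sid, None)

class KeycloakAdapter:
    """Adapter side: remembers which HTTP session was created for a Keycloak SSO session."""
    def __init__(self, manager):
        self.manager = manager
        self.kc_to_http = {}  # keycloak session id -> http session id recorded at login

    def login(self, kc_session_id):
        sid = self.manager.create({"KEYCLOAK_SECURITY_CONTEXT": kc_session_id})
        self.kc_to_http[kc_session_id] = sid
        return sid

    def backchannel_logout(self, kc_session_id):
        """Single sign-out from the KC server: invalidate the HTTP session recorded at login."""
        sid = self.kc_to_http.get(kc_session_id)
        if sid is None or self.manager.find(sid) is None:
            return False  # the adapter's warning case
        self.manager.invalidate(sid)
        return True

def spring_authenticate(manager, sid, session_fixation="migrateSession"):
    """Spring's post-authentication step for the chosen sessionFixation() strategy (model)."""
    if session_fixation == "none":
        return sid  # keep the session the adapter created
    attrs = manager.find(sid)
    manager.invalidate(sid)  # old session is gone ...
    return manager.create(attrs)  # ... replaced by a new id the adapter never recorded

def sso_logout_outcome(session_fixation):
    """Return (logout_succeeded, http_sessions_still_alive) after a back-channel logout."""
    manager = SessionManager()
    adapter = KeycloakAdapter(manager)
    sid = adapter.login("kc-sso-1")  # constructed sample SSO session id
    spring_authenticate(manager, sid, session_fixation)
    return adapter.backchannel_logout("kc-sso-1"), len(manager.sessions)
```

With "migrateSession" the logout reports the adapter's warning and the migrated session stays alive; with "none" the recorded session is found and invalidated.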