<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 3.4.2015 21:21, Scott Rossillo
wrote:<br>
</div>
<blockquote
cite="mid:CALAqdu9m1dfTvjx9jL8TWEunR=oBsLBv-R5hO5fLs3y3+f9y3g@mail.gmail.com"
type="cite">
<div dir="ltr">Ok, so a few followups. Just to be clear, here’s
what I’m trying to do and the outcomes of each against
1.2.0.Beta1:
<div><br>
</div>
<div>1. (Original scenario) Log user out from KC console (Users
&gt; [user] Sessions). </div>
<div>Result: This still fails with the exception,
“org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession
Session not present or already invalidated.”</div>
<div><br>
</div>
<div>The exception thrown here is an NPE
as manager.findSession(httpSessionId) failed to find the
session. Interestingly, the session is still valid and the ID
passed into the manager is correct. Furthermore, while
debugging I can see that manager.findSession() looks up the
session in a hash map. Interestingly, the session id (key) is
there, but the value (session) is null. Maybe this is a
Tomcat bug. Using Tomcat 8.0.18, will test with <span
style="color:rgb(0,0,0);white-space:pre-wrap">8.0.21.</span></div>
<div><span style="color:rgb(0,0,0);white-space:pre-wrap"><br>
</span></div>
<div><span style="color:rgb(0,0,0);white-space:pre-wrap">2.
(Second scenario) Application logout.</span></div>
<div><span style="color:rgb(0,0,0);white-space:pre-wrap">Documentation
</span><font color="#000000"><span
style="white-space:pre-wrap">8.10. Logout (</span></font><a
moz-do-not-send="true"
href="http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152">http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152</a>)
says you can either call HttpServletRequest.logout() or
redirect to
http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri.</div>
<div><br>
</div>
<div>However, you have to do both. </div>
<div><br>
</div>
<div>Call only .logout() and the KC token is still valid and
user can access app with a new session (it will just redirect
to KC, see KC session is valid and grant access).</div>
<div><br>
</div>
<div>Call only auth-server/…/logout and the Tomcat session
remains valid. I would have thought that calling the
auth-server’s logout endpoint would broadcast logout events to
logged in applications, but it doesn’t.</div>
</div>
</blockquote>
Actually, auth-server logout should broadcast the logout to all
logged-in applications. Auth-server will do it if you have
configured the "admin URL" for your application in the Keycloak admin
console. Do you have it configured?<br>
<br>
Calling .logout() should ensure redirecting to auth-server, which
will log out the Keycloak user session and then broadcast to logged-in
applications.<br>
<br>
In summary, both .logout() and redirection to auth-server/.../logout
should invalidate both the Keycloak UserSession and all logged-in
application sessions (as long as you have the admin URL configured for
the applications). If any of this doesn't work, it may be a bug.<br>
<br>
Marek<br>
<blockquote
cite="mid:CALAqdu9m1dfTvjx9jL8TWEunR=oBsLBv-R5hO5fLs3y3+f9y3g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>I’ll file a JIRA for the second case and continue
investigating the first scenario with a newer Tomcat release.</div>
<div><br>
</div>
<div>Best,</div>
<div>Scott</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 3, 2015 at 1:42 AM, Marek
Posolda <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Sure, maybe an even easier alternative is to try a
debugger. You can add this to the beginning of
$TOMCAT_HOME/bin/catalina.sh:<br>
<br>
JAVA_OPTS="$JAVA_OPTS
-agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n"<br>
<br>
then start Tomcat and remotely connect to it from
your IDE. You will need an IDE open with the Keycloak sources,
though. <br>
<br>
I've changed the code to display the exception
stack trace, but it will be available in the next release
(not yet in 1.2.0.Beta1, released yesterday)<span
class="HOEnZb"><font color="#888888"><br>
<br>
Marek</font></span>
<div>
<div class="h5"><br>
<br>
On 3.4.2015 01:30, Scott Rossillo wrote:<br>
</div>
</div>
</div>
<div>
<div class="h5">
<blockquote type="cite">Still no luck using Tomcat 8
and Keycloak 1.2.0.Beta1.
<div><br>
</div>
<div>I will install a custom built agent tomorrow to
catch the actual exception to see what's up.</div>
<div><br>
</div>
<div><br>
On Thursday, April 2, 2015, Scott Rossillo &lt;<a
moz-do-not-send="true"
href="mailto:srossillo@smartling.com"
target="_blank">srossillo@smartling.com</a>&gt;
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">Hi,
<div><br>
</div>
<div>Thanks for the reply.<br>
</div>
<div><br>
</div>
<div>I was trying to log a user out from the
Keycloak admin console. I will try the
redirect method and see if it works.</div>
<div><br>
</div>
<div>Also, I’m using 1.1.0.Final. I will
upgrade to 1.2.0.Beta1 and report if the
issue is still occurring. </div>
<div><br>
</div>
<div>Best,</div>
<div>Scott</div>
<div> </div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Apr 2, 2015
at 10:23 AM, Marek Posolda <span dir="ltr">&lt;<a
moz-do-not-send="true">mposolda@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi,<br>
<br>
I've tried with Apache Tomcat 6.0.35
but wasn't able to reproduce with
latest Keycloak 1.2.0.Beta1. Logout
works fine for me.<br>
<br>
How are you doing logout? From the
application or from the KC admin console?
For Tomcat 6, the
httpServletRequest.logout() method is
not yet available, so the best way to log out
from the application is redirecting to the
Keycloak logout URL, similar to
our demo example: <a
moz-do-not-send="true"
href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14"
target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14</a><br>
<br>
You can also enable debug logging,
which should show some additional
messages in the log by adding this
line into
$TOMCAT_HOME/conf/logging.properties:<br>
<br>
org.keycloak.level = FINE<br>
<br>
Marek
<div>
<div><br>
<br>
<br>
On 2.4.2015 01:37, Scott Rossillo
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hi all,
<div><br>
</div>
<div>I’m running Keycloak
1.1.0-Final in standalone mode
and using Keycloak agents on
Tomcat 6 and Tomcat 8.<br>
<div><br>
</div>
<div>With both agents,
whenever I try to log a user
out via the Keycloak server,
I see this in the Tomcat
server’s log:</div>
</div>
<div><br>
</div>
<div>
<div>Apr 01, 2015 7:27:47 PM
org.keycloak.adapters.tomcat.CatalinaUserSessionManagement
logoutSession</div>
<div>WARN: Session not present
or already invalidated.</div>
</div>
<div><br>
</div>
<div>The session is still valid
and continues to be valid for
some period of time in each of
the Tomcat instances. Anyone
know how to fix? </div>
<div><br>
</div>
<div>I was looking at the source
and I see this method:</div>
<div>
<font face="monospace, monospace">org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession()</font></div>
<div><br>
</div>
<div>I may test logging the
actual exception tomorrow if
no one has a clue, but I think
the exception is probably
being thrown for some reason
other than the session no
longer existing (it definitely
still does).</div>
<div><br>
</div>
<div>Best,</div>
<div>Scott</div>
<div><br>
</div>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
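Added example, not part of the original thread and not Keycloak's own code: an application logout servlet that performs both steps discussed above, so the local Tomcat session is gone even if the auth-server's logout broadcast never reaches the application. The class name, AUTH_SERVER, REALM and AFTER_LOGOUT_URI are assumed placeholders; the logout URL format is the one quoted in the thread for 1.2.0.Beta1.<br>

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Needs Servlet 3.0+ (Tomcat 7/8), because
// HttpServletRequest.logout() is not available on Tomcat 6.
public class AppLogoutServlet extends HttpServlet {

    // Assumed placeholder values; replace with those of your deployment.
    private static final String AUTH_SERVER = "http://auth-server/auth";
    private static final String REALM = "example-realm";
    // Fixed constant, never read from a request parameter, so this servlet
    // cannot be used to bounce users to an arbitrary site.
    private static final String AFTER_LOGOUT_URI = "http://app.example.com/";

    // Builds the logout URL in the format quoted in the thread:
    // /realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri
    static String keycloakLogoutUrl(String authServer, String realm, String redirectUri)
            throws IOException {
        return authServer + "/realms/" + realm + "/tokens/logout?redirect_uri="
                + URLEncoder.encode(redirectUri, "UTF-8");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Step 1: drop the container-level authentication for this request.
        req.logout();

        // Step 2: make sure the local Tomcat session does not outlive the logout.
        HttpSession session = req.getSession(false);
        if (session != null) {
            try {
                session.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // Step 1 may already have invalidated it; nothing left to do.
            }
        }

        // Step 3: send the browser to the auth-server so the Keycloak user
        // session ends too; otherwise a new app session is granted silently.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(keycloakLogoutUrl(AUTH_SERVER, REALM, AFTER_LOGOUT_URI));
    }
}
```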
</body>
</html>