<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">So you're using Spring Security? This
is quite an important detail, which you didn't mention before...<br>
<br>
Yeah, it depends on what Spring Security is doing
regarding sessions. You can try our demo applications
customer-portal + product-portal. Those are simple servlet
applications. If you're not seeing issues with them, but are still
seeing the issue with your Spring Security app, then we know that the
issue might be related to Spring Security.<br>
<br>
If you manage to have it working with Spring Security, it would be
cool if you can share the details here. We had some questions
related to Spring Security in the past. If you manage to secure
Spring Security with our adapter, it could be a good reference for
the future.<br>
<br>
Thanks,<br>
Marek<br>
<br>
On 3.4.2015 22:22, Scott Rossillo wrote:<br>
</div>
<blockquote
cite="mid:CALAqdu8B+6FheoQnkTKb1MM+ko_4CKrY=B3ymS7_yOZZ2R4pFg@mail.gmail.com"
type="cite">
<div dir="ltr">Update on issue 1, <span style="font-size:13px">Log
user out from KC console:</span>
<div>It appears this is due to Spring Security creating a new
session and migrating data into it, but KC knows nothing
about this. There’s a way to disable this behavior in Spring
Security and I’m going to take that path. This should be a
non-issue.</div>
<div><br>
</div>
<div>~ Scott</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 3, 2015 at 3:21 PM, Scott
Rossillo <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Ok, so a few followups. Just to be clear,
here’s what I’m trying to do and the outcomes of each
against 1.2.0.Beta1:
<div><br>
</div>
<div>1. (Original scenario) Log user out from KC console
(Users > [user] Sessions). </div>
<div>Result: This still fails with the exception,
"org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession
Session not present or already invalidated."</div>
<div><br>
</div>
<div>The exception thrown here is an NPE
as manager.findSession(httpSessionId) failed to find the
session. Interestingly, the session is still valid and
the ID passed into the manager is correct. Furthermore,
while debugging I can see that manager.findSession()
looks up the session in a hash map. Interestingly, the
session id (key) is there, but the value (session) is
null. Maybe this is a Tomcat bug. Using Tomcat 8.0.18,
will test with <span
style="color:rgb(0,0,0);white-space:pre-wrap">8.0.21.</span></div>
<div><span style="color:rgb(0,0,0);white-space:pre-wrap"><br>
</span></div>
<div><span style="color:rgb(0,0,0);white-space:pre-wrap">2.
(Second scenario) Application logout.</span></div>
<div><span style="color:rgb(0,0,0);white-space:pre-wrap">Documentation
</span><font color="#000000"><span
style="white-space:pre-wrap">8.10. Logout (</span></font><a
moz-do-not-send="true"
href="http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152"
target="_blank">http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152</a>)
says you can either call HttpServletRequest.logout() or
redirect
to http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri.</div>
<div><br>
</div>
<div>However, you have to do both. </div>
<div><br>
</div>
<div>Call only .logout() and the KC token is still valid
and the user can access the app with a new session (it will just
redirect to KC, see the KC session is valid and grant
access).</div>
<div><br>
</div>
<div>Call only auth-server/…/logout and the Tomcat session
remains valid. I would have thought that calling the
auth-server’s logout endpoint would broadcast logout
events to logged in applications, but it doesn’t.</div>
<div><br>
</div>
<div>I’ll file a JIRA for the second case and continue
investigating the first scenario with a newer Tomcat
release.</div>
<div><br>
</div>
<div>Best,</div>
<div>Scott</div>
<div><br>
</div>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 3, 2015 at 1:42
AM, Marek Posolda <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Sure, maybe an even easier alternative is to
try a debugger. You can add this to the
beginning of $TOMCAT_HOME/bin/catalina.sh:<br>
<br>
JAVA_OPTS="$JAVA_OPTS
-agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n"<br>
<br>
then start Tomcat and remotely connect to
it from your IDE. You will need the IDE open
with the Keycloak sources, though. <br>
<br>
I've changed the code to display the exception
stack trace, but it will be available in the next
release (not yet in 1.2.0.Beta1, released
yesterday)<span><font color="#888888"><br>
<br>
Marek</font></span>
<div>
<div><br>
<br>
On 3.4.2015 01:30, Scott Rossillo wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">Still no luck using
Tomcat 8 and Keycloak 1.2.0.Beta1.
<div><br>
</div>
<div>I will install a custom-built agent
tomorrow to catch the actual exception
to see what's up.</div>
<div><br>
</div>
<div><br>
On Thursday, April 2, 2015, Scott
Rossillo &lt;<a moz-do-not-send="true"
href="mailto:srossillo@smartling.com"
target="_blank">srossillo@smartling.com</a>&gt;
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">Hi,
<div><br>
</div>
<div>Thanks for the reply.<br>
</div>
<div><br>
</div>
<div>I was trying to log a user out
from the Keycloak admin console. I
will try the redirect method and
see if it works.</div>
<div><br>
</div>
<div>Also, I’m using 1.1.0.Final. I
will upgrade to 1.2.0.Beta1 and
report if the issue is still
occurring. </div>
<div><br>
</div>
<div>Best,</div>
<div>Scott</div>
<div> </div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Apr
2, 2015 at 10:23 AM, Marek Posolda
<span dir="ltr">&lt;<a
moz-do-not-send="true">mposolda@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div>Hi,<br>
<br>
I've tried with Apache
Tomcat 6.0.35 but wasn't
able to reproduce with
the latest Keycloak 1.2.0.Beta1.
Logout works fine for me.<br>
<br>
How are you doing logout?
From the application or from
the KC admin console? For
Tomcat 6, the
httpServletRequest.logout()
method is not yet available,
so the best way to log out from the
application is redirecting
to the Keycloak logout URL,
similar to our demo
example: <a
moz-do-not-send="true"
href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14"
target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14</a><br>
<br>
You can also enable debug
logging, which should show
some additional messages in
the log by adding this line
into
$TOMCAT_HOME/conf/logging.properties:<br>
<br>
org.keycloak.level = FINE<br>
<br>
Marek
<div>
<div><br>
<br>
<br>
On 2.4.2015 01:37, Scott
Rossillo wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hi all,
<div><br>
</div>
<div>I’m running
Keycloak 1.1.0-Final
in standalone mode
and using Keycloak
agents on Tomcat 6
and Tomcat 8.<br>
<div><br>
</div>
<div>With both
agents, whenever I
try to log a user
out via the
Keycloak server, I
see this in the
Tomcat server’s
log:</div>
</div>
<div><br>
</div>
<div>
<div>Apr 01, 2015
7:27:47 PM
org.keycloak.adapters.tomcat.CatalinaUserSessionManagement
logoutSession</div>
<div>WARN: Session
not present or
already
invalidated.</div>
</div>
<div><br>
</div>
<div>The session is
still valid and
continues to be
valid for some
period of time in
each of the Tomcat
instances. Anyone
know how to fix? </div>
<div><br>
</div>
<div>I was looking at
the source and I see
this method:</div>
<div>
<font face="monospace, monospace">org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession()</font></div>
<div><br>
</div>
<div>I may test logging
the actual exception
tomorrow if no one
has a clue, but I
think the exception is
probably being thrown for
some reason other
than the session no
longer existing (it
definitely still
does).</div>
<div><br>
</div>
<div>Best,</div>
<div>Scott</div>
<div><br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
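<div>Added example, not part of the original thread and not Keycloak, Tomcat or Spring Security code: a simplified Java model of the mismatch described in the update at the top of the thread, where the session is migrated to a new ID after login while the auth server still holds the ID it saw at login. All class, map and method names are hypothetical, and the user "alice" is a constructed sample value.</div>

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Simplified model of the mismatch; not Keycloak, Tomcat or Spring Security code.
// All names here are hypothetical.
public class StaleSessionIdDemo {

    // Stands in for the servlet container's session store: session ID -> attributes.
    static final Map<String, Map<String, Object>> containerSessions = new HashMap<>();

    // Stands in for the auth server's record: user -> session ID reported at login.
    static final Map<String, String> authServerRecord = new HashMap<>();

    static String createSession() {
        String id = UUID.randomUUID().toString();
        containerSessions.put(id, new HashMap<>());
        return id;
    }

    // Session migration after login: new ID, attributes copied, old session removed.
    static String migrateSession(String oldId) {
        String newId = createSession();
        containerSessions.get(newId).putAll(containerSessions.remove(oldId));
        return newId;
    }

    // Admin-initiated logout: the auth server can only name the ID it recorded.
    static boolean adminLogout(String user) {
        String recordedId = authServerRecord.get(user);
        return recordedId != null && containerSessions.remove(recordedId) != null;
    }

    // Returns true if the user's live session survives an admin logout.
    static boolean sessionSurvivesAdminLogout(boolean migrateAfterLogin) {
        containerSessions.clear();
        authServerRecord.clear();
        String liveId = createSession();
        containerSessions.get(liveId).put("principal", "alice"); // constructed sample user
        authServerRecord.put("alice", liveId);                   // ID reported at login
        if (migrateAfterLogin) {
            liveId = migrateSession(liveId); // auth server is never told the new ID
        }
        adminLogout("alice");
        return containerSessions.containsKey(liveId);
    }

    public static void main(String[] args) {
        System.out.println("migration on,  session survives: " + sessionSurvivesAdminLogout(true));
        System.out.println("migration off, session survives: " + sessionSurvivesAdminLogout(false));
    }
}
```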
</body>
</html>