<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Thanks for the info. So we can actually
do either:<br>
- Disable sessionFixation in Spring Security<br>
- Provide an endpoint (or reuse the existing refresh token endpoint),
which will allow sending the changed HttpSession ID to the Keycloak
server. There was a very similar request from someone else a couple
of days ago, so probably it's something we should consider
supporting.<br>
<br>
Anyway, it would be cool if you could share instructions and/or an
example of how to integrate Keycloak with Spring Security. It's
good that it works with our adapters without the need to change
anything in them.<br>
<br>
Thanks!<br>
Marek<br>
<br>
On 8.4.2015 01:29, Scott Rossillo wrote:<br>
</div>
<blockquote
cite="mid:CALAqdu9FSg228uGWPY7H1zo=jKN9UREn3MdG=+A1+CBZB8R4CQ@mail.gmail.com"
type="cite">
<div dir="ltr">Marek, yes, I should have mentioned I was using Spring Security, sorry about that. We will have some code I can share shortly on how to integrate Spring Security with the adapter.
<div><br>
</div>
<div>That being said, we solved the issue at hand by modifying the Spring Security configuration. If anyone else is having problems with single sign-out, the key part to change in the Spring Security configuration is to disable Spring’s session fixation protection.</div>
<div><br>
</div>
<div>This is something that’s on by default in many Spring Security installs and according to the Spring docs it’s intended to:</div>
<div><br>
</div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>"Create a new session for the newly authenticated user if they already have a session (as a defence against session-fixation protection attacks), and copies their session attributes across to the new session."</div>
</blockquote>
<div><br>
</div>
<div>So in the Spring Security config, "sessionFixation().none()" must be set:</div>
<div><br>
</div>
<pre>@Override
protected void configure(HttpSecurity http) throws Exception {
    // sessionFixation() is reached through sessionManagement() on HttpSecurity;
    // none() keeps the HttpSession the Keycloak adapter created at login
    http.sessionManagement().sessionFixation().none();
}</pre>
<div><br>
</div>
<div>Here’s the flow if you don’t disable this:</div>
<div>1. User accesses Resource Server (Spring Secured)</div>
<div>2. User redirected by Keycloak agent to Keycloak auth server</div>
<div>3. Successful login redirects back to Resource Server</div>
<div>4. Agent creates a session</div>
<div>5. Spring authentication invoked (how depends on integration method but irrelevant here)</div>
<div>6. Spring - to prevent session fixation - creates a new session, copying all attributes from the Keycloak-created session</div>
<div><br>
</div>
<div>Because of this, the authentication continues to function. However, on single sign-out, the Keycloak agent tries to invalidate the wrong session (Spring deleted it).</div>
<div><br>
</div>
<div>Hope that helps. Will be happy to share a full set of findings and a working Spring configuration once we get things all worked out.</div>
<div><br>
</div>
<div>Best,</div>
<div>Scott</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Apr 7, 2015 at 3:38 AM, Marek
Posolda <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>So you're using Spring Security? This is quite an
important detail, which you didn't mention before...<br>
<br>
Yeah, it depends on what Spring Security is doing regarding
sessions. You can try our demo applications customer-portal +
product-portal. Those are simple servlet applications. If you're
not seeing issues with them, but still seeing the issue with your
Spring Security app, then we know that the issue might be related
to Spring Security.<br>
<br>
If you manage to have it working with Spring Security, it would
be cool if you could share the details here. We had some
questions related to Spring Security in the past. If you manage
to secure Spring Security with our adapter, it could be a good
reference for the future.<br>
<br>
Thanks,<br>
Marek
<div>
<div class="h5"><br>
<br>
On 3.4.2015 22:22, Scott Rossillo wrote:<br>
</div>
</div>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">Update on issue 1, <span
style="font-size:13px">Log user out from KC
console:</span>
<div>It appears this is due to Spring Security creating a new session and migrating data into it, but KC knows nothing about this. There’s a way to disable this behavior in Spring Security and I’m going to take that path. This should be a non-issue.</div>
<div><br>
</div>
<div>~ Scott</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 3, 2015 at
3:21 PM, Scott Rossillo <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:srossillo@smartling.com"
target="_blank">srossillo@smartling.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">Ok, so a few followups. Just to be clear, here’s what I’m trying to do and the outcomes of each against 1.2.0.Beta1:
<div><br>
</div>
<div>1. (Original scenario) Log user out from KC console (Users > [user] Sessions).</div>
<div>Result: This still fails with the exception, "org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession Session not present or already invalidated."</div>
<div><br>
</div>
<div>The exception thrown here is an NPE as manager.findSession(httpSessionId) failed to find the session. Interestingly, the session is still valid and the ID passed into the manager is correct. Furthermore, while debugging I can see that manager.findSession() looks up the session in a hash map. Interestingly, the session id (key) is there, but the value (session) is null. Maybe this is a Tomcat bug. Using Tomcat 8.0.18, will test with 8.0.21.</div>
<div><br>
</div>
<div>2. (Second scenario) Application logout.</div>
<div>Documentation 8.10. Logout (<a moz-do-not-send="true" href="http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152" target="_blank">http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152</a>) says you can either call HttpServletRequest.logout() or redirect to http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri.</div>
<div><br>
</div>
<div>However, you have to do both.</div>
<div><br>
</div>
<div>Call only .logout() and the KC token is still valid and the user can access the app with a new session (it will just redirect to KC, see the KC session is valid and grant access).</div>
<div><br>
</div>
<div>Call only auth-server/…/logout and the Tomcat session remains valid. I would have thought that calling the auth-server’s logout endpoint would broadcast logout events to logged in applications, but it doesn’t.</div>
<div><br>
</div>
<div>I’ll file a JIRA for the second case and continue investigating the first scenario with a newer Tomcat release.</div>
<div><br>
</div>
<div>Best,</div>
<div>Scott</div>
<div><br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 3,
2015 at 1:42 AM, Marek Posolda <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div>Sure, maybe an even easier alternative is to try a debugger. You can add this to the beginning of $TOMCAT_HOME/bin/catalina.sh:<br>
<br>
JAVA_OPTS="$JAVA_OPTS -agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n"<br>
<br>
then start Tomcat and then remotely connect to it from your IDE. You will need an open IDE with the Keycloak sources though.<br>
<br>
I've changed the code to display the exception stacktrace, but it will be available in the next release (not yet in 1.2.0.Beta1, released yesterday).<span><font color="#888888"><br>
<br>
Marek</font></span>
<div>
<div><br>
<br>
On 3.4.2015 01:30, Scott
Rossillo wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">Still no luck using Tomcat 8 and Keycloak 1.2.0.Beta1.
<div><br>
</div>
<div>I will install a custom built agent tomorrow to catch the actual exception to see what's up.</div>
<div><br>
</div>
<div><br>
On Thursday, April 2, 2015, Scott Rossillo <<a moz-do-not-send="true" href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a>> wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div dir="ltr">Hi,
<div><br>
</div>
<div>Thanks for the reply.<br>
</div>
<div><br>
</div>
<div>I was trying to log a user out from the Keycloak admin console. I will try the redirect method and see if it works.</div>
<div><br>
</div>
<div>Also, I’m using 1.1.0.Final. I will upgrade to 1.2.0.Beta1 and report if the issue is still occurring.</div>
<div><br>
</div>
<div>Best,</div>
<div>Scott</div>
</div>
<div class="gmail_extra"><br>
<div
class="gmail_quote">On
Thu, Apr 2, 2015 at
10:23 AM, Marek
Posolda <span
dir="ltr"><<a
moz-do-not-send="true">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0
0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div
bgcolor="#FFFFFF"
text="#000000">
<div>Hi,<br>
<br>
I've tried with Apache Tomcat 6.0.35 but wasn't able to reproduce with the latest Keycloak 1.2.0.Beta1. Logout works fine for me.<br>
<br>
How are you doing logout? From the application or from the KC admin console? For Tomcat 6, the httpServletRequest.logout() method is not yet available, so the best way to log out from the application is redirecting to the Keycloak logout URL, similarly to our demo example: <a moz-do-not-send="true" href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14" target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14</a><br>
<br>
You can also enable debug logging, which should show some additional messages in the log, by adding this line into $TOMCAT_HOME/conf/logging.properties:<br>
<br>
org.keycloak.level = FINE<br>
<br>
Marek
<div>
<div><br>
<br>
<br>
On 2.4.2015
01:37, Scott
Rossillo
wrote:<br>
</div>
</div>
</div>
<blockquote
type="cite">
<div>
<div>
<div dir="ltr">Hi all,
<div><br>
</div>
<div>I’m running Keycloak 1.1.0-Final in standalone mode and using Keycloak agents on Tomcat 6 and Tomcat 8.<br>
<div><br>
</div>
<div>With both agents, whenever I try to log a user out via the Keycloak server, I see this in the Tomcat server’s log:</div>
</div>
<div><br>
</div>
<div>
<div>Apr 01, 2015 7:27:47 PM org.keycloak.adapters.tomcat.CatalinaUserSessionManagement logoutSession</div>
<div>WARN: Session not present or already invalidated.</div>
</div>
<div><br>
</div>
<div>The session is still valid and continues to be valid for some period of time in each of the Tomcat instances. Anyone know how to fix?</div>
<div><br>
</div>
<div>I was looking at the source and I see this method:</div>
<div><font face="monospace, monospace">org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession()</font></div>
<div><br>
</div>
<div>I may test logging the actual exception tomorrow if no one has a clue, but I think it’s probably that the exception is being thrown for some reason other than the session no longer existing (it definitely still does).</div>
<div><br>
</div>
<div>Best,</div>
<div>Scott</div>
<div><br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
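<div>As an added example, not code from the thread, from Keycloak or from Spring, the following puts together the Spring Security change Scott describes (keeping the HttpSession the Keycloak adapter created, so single sign-out targets the right session) and the two-step application logout from his earlier message (HttpServletRequest.logout() followed by a redirect to the Keycloak logout URL). It assumes Spring Security 3.2/4.x Java configuration, a Servlet 3.0 container such as Tomcat 8 where HttpServletRequest.logout() exists, and placeholder values for the auth server base URL and realm name; the class and controller names are invented for the example.</div>

```java
import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

/**
 * Added example (not from the thread or the Keycloak project).
 * Assumes Spring Security 3.2/4.x Java configuration and that the
 * Keycloak Tomcat adapter has already authenticated the request.
 */
@Configuration
@EnableWebSecurity
public class KeycloakSpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .sessionManagement()
                // Spring's default, migrateSession(), creates a fresh HttpSession on
                // authentication (step 6 of the flow) and copies attributes into it.
                // The Keycloak adapter still holds the id of the session it created in
                // step 4, so single sign-out would later target a session the container
                // has already dropped. none() keeps the adapter's session, at the price
                // of giving up Spring's own fixation defence for this application.
                .sessionFixation().none();
    }
}

/**
 * Application-initiated logout doing both steps the thread found necessary:
 * end the local container session, then end the Keycloak SSO session.
 */
@Controller
class KeycloakLogoutController {

    // Placeholder values; substitute the real auth server URL and realm name.
    private static final String AUTH_SERVER_BASE = "http://auth-server/auth";
    private static final String REALM = "realm-name";

    @RequestMapping("/logout")
    public void logout(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Step 1: local logout. On a Servlet 3.0 container the adapter hooks
        // HttpServletRequest.logout() and invalidates the Tomcat session.
        // Without this, the container session stays valid after the SSO logout.
        request.logout();

        // Step 2: global logout. Without this, the Keycloak SSO session stays
        // valid and the next request simply re-authenticates the user.
        String returnTo = request.getScheme() + "://" + request.getServerName()
                + ":" + request.getServerPort() + request.getContextPath() + "/";
        String logoutUrl = AUTH_SERVER_BASE + "/realms/" + REALM
                + "/tokens/logout?redirect_uri=" + URLEncoder.encode(returnTo, "UTF-8");
        response.sendRedirect(logoutUrl);
    }
}
```

<div>sessionFixation().none() trades Spring's session-migration defence for a session id the adapter can still find on sign-out; Marek's second option in this thread, an endpoint through which the application reports the changed HttpSession ID to the Keycloak server, is the route that would let the Spring default stay on. The redirect_uri passed to the logout endpoint must be a URL the Keycloak client is allowed to redirect to.</div>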
<br>
</body>
</html>