Re: [keycloak-user] User rights after logout

Wednesday, 28 January 2015

Hi,

I've just tried with latest Keycloak on Wildfly but did not see same 
behaviour. Do you have admin URL set in Keycloak admin console for your 
application? How are you doing logout in your application? Are you using 
httpServletRequest.logout() or are you directly logout by access to 
logoutURL like our demo example applications are doing?

Marek

On 28.1.2015 10:38, Christoph Machnik wrote:
...
 Hi all,

 I have a web-application with keycloak. When a user have to log in 
 this user becomes the rights to see the following pages or not. When 
 this user loggs out an a other user loggs in with other rights to see 
 the following pages or not, he becomes the same rights as the first 
 user that logged in.
 In the example i log in with support and just can see the support page 
 in the application, when i logg out an log in with admin i just can 
 see the support page and not the admin page, even though i have the 
 admin role. When i restart the server and first log in as admin i can 
 see the admin- and the support page. When i log out and now log in 
 with support i have the support rule, but nevertheless i can see the 
 admin- and support page.

 Is there any mistake in int web.xml file ? (following):

 <?xml version="1.0" encoding="UTF-8"?>
 <web-app xmlns="http://java.sun.com/xml/ns/javaee"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
 http://java.sun.com/xml/ns/javaee/web-app_3_0.xml"
          version="3.0">

     <module-name>TestWebApp</module-name>

     <security-constraint>
         <web-resource-collection>
 <web-resource-name>Admins</web-resource-name>
 <url-pattern>/views/admin/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name>admin</role-name>
         </auth-constraint>
     </security-constraint>
     <security-constraint>
         <web-resource-collection>
 <web-resource-name>Support</web-resource-name>
 <url-pattern>/views/support/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name>admin</role-name>
             <role-name>support</role-name>
         </auth-constraint>
     </security-constraint>

     <login-config>
         <auth-method>KEYCLOAK</auth-method>
         <realm-name>test</realm-name>
     </login-config>

     <security-role>
         <role-name>admin</role-name>
     </security-role>
     <security-role>
         <role-name>support</role-name>
     </security-role>

 </web-app>

 _______________________________________________
 keycloak-user mailing list
 keycloak-user(a)lists.jboss.org
 https://lists.jboss.org/mailman/listinfo/keycloak-user 

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Re: [keycloak-user] User rights after logout