Ah, I was looking directly at the cause at the bottom, and missed the UndertowPreAuthActionsHandler at the beginning of the stack trace.

No idea then. If it's an out-of-the-box proxy install, and it's supposed to just work, then maybe it's a bug.

On Mon, Jul 25, 2016 at 4:41 PM, Manfred Duchrow <manfred.duchrow@caprica.biz> wrote:

Hi,

thanks for your response.

The UndertowPreAuthActionsHandler actually is in the stacktrace. So I don't quite understand what you mean.

The installation is out-of-the-box from the keycloak-proxy-2.0.0.Final.zip.

I was assuming that in UndertowPreAuthActionsHandler#handleRequest() something like the following must happen,
in order to execute the logout action handling in a worker thread:

    public void handleRequest(HttpServerExchange exchange) throws Exception {
        UndertowHttpFacade facade = createFacade(exchange);
        SessionManagementBridge bridge = new SessionManagementBridge(userSessionManagement, sessionManager);
        final PreAuthActionsHandler handler = new PreAuthActionsHandler(bridge, deploymentContext, facade);
        if (exchange.getRequestURI().endsWith(AdapterConstants.K_LOGOUT)) {
          HttpHandler tmpHandler = new HttpHandler()
          {
            @Override
            public void handleRequest(HttpServerExchange exchange) throws Exception
            {
              // Runs on a worker thread. dispatch() returns before this executes,
              // so the rest of the chain has to be continued from here.
              if (handler.handleRequest()) return;
              next.handleRequest(exchange);
            }
          };
          exchange.dispatch(tmpHandler); // This starts the worker thread that allows blocking I/O
          return; // the dispatched handler completes the request; do not call next on the I/O thread
        }
        // All other requests are handled on the current thread as before
        if (handler.handleRequest()) return;
        next.handleRequest(exchange);
    }

Any feedback welcome.

Cheers,
  Manfred


On 25.07.2016 15:35, Marko Strukelj wrote:
Giving a cursory look at KEYCLOAK-3311, and not really knowing this part of the code so I hope I'm not giving you a wrong lead here, but it looks like UndertowPreAuthActionsHandler should already be present in your stacktrace, while currently it is not.

It sounds like the WildFly adapter was not installed correctly.

On Mon, Jul 25, 2016 at 9:26 AM, Manfred Duchrow <manfred.duchrow@caprica.biz> wrote:

Hi,

a few days ago I created the Jira issue KEYCLOAK-3311.

It's about the following exception when the "k_logout" request from the keycloak server is coming in:

IllegalStateException: UT000126: Attempted to do blocking IO from the IO thread. This is prohibited as it may result in deadlocks

Has anybody experienced the same? Is there a workaround?

Currently this error prevents the logout from the secure proxy and therefore the protected
application can still be reached (for a while) even if the user's session on the keycloak server
has been terminated.

Cheers,
   Manfred


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user