I''m looking at the code and there is serialization code to re-create the token object from a string in KeycloakSecurityContext.

private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
    in.defaultReadObject();

    token = parseToken(tokenString, AccessToken.class);
    idToken = parseToken(idTokenString, IDToken.class);
}



On 7/7/16 7:05 PM, LEONARDO NUNES wrote:
Hi everyone, 

An application is deployed using Servlet Filter Adapter at 2 Tomcats in which are saving sessions to 1 Memcached. There's a Nginx load balancer with sticky session in front of both Tomcats.

After log in to the application if one Tomcat goes down or is removed from the load balancer we get the exception below. The problem occur using Servlet Filter Adapter, it works with Tomcat Adapter but we can't use it for some of our applications.

java.lang.NullPointerException
org.keycloak.KeycloakSecurityContext.getRealm(KeycloakSecurityContext.java:73)
org.keycloak.adapters.RefreshableKeycloakSecurityContext.refreshExpiredToken(RefreshableKeycloakSecurityContext.java:103)
org.keycloak.adapters.servlet.OIDCFilterSessionStore.checkCurrentToken(OIDCFilterSessionStore.java:87)
org.keycloak.adapters.servlet.KeycloakOIDCFilter.doFilter(KeycloakOIDCFilter.java:145)


1. Access a restricted page of the application
2. Nginx will direct to Tomcat1 (because of sticky session next requests will go to Tomcat1)
3. You will be redirected to Keycloak Login page
4. After login, Keycloak redirects back to the restricted page
(Note: this session is already saved to memcached)
5. At Nginx disable Tomcat1 server
6. At the browser refresh the application page
7. Now the request will go to Tomcat2 server
8. The session is retrieved from memcached
9. An exception is thrown because token is null inside of KeycloakSecurityContext.getRealm()
(Note: sometimes at this step the restricted page is displayed, but if I refresh the page the exception is thrown)


I've opened the issue ticket below:
https://issues.jboss.org/browse/KEYCLOAK-3288


-- 
Leonardo Nunes
Esta mensagem pode conter informação confidencial e/ou privilegiada. Se você não for o destinatário ou a pessoa autorizada a receber esta mensagem, não poderá usar, copiar ou divulgar as informações nela contidas ou tomar qualquer ação baseada nessas informações. Se você recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua cooperação.

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user