Hello,
I'm using 1.7.0 final integrated with Spring Security (which itself is
integrated into Grails) using the OpenID Connect method. I've been kind of
stuck with single (back-channel, k_logout) logout for a while.
It seems it's handled by the preAuthActions filter, which simply
invalidates local sessions via a call to an injected HttpSessionManager.
This manager stores active sessions in its instance and puts/removes them
in reaction to HttpSessionEvent.
It looks like the HttpSessionManager has to be registered as a JEE listener
in order to receive HttpSessionEvents. However, then you end up with two
different instances - the listener and the bean in preAuthActions. Thus the
invalidation process can't reach the sessions stored in the listener's
instance and can't invalidate them at all.
A big sorry if I'm missing something very obvious.
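
The two-instance situation described in the message above, reduced to a stand-alone sketch. This is an added example, not part of the original post and not the adapter's code. `SessionRegistry` and `FakeSession` are hypothetical stand-ins for a session manager that keeps its registry in instance state and for an HTTP session, and the session ids are constructed.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class TwoRegistriesDemo {
    // Hypothetical stand-in for an HTTP session: only the invalidated flag matters here.
    static class FakeSession {
        final String id;
        boolean invalidated;
        FakeSession(String id) { this.id = id; }
    }

    // Hypothetical stand-in for a session manager whose registry is per-instance state.
    static class SessionRegistry {
        private final Map<String, FakeSession> sessions = new ConcurrentHashMap<>();
        void sessionCreated(FakeSession s) { sessions.put(s.id, s); }   // listener side
        void sessionDestroyed(FakeSession s) { sessions.remove(s.id); } // listener side
        // Logout side: returns true only if this instance knew the session.
        boolean logout(String id) {
            FakeSession s = sessions.remove(id);
            if (s == null) return false;
            s.invalidated = true;
            return true;
        }
    }

    public static void main(String[] args) {
        // Case 1: the container creates one instance as listener, the filter holds another.
        SessionRegistry listenerInstance = new SessionRegistry();
        SessionRegistry filterInstance = new SessionRegistry();
        FakeSession a = new FakeSession("constructed-session-A");
        listenerInstance.sessionCreated(a);
        System.out.println("separate instances: logout found session = "
                + filterInstance.logout(a.id) + ", invalidated = " + a.invalidated);

        // Case 2: the same object receives the events and serves the logout request.
        SessionRegistry shared = new SessionRegistry();
        FakeSession b = new FakeSession("constructed-session-B");
        shared.sessionCreated(b);
        System.out.println("shared instance:    logout found session = "
                + shared.logout(b.id) + ", invalidated = " + b.invalidated);
    }
}
```

In the first case the back-channel logout request is accepted but the local session stays valid, so the user remains logged in at the application after the single logout.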