On 19/07/17 10:51, Yizhou Jiang(Yizhou) wrote:
> Dear Marek Posolda,
> Thanks for your kind help. I understand the second question now, but the first
> question still confuses me.
>> But I guess that when you restarted Tomcat, you didn't restart the Keycloak
>> server, right?
> Yes, I didn't restart the Keycloak server and there is an SSO cookie on the Keycloak
> server.
> After I restart Tomcat, the user isn't redirected to Keycloak but logs in
> directly.
> I have checked it in Firebug; there is really no redirect.
> So I guess the user session with the cookie of the application still exists, not
> cleared.
Maybe yes. I am not 100% sure where Tomcat saves its HTTP sessions.
Maybe there is some file on the disk. If you want those cleared, you can
maybe delete all those "tmp" and "work" directories? Hopefully the Tomcat
docs have more details around this.
Marek
> thanks,
> yizhou
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Wednesday, July 19, 2017 3:42 PM
To: Yizhou Jiang(Yizhou); keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] where does the tomcat client adapter save the session
On 19/07/17 07:07, Yizhou Jiang(Yizhou) wrote:
> Hi,
> I have two questions:
>
> 1 Where does the tomcat client adapter store the user session?
>
> When a user logs into an application protected by a tomcat
> client adapter, there is only
> "JSESSIONID=E1EAC81E52C97DD64FFB4C13A1231996" in the cookie.
> But when I restart tomcat, the user can still log into the
> application with the cookie. Obviously the session isn't stored in the memory of tomcat. Where does the
> tomcat client adapter store the user session?
It's saved in the HTTP session and AFAIK HTTP sessions are not persisted by Tomcat
and are cleared after restart.
But I guess that when you restarted Tomcat, you didn't restart the Keycloak
server, right? So you still have the SSO cookie KEYCLOAK_IDENTITY on the Keycloak server. So what
happens for you is that after the restart of Tomcat, when you open the URL of your Tomcat
application, the user is redirected to Keycloak, where he is automatically authenticated due to
SSO and hence in Tomcat is automatically authenticated too.
> 2 Are there any settings for the policy enforcer that can let an unauthenticated
> user access some resources in an application protected by a tomcat client adapter?
>
> Setting the enforcement-mode to "DISABLED" still requires the user to be
> authenticated.
>
> "policy-enforcer": {
>   "enforcement-mode": "PERMISSIVE",
>   "paths": [
>     {
>       "path": "/public/*",
>       "enforcement-mode": "DISABLED"
>     }
>   ]
> }
Yes, true. There are security constraints declared in the web.xml of your web application,
and the adapter always requires the user to be authenticated (and redirects to the login screen) once
the user enters some "secured" URL from there. So you may rather need to change your
security constraints in web.xml to ensure some URL is public.
Also I am not 100% sure, but I think that those "public" URLs declared in
web.xml will just be ignored by the Keycloak adapter at all.
Which means that the declared "policy-enforcer" will be ignored too. In other
words, the "policy-enforcer" is applied just for authenticated requests and
it's done after the user was authenticated (again not 100% sure, but rather something
like 95% :)
Marek
>
> thanks,
> yizhou
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
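As an added example (not code from the thread), one concrete place to look for the "file on the disk" Marek mentions in the first answer: Tomcat's default StandardManager writes the active HTTP sessions to a SESSIONS.ser file under the work directory on a clean shutdown and reloads them on the next start. The context.xml fragment below, assumed to live in META-INF/context.xml of the protected application, sets the manager's pathname to an empty string to switch that persistence off, so a Tomcat restart really does drop every HttpSession, including the Keycloak security context the adapter keeps in it:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the Keycloak-protected web application
     (added example; the file location is an assumption) -->
<Context>
  <!-- Keycloak Tomcat adapter valve, as documented for the adapter -->
  <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
  <!-- pathname="" disables StandardManager's SESSIONS.ser persistence across restarts -->
  <Manager className="org.apache.catalina.session.StandardManager" pathname=""/>
</Context>
```

With persistence off, the behaviour after a restart is the one Marek describes: the browser still carries the KEYCLOAK_IDENTITY cookie, so the first request is redirected to Keycloak and transparently re-authenticated there, and the redirect now shows up in Firebug. The check is therefore not whether the user ends up logged in (they will, either way) but whether the adapter had to go back to Keycloak to get there.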
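The web.xml change Marek suggests in the second answer, written out as an added example rather than anything from the thread: /public/* is left outside any auth-constraint so the container, and with it the adapter, never demands a login for it, while /secure/* requires the role user (role name, paths and realm name are assumptions). The Servlet-spec detail that matters here is that a security-constraint without an auth-constraint element means "no authentication required", whereas an empty auth-constraint element means "deny everyone":

```xml
<!-- WEB-INF/web.xml of the protected application
     (added example; role name "user", the paths and the realm name are assumptions) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Protected area: the adapter redirects to Keycloak for any request here -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Public area: no auth-constraint at all, so no login is demanded.
       Do not write an empty <auth-constraint/> here; that denies everybody. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public pages</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- Hand authentication to the Keycloak adapter instead of FORM or BASIC -->
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo</realm-name>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

The policy-enforcer paths block in keycloak.json only ever sees requests the adapter has already authenticated, so leaving /public/* as DISABLED there is harmless but does not by itself make the URL reachable without a login; the web.xml constraint is what decides whether the container asks for one. A quick way to verify the result is an unauthenticated request to a /public/ URL, which should answer 200 with no redirect to Keycloak, while the same request to a /secure/ URL should answer with a 302 to the Keycloak login endpoint.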