[keycloak-dev] Application Clustering problems
Stian Thorgersen
sthorger at redhat.com
Mon Jan 25 13:04:34 EST 2016
Try google for wildfly replicate http sessions
On 25 January 2016 at 15:53, Christian Beikov <christian.beikov at gmail.com>
wrote:
> I just wrote that I configured clustering for my application just like in
> the standlone-ha.xml of my Wildfly 10 CR4.
> I configured the jgroups subsystem and the distributed caches for web
> sessions as it is done in standalone-ha.xml of Wildfly.
> If there is anything else that should be configured, can you please point
> me to that configuration option?
>
> Regards,
> Christian
>
>
> Am 25.01.2016 um 15:45 schrieb Stian Thorgersen:
>
> HTTP session replicate is not enabled by default. You need to enable it
> for your application.
>
> On 25 January 2016 at 14:39, Christian Beikov <christian.beikov at gmail.com>
> wrote:
>
>> The documentation states, that the default token-store is "session" and
>> as I wrote before, I have setup clustering on my Wildfly 10 CR4 like in
>> standalone-ha.xml, so the session should already be replicated.
>>
>> Regards,
>> Christian
>>
>>
>> Am 25.01.2016 um 14:20 schrieb Stian Thorgersen:
>>
>> Your issue doesn't have anything to do with the Keycloak server side user
>> sessions, they don't require sticky sessions.
>>
>> Your issue is down to the http session on the adapter side not being
>> replicated by default. For the adapter you've got 3 choices: sticky
>> session, replicated session or stateless. Which is best depends on your
>> application.
>>
>>
>> On 25 January 2016 at 14:05, Christian Beikov <
>> <christian.beikov at gmail.com>christian.beikov at gmail.com> wrote:
>>
>>> I don't have a problem with sticky sessions and I will definitively
>>> configure them, but I am curious. What is the reason for the problems with
>>> round robin in this test scenario? Are the infinispan caches not replicated
>>> fast enough or is there an implementation limitation in the adapters?
>>>
>>
>>> Regards,
>>> Christian
>>>
>>>
>>> Am 25.01.2016 um 08:58 schrieb Stian Thorgersen:
>>>
>>> By default the adapters will require sticky sessions, please refer to
>>> <http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html>
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html
>>> for more information
>>>
>>> On 22 January 2016 at 12:48, Christian Beikov <
>>> <christian.beikov at gmail.com>christian.beikov at gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I am running some tests with my application cluster being secured by a
>>>> single keycloak server instance and I encountered problems with the
>>>> adapter.
>>>>
>>>> My application cluster contains 2 nodes and is load balanced by nginx.
>>>> For testing purposes, I enabled round robin load balancing which is
>>>> probably the "cause" for my issues.
>>>>
>>>> When I access a secured page, I get redirected to keycloak and
>>>> everything is fine. When I then login, and keycloak redirects me back to
>>>> the application, I get to a different application cluster node because
>>>> of round robin. On that node, apparently the initial information of the
>>>> client session is not available and I get redirected to keycloak login
>>>> page again. Then keycloak redirects me back to the application, this
>>>> time to the original node, and says that access is forbidden.
>>>>
>>>> I suppose the web session caches are not in sync but I just used the
>>>> default cache containers as they are defined in standalone-ha.xml of my
>>>> Wildlfy 10 CR4. Clustering with jgroups works, as I use other
>>>> distributed caches too which work just fine.
>>>>
>>>> We are using Keycloak 1.8.0.CR2 on a Wildfly 10 CR4
>>>>
>>>> Regards,
>>>> Christian
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> <keycloak-dev at lists.jboss.org>keycloak-dev at lists.jboss.org
>>>> <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160125/796e806e/attachment-0001.html
More information about the keycloak-dev
mailing list