[keycloak-user] CatalinaUserSessionManagement: Session not present or already invalidated
Scott Rossillo
srossillo at smartling.com
Fri Apr 3 16:22:24 EDT 2015
Update on issue 1, Log user out from KC console:
It appears this is due to Spring Security creating a new session and
migrating data into it but KC knows nothing about this. There’s a way to
disable this behavior in Spring Security and I’m going to take that path.
This should be a non-issue.
~ Scott
On Fri, Apr 3, 2015 at 3:21 PM, Scott Rossillo <srossillo at smartling.com>
wrote:
> Ok, so a few followups. Just to be clear, here’s what I’m trying to do and
> the outcomes of each against 1.2.0.Beta1:
>
> 1. (Original scenario) Log user out from KC console (Users > [user]
> Sessions).
> Result: This still fails with the exception,
> "org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession
> Session not present or already invalidated."
>
> The exception thrown here is an NPE as manager.findSession(httpSessionId)
> failed to find the session. Interestingly, the session is still valid and
> the ID passed into the manager is correct. Furthermore, while debugging I
> can see that manager.findSession() looks up the session in a hash map.
> Interestingly, the session id (key) is there, but the value (session) is
> null. Maybe this is a Tomcat bug. Using Tomcat 8.0.18, will test with
> 8.0.21.
>
> 2. (Second scenario) Application logout.
> Documentation 8.10. Logout (
> http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152)
> says you can either call HttpServletRequest.logout() or redirect to
> http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri.
>
> However, you have to do both.
>
> Call only .logout() and the KC token is still valid and user can access
> app with a new session (it will just redirect to KC, see KC session is
> valid and grant access).
>
> Call only auth-server/…/logout and the Tomcat session remains valid. I
> would have thought that calling the auth-server’s logout endpoint would
> broadcast logout events to logged in applications, but it doesn’t.
>
> I’ll file a JIRA for the second case and continue investigating the first
> scenario with a newer Tomcat release.
>
> Best,
> Scott
>
> On Fri, Apr 3, 2015 at 1:42 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
>> Sure, maybe an even easier alternative is to try a debugger. You can add
>> this to the beginning of $TOMCAT_HOME/bin/catalina.sh:
>>
>> JAVA_OPTS="$JAVA_OPTS -agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n"
>>
>> then start Tomcat and connect to it remotely from your IDE. You will
>> need an open IDE with the Keycloak sources, though.
>>
>> I've changed the code to display the exception stacktrace, but it will be
>> available in the next release (not yet in 1.2.0.Beta1 released yesterday)
>>
>> Marek
>>
>>
>> On 3.4.2015 01:30, Scott Rossillo wrote:
>>
>> Still no luck using Tomcat 8 and Keycloak 1.2.0.Beta1.
>>
>> I will install a custom built agent tomorrow to catch the actual
>> exception to see what's up.
>>
>>
>> On Thursday, April 2, 2015, Scott Rossillo <srossillo at smartling.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Thanks for the reply.
>>>
>>> I was trying to log a user out from the Keycloak admin console. I will
>>> try the redirect method and see if it works.
>>>
>>> Also, I’m using 1.1.0.Final. I will upgrade to 1.2.0.Beta1 and report
>>> if the issue is still occurring.
>>>
>>> Best,
>>> Scott
>>>
>>>
>>> On Thu, Apr 2, 2015 at 10:23 AM, Marek Posolda <mposolda at redhat.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I've tried with Apache Tomcat 6.0.35 but wasn't able to reproduce with
>>>> latest Keycloak 1.2.0.Beta1. Logout works fine for me.
>>>>
>>>> How are you doing logout? From the application or from the KC admin
>>>> console? For Tomcat 6, the httpServletRequest.logout() method is not yet
>>>> available, so the best way to log out from the application is redirecting to
>>>> the Keycloak logout URL, similar to our demo example:
>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14
>>>>
>>>> You can also enable debug logging, which should show some additional
>>>> messages in the log by adding this line into
>>>> $TOMCAT_HOME/conf/logging.properties:
>>>>
>>>> org.keycloak.level = FINE
>>>>
>>>> Marek
>>>>
>>>>
>>>>
>>>> On 2.4.2015 01:37, Scott Rossillo wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I’m running Keycloak 1.1.0-Final in standalone mode and using
>>>> Keycloak agents on Tomcat 6 and Tomcat 8.
>>>>
>>>> With both agents, whenever I try to log a user out via the Keycloak
>>>> server, I see this in the Tomcat server’s log:
>>>>
>>>> Apr 01, 2015 7:27:47 PM
>>>> org.keycloak.adapters.tomcat.CatalinaUserSessionManagement logoutSession
>>>> WARN: Session not present or already invalidated.
>>>>
>>>> The session is still valid and continues to be valid for some period
>>>> of time in each of the Tomcat instances. Anyone know how to fix?
>>>>
>>>> I was looking at the source and I see this method:
>>>>
>>>> - org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession()
>>>>
>>>> I may test logging the actual exception tomorrow if no one has a clue,
>>>> but I think the exception is probably being thrown for some reason
>>>> other than the session no longer existing (it definitely still does).
>>>>
>>>> Best,
>>>> Scott
>>>>
>>>>
>>>>
>>>
>>
>
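
The mismatch described in the update at the top of this thread, as an added example that is not part of the original messages and is not Keycloak, Tomcat or Spring Security code: a toy model in which the adapter records the HTTP session id at login, the session is then moved to a new id, and the admin-console logout looks up the recorded id. Every class, method and id below is hypothetical; the second case, where the adapter is told about the new id, is included only for contrast and is not the approach chosen in the post.

```java
import java.util.HashMap;
import java.util.Map;

// Toy model of the mismatch; every name here is hypothetical, none is a
// Keycloak, Tomcat or Spring Security API.
public class SessionIdMigrationDemo {
    // Container side: HTTP session id -> session attributes.
    static final Map<String, Map<String, Object>> containerSessions = new HashMap<>();
    // Adapter side: SSO session id -> HTTP session id recorded at login.
    static final Map<String, String> ssoToHttpSession = new HashMap<>();

    static void login(String ssoId, String httpId, String user) {
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("user", user);
        containerSessions.put(httpId, attrs);
        ssoToHttpSession.put(ssoId, httpId);
    }

    // Session-fixation protection: same attributes, new id, old id retired.
    // notifyAdapter=false models the adapter never hearing about the change.
    static void migrate(String ssoId, String oldId, String newId, boolean notifyAdapter) {
        containerSessions.put(newId, containerSessions.remove(oldId));
        if (notifyAdapter) {
            ssoToHttpSession.put(ssoId, newId);
        }
    }

    // Admin-console logout: look up the recorded HTTP session id and drop it.
    // Returns false when the recorded id no longer resolves to a session.
    static boolean backchannelLogout(String ssoId) {
        String httpId = ssoToHttpSession.remove(ssoId);
        return httpId != null && containerSessions.remove(httpId) != null;
    }

    static void run(boolean notifyAdapter) {
        containerSessions.clear();
        ssoToHttpSession.clear();
        login("sso-1", "http-A", "alice"); // constructed sample values
        migrate("sso-1", "http-A", "http-B", notifyAdapter);
        boolean found = backchannelLogout("sso-1");
        System.out.println("adapter notified=" + notifyAdapter
                + " logout found session=" + found
                + " migrated session still live=" + containerSessions.containsKey("http-B"));
    }

    public static void main(String[] args) {
        run(false); // case 1: adapter keeps the id recorded at login
        run(true);  // case 2: adapter mapping follows the session to its new id
    }
}
```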