[keycloak-user] CatalinaUserSessionManagement: Session not present or already invalidated

Marek Posolda mposolda at redhat.com
Tue Apr 7 03:33:05 EDT 2015


On 3.4.2015 21:21, Scott Rossillo wrote:
> Ok, so a few followups. Just to be clear, here’s what I’m trying to do 
> and the outcomes of each against 1.2.0.Beta1:
>
> 1. (Original scenario) Log user out from KC console (Users > [user] 
> Sessions).
> Result: This still fails with the exception, 
> "org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession 
> Session not present or already invalidated.”
>
> The exception thrown here is an NPE 
> as manager.findSession(httpSessionId) failed to find the session. 
> Interestingly, the session is still valid and the ID passed into the 
> manager is correct. Furthermore, while debugging I can see that 
> manager.findSession() looks up the session in a hash map. 
> Interestingly, the session id (key) is there, but the value (session) 
> is null.  Maybe this is a Tomcat bug.  Using Tomcat 8.0.18, will test 
> with 8.0.21.
>
> 2. (Second scenario) Application logout.
> Documentation 8.10. Logout 
> (http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152) 
> says you can either call HttpServletRequest.logout() or redirect 
> to http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri.
>
> However, you have to do both.
>
> Call only .logout() and the KC token is still valid and user can 
> access app with a new session (it will just redirect to KC, see KC 
> session is valid and grant access).
>
> Call only auth-server/…/logout and the Tomcat session remains valid. I 
> would have thought that calling the auth-server’s logout endpoint 
> would broadcast logout events to logged in applications, but it doesn’t.
Actually auth-server logout should broadcast the logout to all logged-in 
applications. Auth-server will do it if you have configured "admin URL" 
for your application in Keycloak admin console. Do you have it configured?

Calling .logout() should ensure redirecting to auth-server, which 
will logout Keycloak user session and then broadcast to logged-in applications.

In summary, both .logout() and redirection to auth-server/.../logout 
should invalidate both Keycloak UserSession and all logged-in application 
sessions (as long as you have admin URL configured for the 
applications). If any of it doesn't work, it may be a bug.

Marek
>
> I’ll file a JIRA for the second case and continue investigating the 
> first scenario with a newer Tomcat release.
>
> Best,
> Scott
>
> On Fri, Apr 3, 2015 at 1:42 AM, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     Sure, maybe even easier alternative is to try debugger. You can
>     add this to the beginning of $TOMCAT_HOME/bin/catalina.sh:
>
>     JAVA_OPTS="$JAVA_OPTS
>     -agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n"
>
>     then start tomcat and then remotely connect to it from your IDE.
>     You will need opened IDE with keycloak sources though.
>
>     I've changed the code to display the exception stacktrace, but it
>     will be available in next release (not yet in 1.2.0.Beta1 released
>     yesterday)
>
>     Marek
>
>
>     On 3.4.2015 01:30, Scott Rossillo wrote:
>>     Still no luck using Tomcat 8 and Keycloak 1.2.0.Beta1.
>>
>>     I will install a custom built agent tomorrow to catch the actual
>>     exception to see what's up.
>>
>>
>>     On Thursday, April 2, 2015, Scott Rossillo
>>     <srossillo at smartling.com <mailto:srossillo at smartling.com>> wrote:
>>
>>         Hi,
>>
>>         Thanks for the reply.
>>
>>         I was trying to log a user out from the Keycloak admin
>>         console. I will try the redirect method and see if it works.
>>
>>         Also, I’m using 1.1.0.Final. I will upgrade to 1.2.0.Beta1
>>         and report if the issue is still occurring.
>>
>>         Best,
>>         Scott
>>
>>         On Thu, Apr 2, 2015 at 10:23 AM, Marek Posolda
>>         <mposolda at redhat.com> wrote:
>>
>>             Hi,
>>
>>             I've tried with Apache Tomcat 6.0.35 but wasn't able to
>>             reproduce with latest Keycloak 1.2.0.Beta1. Logout works
>>             fine for me.
>>
>>             How are you doing logout? From the application or from KC
>>             admin console? For the tomcat6, the
>>             httpServletRequest.logout() method is not yet available,
>>             so best for logout from the application is redirecting to
>>             Keycloak logout URL similarly like in our demo example:
>>             https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14
>>
>>             You can also enable debug logging, which should show some
>>             additional messages in the log by adding this line into
>>             $TOMCAT_HOME/conf/logging.properties:
>>
>>             org.keycloak.level = FINE
>>
>>             Marek
>>
>>
>>
>>             On 2.4.2015 01:37, Scott Rossillo wrote:
>>>             Hi all,
>>>
>>>             I’m running Keycloak 1.1.0-Final in standalone mode and
>>>             using Keycloak agents on Tomcat 6 and Tomcat 8.
>>>
>>>             With both agents, whenever I try to log a user out via
>>>             the Keycloak server, I see this in the Tomcat server’s log:
>>>
>>>             Apr 01, 2015 7:27:47 PM
>>>             org.keycloak.adapters.tomcat.CatalinaUserSessionManagement
>>>             logoutSession
>>>             WARN: Session not present or already invalidated.
>>>
>>>             The session is still valid and continues to be valid for
>>>             some period of time in each of the Tomcat instances.
>>>             Anyone know how to fix?
>>>
>>>             I was looking at the source and I see this method:
>>>
>>>             * org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession()
>>>
>>>             I may test logging the actual exception tomorrow if no
>>>             one has a clue, but I think it’s probably the exception
>>>             is being thrown for some reason other than the session
>>>             no longer existing (it definitely still does).
>>>
>>>             Best,
>>>             Scott
>>>
>>>
>>>
>>>             _______________________________________________
>>>             keycloak-user mailing list
>>>             keycloak-user at lists.jboss.org
>>>             https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
>
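As an added illustration of the application-side logout discussed in this thread (example code written here, not part of the thread, the Keycloak adapter, or its demo), the servlet below performs both steps Scott found necessary: the local HttpServletRequest.logout() plus the redirect to the auth-server logout endpoint named in the documentation. The auth-server base URL, realm name and post-logout redirect URI are assumed placeholders; Servlet 3.0+ (Tomcat 7 or later) is assumed because, as Marek notes, Tomcat 6 has no HttpServletRequest.logout().

```java
import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logs the user out of this application AND of the Keycloak realm.
 * Doing only one of the two leaves either the Keycloak SSO session or the
 * Tomcat HttpSession alive (the behaviour reported earlier in this thread).
 */
public class LogoutServlet extends HttpServlet {
    // Assumed placeholder values; replace with the real deployment's settings.
    private static final String AUTH_SERVER = "http://auth-server/auth";
    private static final String REALM = "my-realm";
    private static final String POST_LOGOUT_URI = "http://app.example/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Step 1: container-level logout (Servlet 3.0+). Clears the principal
        // the Keycloak adapter attached to this request.
        req.logout();

        // Step 2: drop the Tomcat HttpSession explicitly so nothing lingers in
        // the session manager even if the adapter's own cleanup does not run.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Step 3: server-side logout. This ends the Keycloak UserSession; when
        // an "admin URL" is configured for each application, the server then
        // broadcasts the logout to the other logged-in applications as well.
        String encodedRedirect = URLEncoder.encode(POST_LOGOUT_URI, "UTF-8");
        resp.sendRedirect(AUTH_SERVER + "/realms/" + REALM
                + "/tokens/logout?redirect_uri=" + encodedRedirect);
    }
}
```

The redirect_uri must be URL-encoded, as the documentation's encodedRedirectUri parameter name indicates, otherwise query characters in the post-logout URL are misparsed by the auth-server.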
