[keycloak-user] Http Session is not invalidated
Chen Keong Yap
chenkeong.yap at izeno.com
Tue Apr 7 04:41:15 EDT 2015
Hi,
I cannot find the SPFilter definition in web.xml of the sample demo. Just
wondering, is the demo running on the SP filter?

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <!-- PicketLink SP filter: handles the SAML exchange with Keycloak for every request -->
    <filter>
        <filter-name>SPFilter</filter-name>
        <filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
        <init-param>
            <param-name>IGNORE_SIGNATURES</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>ROLES</param-name>
            <param-value>PRUONE</param-value>
        </init-param>
        <init-param>
            <param-name>LOGOUT_PAGE</param-name>
            <param-value>/logout1.jsp</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>SPFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
On Tue, Apr 7, 2015 at 3:20 PM, Marek Posolda <mposolda at redhat.com> wrote:
> The demo is bundled in keycloak-appliance-dist ZIP in directory
> examples/saml .
>
> The demo sources are here:
> https://github.com/keycloak/keycloak/tree/master/examples/saml
>
> Marek
>
>
> On 7.4.2015 02:37, Chen Keong Yap wrote:
>
> Hi bill,
>
> Can you give me the link or path for the demo? Not sure if you are using
> keycloak or picketlink demo for testing?
> On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke at redhat.com> wrote:
>
>> Demos work fine for me, but I'm using the wildfly Picketlink SP adapter.
>> I am able to have an SSO session with all the examples, then I am able to
>> logout and have all sessions invalidated.
>>
>> On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
>>
>>> Hi bill,
>>>
>>> Are you using 2 applications for testing?
>>>
>>> If yes, need to know have you logged out the first application then
>>> redirect to keycloak login page? After that refresh the second
>>> application then redirect to keycloak login page?
>>>
>>> Can i know which version of picketlink federation lib are you using?
>>>
>>> On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>>
>>> I tried out the saml demo app and logout works just fine, so I'm
>>> guessing this is a bug in the PL SP Filter.
>>>
>>> On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
>>>
>>> Hi bill,
>>>
>>> Global logout only removed sp sessions but not web application
>>> sessions
>>> and this created security loopholes.
>>>
>>> Please advise
>>>
>>> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap
>>> <chenkeong.yap at izeno.com> wrote:
>>>
>>> Guys,
>>>
>>> Can share your ideas why global logout is not working?
>>>
>>> On Apr 3, 2015 3:47 PM, "Chen Keong Yap"
>>> <chenkeong.yap at izeno.com> wrote:
>>>
>>> Hi Marek,
>>>
>>> I've just tested backchannel logout and it's showing
>>> same issue.
>>> Both applications are using PL SP Filter and the steps
>>> below are
>>> used for testing.
>>>
>>> 1. Open https://localhost:8443/employee/ and http request is
>>> redirected to
>>> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>>>
>>> 2. Enter username and password into keycloak login page
>>> and
>>> redirected to employee landing page
>>>
>>> 3. Open https://localhost:8443/sales-post/ and redirected to
>>> sales-post landing page without login
>>>
>>> 4. Logon to keycloak admin console and noticed there
>>> are 2
>>> active sessions
>>>
>>> 5. Perform global logout from employee landing page
>>> (https://localhost:8443/employee/?GLO=true) and http request is
>>> redirected to
>>> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>>>
>>> 6. Logon to keycloak admin console and noticed all
>>> sessions are gone
>>>
>>> 7. Refresh sales-post landing page and it's not
>>> redirected to
>>> keycloak login page. sales-post session still active.
>>>
>>> Kindly advise why GLO is performed but the second
>>> application
>>> (sales-post) session still active?
>>>
>>> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
>>> <mposolda at redhat.com> wrote:
>>>
>>> Switch the "Front channel logout" to off. In this
>>> case it
>>> should use backchannel (not redirecting through
>>> browser, but
>>> sending logout requests from Keycloak in background)
>>>
>>> Marek
>>>
>>>
>>>
>>> On 3.4.2015 08:28, Chen Keong Yap wrote:
>>>
>>>
>>> Hi Merek,
>>>
>>> I've tried frontChannel logout in 1.2.0.Beta1
>>> and it's
>>> giving me the same issues, please refer to the
>>> settings
>>> shown in the screen shot.
>>>
>>> Can you please advise how to test backchannel
>>> logout?
>>>
>>>
>>> Inline image 1
>>>
>>>
>>>
>>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
>>> <mposolda at redhat.com> wrote:
>>>
>>> I would try to upgrade to latest
>>> 1.2.0.Beta1 as it has
>>> some related fixes AFAIK.
>>>
>>> In this version, you have also possibility
>>> to setup
>>> either frontChannel logout or backchannel
>>> logout for
>>> the application. It could be set in
>>> Keycloak admin
>>> console. I think that at least one of them
>>> will work
>>> with SP filter in latest version (if not
>>> both).
>>>
>>> Marek
>>>
>>>
>>> On 3.4.2015 01:44, Chen Keong Yap wrote:
>>>
>>> Hi,
>>>
>>> I've 2 applications installed with
>>> Picketlink
>>> SPFilter to authenticate with keycloak
>>> 1.1.0 beta 2.
>>>
>>> When i perform global logout, first
>>> application was
>>> logged out successfully because
>>> SP/keycloak session
>>> and application http session are
>>> removed but the
>>> problem is second
>>> application SP/keycloak session is
>>> removed but
>>> application http session is still
>>> remained. I've set
>>> admin url for these 2 applications in
>>> keycloak admin
>>> console. Kindly share your ideas.
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>
>
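The failure described in this thread (global logout clears the SP/Keycloak session of the second application, but its container HttpSession survives and the landing page keeps working) comes down to nothing tying the SAML session back to the servlet session. The following is an added example, not PicketLink or Keycloak code and not written by anyone in the thread, showing one way an SP application can close that gap on its own: register each container session under the SAML SessionIndex at login, and invalidate every such session when a backchannel LogoutRequest for that index has been verified. The package name, the class names and the single-JVM in-memory registry are assumptions; the code uses only the standard Servlet API (javax.servlet).

```java
package example.saml; // hypothetical package, not part of the Keycloak demo

import java.io.IOException;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Maps SAML SessionIndex values to the container sessions created from them,
 * so that a backchannel LogoutRequest can invalidate the HttpSession as well.
 * Assumption: a single JVM; in a cluster this registry would have to be shared.
 */
public final class SamlSessionRegistry implements HttpSessionListener {
    private static final Map<String, Set<HttpSession>> SESSIONS_BY_INDEX = new ConcurrentHashMap<>();
    private static final Map<String, String> INDEX_BY_SESSION_ID = new ConcurrentHashMap<>();

    /** Call once the SAML Response has been validated and the user is logged in locally. */
    public static void register(String sessionIndex, HttpSession session) {
        SESSIONS_BY_INDEX
            .computeIfAbsent(sessionIndex, k -> ConcurrentHashMap.newKeySet())
            .add(session);
        INDEX_BY_SESSION_ID.put(session.getId(), sessionIndex);
    }

    /** Call only after the backchannel LogoutRequest's signature has been verified. Returns the number of sessions dropped. */
    public static int invalidateBySessionIndex(String sessionIndex) {
        Set<HttpSession> sessions = SESSIONS_BY_INDEX.remove(sessionIndex);
        if (sessions == null) {
            return 0;
        }
        int dropped = 0;
        for (HttpSession s : sessions) {
            try {
                s.invalidate(); // fires sessionDestroyed, which cleans the reverse map
                dropped++;
            } catch (IllegalStateException alreadyInvalid) {
                // timed out or invalidated concurrently; nothing left to do
            }
        }
        return dropped;
    }

    /** True if the session never went through SAML login, or its SAML session is still registered. */
    public static boolean isStillLoggedIn(HttpSession session) {
        String index = INDEX_BY_SESSION_ID.get(session.getId());
        return index == null || SESSIONS_BY_INDEX.containsKey(index);
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // nothing to track until a SAML login registers the session
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        String index = INDEX_BY_SESSION_ID.remove(se.getSession().getId());
        if (index == null) {
            return;
        }
        Set<HttpSession> set = SESSIONS_BY_INDEX.get(index);
        if (set != null) {
            set.remove(se.getSession());
            if (set.isEmpty()) {
                SESSIONS_BY_INDEX.remove(index, set);
            }
        }
    }
}

/** Belt and braces: a container session whose SAML session was logged out is dropped on its next request. */
final class LogoutEnforcingFilter implements Filter {
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        if (session != null && !SamlSessionRegistry.isStillLoggedIn(session)) {
            session.invalidate();
            // with SPFilter mapped on /*, the redirected request is sent back to Keycloak for login
            ((HttpServletResponse) res).sendRedirect(request.getContextPath() + "/");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

register() belongs wherever the application handles the validated SAML Response (after the SP filter has established the principal), and invalidateBySessionIndex() behind the endpoint registered as the application's admin URL in Keycloak, once the LogoutRequest has been signature-checked. That check matters: with IGNORE_SIGNATURES set to true, as in the web.xml above, anything that can reach the admin URL could otherwise end arbitrary users' sessions. The listener goes in web.xml as a `<listener>`, and the filter should be mapped ahead of SPFilter so it runs first. With this in place, step 7 of the test above becomes a clear pass/fail: after GLO, refreshing sales-post must land on the Keycloak login page.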
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150407/18c48e77/attachment-0001.html