[keycloak-user] Http Session is not invalidated
Marek Posolda
mposolda at redhat.com
Tue Apr 7 04:47:22 EDT 2015
Nope, it's using the proper picketlink binding adapters
(ServiceProviderAuthenticator valve on EAP6 and SPServletExtension on
Wildfly). If you have the opportunity to use those instead of SPFilter, it
may be better though. I am not sure if Picketlink SPFilter is not
deprecated (or if it supports all the features like binding adapters).
Maybe Bill or Pedro knows more.
Marek
On 7.4.2015 10:41, Chen Keong Yap wrote:
>
> Hi,
>
> I cannot find the spfilter definition in web.xml of the sample demo.
> Just wondering, is the demo running on SP filter?
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE web-app
>   PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
>   "http://java.sun.com/dtd/web-app_2_3.dtd">
>
> <web-app>
>   <filter>
>     <filter-name>SPFilter</filter-name>
>     <filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
>     <init-param>
>       <param-name>IGNORE_SIGNATURES</param-name>
>       <param-value>true</param-value>
>     </init-param>
>     <init-param>
>       <param-name>ROLES</param-name>
>       <param-value>PRUONE</param-value>
>     </init-param>
>     <init-param>
>       <param-name>LOGOUT_PAGE</param-name>
>       <param-value>/logout1.jsp</param-value>
>     </init-param>
>   </filter>
>   <filter-mapping>
>     <filter-name>SPFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
> </web-app>
>
> On Tue, Apr 7, 2015 at 3:20 PM, Marek Posolda <mposolda at redhat.com> wrote:
>
> The demo is bundled in keycloak-appliance-dist ZIP in directory
> examples/saml .
>
> The demo sources are here:
> https://github.com/keycloak/keycloak/tree/master/examples/saml
>
> Marek
>
>
> On 7.4.2015 02:37, Chen Keong Yap wrote:
>>
>> Hi bill,
>>
>> Can you give me the link or path for the demo? Not sure if you
>> are using keycloak or picketlink demo for testing?
>>
>> On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>
>> Demos work fine for me, but I'm using the wildfly Picketlink
>> SP adapter. I am able to have an SSO session with all the
>> examples, then I am able to logout and have all sessions
>> invalidated.
>>
>> On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
>>
>> Hi bill,
>>
>> Are you using 2 applications for testing?
>>
>> If yes, need to know have you logged out the first application then
>> redirect to keycloak login page? After that refresh the second
>> application then redirect to keycloak login page?
>>
>> Can I know which version of picketlink federation lib are you using?
>>
>> On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>
>> I tried out the saml demo app and logout works just fine, so I'm
>> guessing this is a bug in the PL SP Filter.
>>
>> On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
>>
>> Hi bill,
>>
>> Global logout only removed sp sessions but not web application
>> sessions and this created security loopholes.
>>
>> Please advise
>>
>> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap <chenkeong.yap at izeno.com> wrote:
>>
>> Guys,
>>
>> Can share your ideas why global logout is not working?
>>
>> On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap at izeno.com> wrote:
>>
>> Hi Marek,
>>
>> I've just tested backchannel logout and it's showing the same issue.
>> Both applications are using PL SP Filter and the steps below are
>> used for testing.
>>
>> 1. Open https://localhost:8443/employee/ and http request is
>> redirected to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>>
>> 2. Enter username and password into keycloak login page and
>> redirected to employee landing page
>>
>> 3. Open https://localhost:8443/sales-post/ and redirected to
>> sales-post landing page without login
>>
>> 4. Logon to keycloak admin console and noticed there are 2
>> active sessions
>>
>> 5. Perform global logout from employee landing page
>> (https://localhost:8443/employee/?GLO=true) and http request is
>> redirected to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>>
>> 6. Logon to keycloak admin console and noticed all sessions are gone
>>
>> 7. Refresh sales-post landing page and it's not redirected to
>> keycloak login page. sales-post session still active.
>>
>> Kindly advise why GLO is performed but the second application
>> (sales-post) session still active?
>>
>> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> Switch the "Front channel logout" to off. In this case it should use
>> backchannel (not redirecting through browser, but sending logout
>> requests from Keycloak in background)
>>
>> Marek
>>
>>
>>
>> On 3.4.2015 08:28, Chen Keong Yap wrote:
>>
>>
>> Hi Marek,
>>
>> I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the
>> same issues, please refer to the settings shown in the screen shot.
>>
>> Can you please advise how to test backchannel logout?
>>
>>
>> Inline image 1
>>
>>
>>
>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> I would try to upgrade to latest 1.2.0.Beta1 as it has some related
>> fixes AFAIK.
>>
>> In this version, you also have the possibility to set up either
>> frontChannel logout or backchannel logout for the application. It
>> could be set in Keycloak admin console. I think that at least one of
>> them will work with SP filter in latest version (if not both).
>>
>> Marek
>>
>>
>> On 3.4.2015 01:44, Chen Keong Yap wrote:
>>
>> Hi,
>>
>> I've 2 applications installed with Picketlink SPFilter to
>> authenticate with keycloak 1.1.0 beta 2.
>>
>> When I perform global logout, first application was logged out
>> successfully because SP/keycloak session and application http
>> session are removed but the problem is second application
>> SP/keycloak session is removed but application http session
>> still remains. I've set admin url for these 2 applications in
>> keycloak admin console. Kindly share your ideas.
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
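The symptom the thread circles around (the Keycloak session list is empty after GLO, yet sales-post still serves its landing page) is what an SP produces when it clears its own SAML state but never calls HttpSession.invalidate() on the container session. A backchannel LogoutRequest cannot find that session by cookie, because it arrives from Keycloak rather than from the browser, so the SP needs its own link from the SessionIndex issued at login to the HttpSession. The code below is an added example of that piece, not Keycloak or PicketLink code. It assumes Servlet 3.x on Java 8, that the IdP delivers the LogoutRequest as a base64 SAMLRequest form parameter (the SAML HTTP-POST binding), and that the servlet is the one mapped at the application's admin URL; the class names and the session attribute name are invented. Signature checking fails closed on purpose: the web.xml quoted earlier sets IGNORE_SIGNATURES to true, and an SP that honours unsigned LogoutRequests lets anyone who can reach the endpoint end sessions.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Links the SessionIndex the IdP issued at login to the container HttpSession (example code). */
public final class SamlSessionRegistry implements HttpSessionListener {
    private static final String INDEX_ATTR = "saml.sessionIndex";   // invented attribute name
    // In-memory and per node: on a cluster this needs a shared store or a broadcast.
    private static final Map<String, HttpSession> BY_INDEX = new ConcurrentHashMap<>();

    /** Call once the SP has validated the login Response and created the app session. */
    public static void register(String sessionIndex, HttpSession session) {
        session.setAttribute(INDEX_ATTR, sessionIndex);
        BY_INDEX.put(sessionIndex, session);
    }

    /** Ends the app session bound to a SessionIndex; false if this node knows none. */
    public static boolean logoutBySessionIndex(String sessionIndex) {
        HttpSession s = BY_INDEX.remove(sessionIndex);
        if (s == null) return false;
        try {
            s.invalidate();          // the step whose absence leaves sales-post logged in
        } catch (IllegalStateException alreadyInvalid) {
            // container expired it first; nothing left to do
        }
        return true;
    }

    @Override public void sessionCreated(HttpSessionEvent ev) { }

    /** Keeps the map in step with the container when it expires a session on its own. */
    @Override public void sessionDestroyed(HttpSessionEvent ev) {
        Object idx = ev.getSession().getAttribute(INDEX_ATTR);
        if (idx != null) BY_INDEX.remove(idx.toString(), ev.getSession());
    }

    /** Backchannel endpoint: the IdP posts here directly, so no browser cookie is available. */
    public static final class BackchannelLogoutServlet extends HttpServlet {
        private static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String encoded = req.getParameter("SAMLRequest");   // HTTP-POST binding parameter
            if (encoded == null) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
            Document doc;
            try {
                String xml = new String(Base64.getMimeDecoder().decode(encoded), StandardCharsets.UTF_8);
                doc = hardenedFactory().newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            } catch (Exception e) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            // Only a request signed by the IdP may end sessions; anything else is refused.
            if (!signatureIsValid(doc)) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
            NodeList indexes = doc.getElementsByTagNameNS(SAMLP_NS, "SessionIndex");
            for (int i = 0; i < indexes.getLength(); i++) {
                logoutBySessionIndex(indexes.item(i).getTextContent().trim());
            }
            resp.setStatus(HttpServletResponse.SC_OK);   // a full SP answers with a LogoutResponse
        }

        /** Hook for the SP's XML-DSig check against the IdP certificate; fails closed until overridden. */
        protected boolean signatureIsValid(Document doc) {
            return false;
        }

        /** DOM parser with DTDs and external entities disabled (XXE hardening for an unauthenticated endpoint). */
        private static DocumentBuilderFactory hardenedFactory() throws Exception {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            return f;
        }
    }
}
```

Wire it up with a <listener> entry for SamlSessionRegistry and a <servlet-mapping> for the nested servlet at the path registered as the admin URL in the Keycloak console, and call register() from wherever the SP finishes processing the login Response. The registry is deliberately the simplest thing that closes the gap; with more than one SP node the SessionIndex-to-session mapping has to live somewhere all nodes can reach, or the logout has to be relayed to the node that owns the session.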
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150407/65d1544b/attachment-0001.html