[keycloak-user] Spring Security adapter single logout

Scott Rossillo srossillo at smartling.com
Wed Dec 16 15:28:13 EST 2015


Spring typically registers any beans implementing HttpSessionListener with the servlet container. This may be an application server specific issue. What application server are you using?


Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Dec 16, 2015, at 6:40 AM, Andy Yar <andyyar66 at gmail.com> wrote:
> 
> Hello,
> I'm using 1.7.0 final integrated with Spring Security (which itself is integrated into Grails) using the OpenID Connect method. I've been kind of stuck with single (back-channel, k_logout) logout for a while.
> 
> It seems it's handled by the preAuthActions filter, which simply invalidates local sessions via a call to an injected HttpSessionManager. This manager stores active sessions in its instance and puts/removes them in reaction to HttpSessionEvents.
> 
> It looks like the HttpSessionManager has to be registered as a JEE listener in order to receive HttpSessionEvents. However, then you end up with two different instances - the listener and the bean in preAuthActions. Thus the invalidation process can't reach the sessions stored in the listener's instance and can't invalidate them at all.
> 
> A big sorry if I miss something very obvious.
> 
> Andy
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
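
One way to make sure the servlet container's session events reach the same HttpSessionManager instance that the preAuthActions filter uses is a small delegating listener, so that a back-channel logout can find and invalidate the sessions it tracks. This is an added example, not code from this thread or from the Keycloak project; the class name and the bean name `httpSessionManager` are assumptions, and it assumes HttpSessionManager implements HttpSessionListener, as the question implies.

```java
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.web.context.support.WebApplicationContextUtils;

/**
 * Register THIS class with the container (for example as a <listener> in
 * web.xml) instead of registering HttpSessionManager directly. The container
 * then creates only this stateless forwarder; every event is handed to the
 * single Spring-managed bean, which is the instance injected into the filter
 * that handles k_logout.
 */
public class SessionManagerDelegatingListener implements HttpSessionListener {

    // Assumption: the name under which the application's Spring configuration
    // defines the HttpSessionManager bean. Adjust to the real bean name.
    private static final String BEAN_NAME = "httpSessionManager";

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        delegate(event).sessionCreated(event);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        delegate(event).sessionDestroyed(event);
    }

    // Resolve the bean on each event rather than caching it in a field, so the
    // listener works even if the container instantiates it before the Spring
    // context has finished starting.
    private HttpSessionListener delegate(HttpSessionEvent event) {
        ServletContext ctx = event.getSession().getServletContext();
        // Throws IllegalStateException if no root WebApplicationContext is
        // present, which surfaces a misconfiguration instead of silently
        // leaving sessions untracked (and therefore never invalidated).
        return WebApplicationContextUtils
                .getRequiredWebApplicationContext(ctx)
                .getBean(BEAN_NAME, HttpSessionListener.class);
    }
}
```

To check the wiring, log `System.identityHashCode` of the bean in both the listener and the filter: the two values must match, otherwise a back-channel logout will leave local sessions alive.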
