[keycloak-user] Servlet Filter Adapter not working with Tomcat/Memcached

Bill Burke bburke at redhat.com
Thu Jul 7 23:19:40 EDT 2016


I'm looking at the code and there is serialization code to re-create 
the token object from a string in KeycloakSecurityContext.

private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
    in.defaultReadObject();

    token = parseToken(tokenString, AccessToken.class);
    idToken = parseToken(idTokenString, IDToken.class);
}




On 7/7/16 7:05 PM, LEONARDO NUNES wrote:
> Hi everyone,
>
> An application is deployed using the Servlet Filter Adapter on 2 Tomcats, 
> which save sessions to 1 Memcached. There's an Nginx load 
> balancer with sticky sessions in front of both Tomcats.
>
> After logging in to the application, if one Tomcat goes down or is removed 
> from the load balancer, we get the exception below. The problem occurs 
> using the Servlet Filter Adapter; it works with the Tomcat Adapter, but we 
> can't use it for some of our applications.
>
> java.lang.NullPointerException
> org.keycloak.KeycloakSecurityContext.getRealm(KeycloakSecurityContext.java:73)
> org.keycloak.adapters.RefreshableKeycloakSecurityContext.refreshExpiredToken(RefreshableKeycloakSecurityContext.java:103)
> org.keycloak.adapters.servlet.OIDCFilterSessionStore.checkCurrentToken(OIDCFilterSessionStore.java:87)
> org.keycloak.adapters.servlet.KeycloakOIDCFilter.doFilter(KeycloakOIDCFilter.java:145)
>
>
> 1. Access a restricted page of the application
> 2. Nginx will direct to Tomcat1 (because of sticky session next 
> requests will go to Tomcat1)
> 3. You will be redirected to Keycloak Login page
> 4. After login, Keycloak redirects back to the restricted page
> (Note: this session is already saved to memcached)
> 5. At Nginx disable Tomcat1 server
> 6. At the browser refresh the application page
> 7. Now the request will go to Tomcat2 server
> 8. The session is retrieved from memcached
> 9. An exception is thrown because token is null inside of 
> KeycloakSecurityContext.getRealm()
> (Note: sometimes at this step the restricted page is displayed, but if 
> I refresh the page the exception is thrown)
>
>
> I've opened the issue ticket below:
> https://issues.jboss.org/browse/KEYCLOAK-3288
>
>
> -- 
> Leonardo Nunes

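The pattern in the snippet above, as an added example (not part of the original post and not Keycloak's code): a transient parsed object is rebuilt from its string form in readObject, and the same class without that hook comes back from a serialization round trip with a null field and fails in getRealm(). The class names, ParsedToken and the "realm=demo" string are hypothetical stand-ins.

```java
import java.io.*;

public class TransientTokenDemo {
    // Hypothetical stand-in for a parsed token; not Keycloak's AccessToken.
    static class ParsedToken {
        final String realm;
        ParsedToken(String realm) { this.realm = realm; }
    }

    // Serialized form keeps only the string; the parsed object is transient.
    static class PlainContext implements Serializable {
        private static final long serialVersionUID = 1L;
        protected String tokenString;
        protected transient ParsedToken token;
        PlainContext(String tokenString) {
            this.tokenString = tokenString;
            this.token = parse(tokenString);
        }
        static ParsedToken parse(String s) { return new ParsedToken(s.substring("realm=".length())); }
        String getRealm() { return token.realm; } // NPE if token was never rebuilt
    }

    // Adds the hook from the snippet: rebuild the transient field after reading.
    static class HookedContext extends PlainContext {
        private static final long serialVersionUID = 1L;
        HookedContext(String tokenString) { super(tokenString); }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            token = parse(tokenString);
        }
    }

    // Serialize to a byte array and read it back, as a session store would.
    static PlainContext roundTrip(PlainContext ctx) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(ctx); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (PlainContext) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        String constructed = "realm=demo"; // constructed sample value, not a real token
        System.out.println("hooked realm: " + roundTrip(new HookedContext(constructed)).getRealm());
        try {
            roundTrip(new PlainContext(constructed)).getRealm();
        } catch (NullPointerException e) {
            System.out.println("no hook: token is null after deserialization");
        }
    }
}
```

The readObject hook is invoked by ObjectInputStream, so it only helps when the session store deserializes with Java's built-in serialization.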