[keycloak-user] Logout issue: UT000021: Session already invalidated with EAP7/WF10 adapter
Petr Široký
psiroky at redhat.com
Fri Feb 3 11:50:01 EST 2017
Hello everyone,
I am having a logout issue when using the EAP7/WF10 adapter
(2.5.1.Final) with EAP 7.0.0.GA. The server is RH-SSO 7.0.0.GA (but I
also tried the upstream Keycloak 2.5.1.Final).
This is a simplified version of the code (full reproducer here
https://github.com/psiroky/servlet-app-keycloak-reproducer):
public void doGet(HttpServletRequest request, HttpServletResponse
response) throws ServletException, IOException {
....
request.logout();
HttpSession session = request.getSession(false);
if (session != null) {
session.invalidate();
}
...
}
The code first calls request.logout() and then session.invalidate().
This works OK when we are _not_ using the Keycloak adapter. However,
once we switch to Keycloak adapter we end up with
"java.lang.IllegalStateException:UT000021: Session already invalidated".
I've been debugging the calls and it happens, because the
request.logout() bubbles down to the Keycloak adapter code which calls
session.invalidate() as well. For some reason (bug in Undertow/EAP?) the
request.getSession(false) then returns what it seems to be a valid
session (the invalidated flag=false). The session.invalidate() call
happens again, but the session was in fact already invalidated and thus
Undertow throws that IllegalStateException.
Please note that exactly the same code works on EAP 6 (+ EAP6 adapter).
The session also gets invalidated as part of logout(), but then the
request.getSession(false) returns null, so the second call to
invalidate() does not happen (this kind of points to Undertow as the
culprit).
I am trying to figure out what the root cause is:
1) Our application should _not_ call both request.logout() and then
session.invalidate() (even though it works for EAP6 and also with e.g.
basic auth without the Keycloak integration)
2) Keycloak adapter should not call session.invalidate() as part of
request.logout()
3) Undertow does not properly propagate the invalidate() call by the
Keycloak adapter.
4) Something completely different?
Thanks,
Petr
More information about the keycloak-user
mailing list