[keycloak-user] where does the tomcat client adapter save the session
Marek Posolda
mposolda at redhat.com
Wed Jul 19 03:42:05 EDT 2017
On 19/07/17 07:07, Yizhou Jiang(Yizhou) wrote:
> Hi,
> I have two questions:
>
>
> 1 Where does the tomcat client adapter store the user session ?
>
>
> When a user logs into an application protected by a Tomcat client adapter, there is only “JSESSIONID=E1EAC81E52C97DD64FFB4C13A1231996” in the cookie.
> But when I restart Tomcat, the user can still log in to the application with that cookie. Obviously the session isn't stored in Tomcat's memory. Where does the Tomcat client adapter store the user session?
It's saved in the HTTP Session and AFAIK HTTP sessions are not persisted
by Tomcat and are cleared after restart.
But I guess that when you restarted Tomcat, you didn't restart the
Keycloak server, right? So you still have the SSO cookie KEYCLOAK_IDENTITY
on the Keycloak server. So what happens for you is that after the restart of
Tomcat, when you open the URL of your Tomcat application, the user is redirected
to Keycloak, where he is automatically authenticated due to SSO and hence
is automatically authenticated in Tomcat too.
>
> 2 Are there any settings for the policy enforcer that can let an unauthenticated user access some resources in an application protected by a Tomcat client adapter?
>
> Setting the enforcement-mode to “DISABLED” still requires the user to be authenticated.
>
> "policy-enforcer": {
>     "enforcement-mode": "PERMISSIVE",
>     "paths": [
>         {
>             "path": "/public/*",
>             "enforcement-mode": "DISABLED"
>         }
>     ]
> }
Yes, true. There are security constraints declared in the web.xml of your
web application. And the adapter always requires the user to be authenticated
(and redirects to the login screen) once the user enters some "secured" URL from
there. So you may rather need to change your security constraints in
web.xml to ensure some URL is public.
Also I am not 100% sure, but I think that those "public" URLs
declared in web.xml will just be ignored by the Keycloak adapter entirely.
Which means that the declared "policy-enforcer" will be ignored too. In
other words, the "policy-enforcer" is applied just for authenticated
requests and it's done after the user was authenticated (again not 100%
sure, but rather something like 95% :)
Marek
>
>
>
> thanks ,
> yizhou
>
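As an added illustration (not part of the thread or of the Keycloak project's code), here is the web.xml arrangement Marek describes: the servlet container's security-constraint decides which URLs force authentication, so a policy-enforcer path marked DISABLED only helps once the constraint lets the request through. The path names, the role "user" and the realm name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example web.xml fragment for a Tomcat app behind the Keycloak adapter.
     Illustrative only; path names and the role "user" are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- PROBLEM: a constraint on /* makes the adapter redirect every request,
       including /public/*, to Keycloak before the policy enforcer ever runs.
       A policy-enforcer path with enforcement-mode DISABLED cannot undo that.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  -->

  <!-- FIX: constrain only the paths that must be authenticated.
       /public/* matches no constraint, so Tomcat serves it anonymously
       and the adapter is never asked to authenticate the request. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secured</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Hand authentication for the constrained paths to the Keycloak adapter
       (the adapter valve itself is registered in META-INF/context.xml). -->
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>example-realm</realm-name>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

With this layout the "/public/*" entry in the quoted policy-enforcer block becomes redundant for anonymous access; the enforcer still governs authenticated requests under /secured/*.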