2 Replies Latest reply on Feb 15, 2017 12:14 PM by Petr Široký

    Is it valid to call session.invalidate() as part of request.logout()? (via custom extension)

    Petr Široký Newbie

      Hello everyone,

      we are facing an issue when using the combo "request.logout() + session.invalidate()" as part of the "logout" servlet. We are using WF 10.1.0.Final / EAP7.


      The code looks like this:

      public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {



              HttpSession session = request.getSession(false);

              if (session != null) {




              // ....



      This works fine without the Keycloak extension (using e.g. the default WF properties files). However, once we enable the Keycloak extension, the call to session.invalidate() throws java.lang.IllegalStateException: UT000021: Session already invalidated. What happens is that the Keycloak extension calls session.invalidate() as part of request.logout(), so the second call to session.invalidate() is then invalid. What is weird is that the request.getSession(false) returns what it appears to be a valid (non-invalidated) session.


      I am trying to figure the root cause of this issue:

      1. Keycloak adapter should not be calling session.invalidate() as part of request.logout()
      2. WF/Undertow should not return what it appears to be a valid session when calling request.getSession(false) since the session was already invalided by the Keycloak extension.
      3. Something completely different


      Please note that the same code works on EAP 6.4.x. The request.getSession(false) returns null and thus the second call to session.invalidate() does not happen.


      Thanks for any help. Petr