Project: Red Hat build of Keycloak
Issue: RHBK-3928

Sessions not removed when user is deleted [GHI#43323]


      Area

      infinispan

      Describe the bug

      When a user is deleted we try to remove the sessions attached to that user, but the sessions are not really removed. It is quite hard to check that a session is still there, because the session is auto-removed as soon as it is prepared to be wrapped.

      I think the reason is the following. When a user is removed, we try to remove the associated sessions:

      1. The deletion of the user triggers UserRemovedEvent here.
      2. The event is processed by Infinispan here.
      3. That method tries to remove the sessions here.
      4. Nevertheless, the sessions are never retrieved, because the getUserSessionsStream method looks up the user to get the sessions, and the user is already removed. So it goes to the second `if`: the user is always null once removed, and an empty stream is always returned.

      So, in the end, no session is really removed. They are removed as soon as they are retrieved (see this line in the wrap method), but for the moment they stay in the Infinispan cache.
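To make the ordering problem concrete, here is an added toy model (not Keycloak code; class and method names such as SessionStore, wrap and the `fixed` flag are assumptions chosen to mirror the report). It shows the cache count staying put after the user is gone, the lazy drop on first access, and one assumed remedy: removing sessions by user id while the user still exists.

```python
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Toy model with assumed names (not Keycloak's): users plus a sessions cache."""
    users: dict = field(default_factory=dict)     # user_id -> username
    sessions: dict = field(default_factory=dict)  # session_id -> user_id

    def get_user_sessions_stream(self, user_id):
        # As in the report: the user is resolved first, so once the user row
        # is gone this yields nothing although its sessions are still cached.
        if user_id not in self.users:
            return []
        return [sid for sid, uid in self.sessions.items() if uid == user_id]

    def approximate_entries(self):
        # Stand-in for vendor_statistics_approximate_entries on cache="sessions".
        return len(self.sessions)

    def wrap(self, session_id):
        # Lazy clean-up on access: a session whose owner no longer exists is
        # dropped the moment it is touched (what a browser refresh triggers).
        uid = self.sessions.get(session_id)
        if uid is not None and uid not in self.users:
            del self.sessions[session_id]
            return None
        return uid

    def delete_user(self, user_id, fixed=False):
        if fixed:
            # Assumed fix: drop sessions by user id while the user still exists.
            for sid in [s for s, u in self.sessions.items() if u == user_id]:
                del self.sessions[sid]
        del self.users[user_id]
        # UserRemovedEvent handler: runs only after the user is already gone.
        for sid in self.get_user_sessions_stream(user_id):
            del self.sessions[sid]


def reproduce(fixed):
    """Return (entries right after the delete, entries after one session is touched)."""
    store = SessionStore(users={"u1": "alice"})  # constructed sample data
    store.sessions.update({"s-chrome": "u1", "s-firefox": "u1"})  # two browser logins
    store.delete_user("u1", fixed=fixed)
    after_delete = store.approximate_entries()
    store.wrap("s-chrome")  # the browser refresh that forces a re-login
    return after_delete, store.approximate_entries()
```

With the buggy path both sessions survive the delete and only the touched one disappears afterwards; with the assumed fix the cache is empty immediately.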

      Version

      26.4.0

      Regression

      [ ] The issue is a regression

      Expected behavior

      Don't really know, but I suppose we want them removed, as we have calls to delete them.

      Actual behavior

      The sessions are maintained and deleted when they are used or by expiration.

      How to Reproduce?

      • Create a user in a realm.
      • Perform some logins to the account console from different browsers using the same user.
      • Check using statistics that the sessions are there:
        curl -sk https://localhost:9000/metrics | grep "cache=\"sessions\"" | grep vendor_statistics_approximate_entries
      • Remove the user.
      • Check using the same curl command that the sessions are still there.
      • Refresh the browser page to force a re-login.
      • Check with the curl command that the sessions disappear now.

      Anything else?

      As mentioned, it's hard to check that the sessions are not removed, but following the code you will see that the sessions are never deleted, because this line is never executed.

              Unassigned Unassigned
              pvlha Pavel Vlha
              Keycloak SRE