From a899d86ac001adc3a19fae4cd9fa8b781f2e5ba9 Mon Sep 17 00:00:00 2001
From: Bill Burke <bburke@redhat.com>
Date: Wed, 3 Feb 2016 16:43:29 -0500
Subject: [PATCH 1/2] KEYCLOAK-2444

---
 .../org/keycloak/subsystem/as7/KeycloakSubsystemParser.java     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/adapters/oidc/as7-eap6/as7-subsystem/src/main/java/org/keycloak/subsystem/as7/KeycloakSubsystemParser.java b/adapters/oidc/as7-eap6/as7-subsystem/src/main/java/org/keycloak/subsystem/as7/KeycloakSubsystemParser.java
index 4ed35a687b..c38c6bd94c 100755
--- a/adapters/oidc/as7-eap6/as7-subsystem/src/main/java/org/keycloak/subsystem/as7/KeycloakSubsystemParser.java
+++ b/adapters/oidc/as7-eap6/as7-subsystem/src/main/java/org/keycloak/subsystem/as7/KeycloakSubsystemParser.java
@@ -243,7 +243,7 @@ class KeycloakSubsystemParser implements XMLStreamConstants, XMLElementReader<Li
             String credName = credential.getName();
             String credValue = credential.getValue().get(CredentialDefinition.VALUE.getName()).asString();
 
-            if (credName.contains("")) {
+            if (credName.indexOf('.') > -1) {
                 String[] parts = credName.split("\\.");
                 String provider = parts[0];
                 String propKey = parts[1];

From c4c99d5f81a5d8ffb966872d008dd3dedfb2f840 Mon Sep 17 00:00:00 2001
From: Bill Burke <bburke@redhat.com>
Date: Wed, 3 Feb 2016 17:31:50 -0500
Subject: [PATCH 2/2] KEYCLOAK-2443

---
 .../keycloak/adapters/servlet/KeycloakOIDCFilter.java |  6 ++++++
 .../adapters/servlet/OIDCFilterSessionStore.java      |  2 ++
 .../en/en-US/modules/servlet-filter-adapter.xml       | 11 ++++++++++-
 .../en/en-US/modules/servlet-filter-adapter.xml       |  6 +++++-
 .../src/main/webapp/WEB-INF/web.xml                   |  3 ++-
 examples/demo-template/testrealm.json                 |  2 +-
 6 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java b/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java
index ddd755234d..dab75015a6 100755
--- a/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java
+++ b/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java
@@ -102,6 +102,8 @@ public class KeycloakOIDCFilter implements Filter {
 
     @Override
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
+        log.fine("Keycloak OIDC Filter");
+        //System.err.println("Keycloak OIDC Filter: " + ((HttpServletRequest)req).getRequestURL().toString());
         HttpServletRequest request = (HttpServletRequest) req;
         HttpServletResponse response = (HttpServletResponse) res;
         OIDCServletHttpFacade facade = new OIDCServletHttpFacade(request, response);
@@ -122,7 +124,10 @@ public class KeycloakOIDCFilter implements Filter {
 
             @Override
             public void logoutHttpSessions(List<String> ids) {
+                log.fine("**************** logoutHttpSessions");
+                //System.err.println("**************** logoutHttpSessions");
                 for (String id : ids) {
+                    log.finest("removed idMapper: " + id);
                     idMapper.removeSession(id);
                 }
 
@@ -130,6 +135,7 @@ public class KeycloakOIDCFilter implements Filter {
         }, deploymentContext, facade);
 
         if (preActions.handleRequest()) {
+            //System.err.println("**************** preActions.handleRequest happened!");
             return;
         }
 
diff --git a/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/OIDCFilterSessionStore.java b/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/OIDCFilterSessionStore.java
index 086ef50d97..8a3010ddd9 100755
--- a/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/OIDCFilterSessionStore.java
+++ b/adapters/oidc/servlet-filter/src/main/java/org/keycloak/adapters/servlet/OIDCFilterSessionStore.java
@@ -112,6 +112,8 @@ public class OIDCFilterSessionStore extends FilterSessionStore implements Adapte
         }
 
         if (idMapper != null && !idMapper.hasSession(httpSession.getId())) {
+            log.fine("idMapper does not have session: " + httpSession.getId());
+            //System.err.println("idMapper does not have session: " + httpSession.getId());
             cleanSession(httpSession);
             return false;
         }
diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/servlet-filter-adapter.xml b/docbook/auth-server-docs/reference/en/en-US/modules/servlet-filter-adapter.xml
index 91425d46eb..45ed993f33 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/servlet-filter-adapter.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/servlet-filter-adapter.xml
@@ -46,11 +46,20 @@
     </filter>
     <filter-mapping>
         <filter-name>Keycloak Filter</filter-name>
-        <url-pattern>/*</url-pattern>
+        <url-pattern>/keycloak/*</url-pattern>
+        <url-pattern>/protected/*</url-pattern>
     </filter-mapping>
 </web-app>
 ]]>
     </programlisting>
+    <para>
+        If you notice above, there are two url-patterns.  <literal>/protected/*</literal> are just the files we want protected.
+        <literal>/keycloak/*</literal> url-pattern will handle callback from the keycloak server.
+        Note that you should configure your client in the Keycloak Admin Console
+        with an Admin URL that points to a secured section covered by the filter's url-pattern.
+        The Admin URL will make callbacks to the Admin URL to do things like backchannel logout.  So, the Admin URL in this example should
+        be <literal>http[s]://hostname/{context-root}/keycloak</literal>.  There is an example of this in the distribution.
+    </para>
     <para>
         The Keycloak filter has the same configuration parameters available as the other adapters except you must define
         them as filter init params instead of context params.
diff --git a/docbook/saml-adapter-docs/reference/en/en-US/modules/servlet-filter-adapter.xml b/docbook/saml-adapter-docs/reference/en/en-US/modules/servlet-filter-adapter.xml
index 68b7daa04c..ff6d377353 100755
--- a/docbook/saml-adapter-docs/reference/en/en-US/modules/servlet-filter-adapter.xml
+++ b/docbook/saml-adapter-docs/reference/en/en-US/modules/servlet-filter-adapter.xml
@@ -64,9 +64,13 @@
     </para>
     <warning>
         <para>
-            You must have a filter mapping for <literal>/saml</literal>
+            You must have a filter mapping that covers <literal>/saml</literal>.  This mapping covers all server callbacks.
         </para>
     </warning>
+    <para>
+        When registering SPs with an IDP, you must register <literal>http[s]://hostname/{context-root}/saml</literal> as
+        your Assert Consumer Service URL and Single Logout Service URL.
+    </para>
     <para>
         To use this filter, include this maven artifact in your WAR poms
     </para>
diff --git a/examples/demo-template/customer-app-filter/src/main/webapp/WEB-INF/web.xml b/examples/demo-template/customer-app-filter/src/main/webapp/WEB-INF/web.xml
index d724aa2f8e..b5098acb75 100755
--- a/examples/demo-template/customer-app-filter/src/main/webapp/WEB-INF/web.xml
+++ b/examples/demo-template/customer-app-filter/src/main/webapp/WEB-INF/web.xml
@@ -29,7 +29,8 @@
     </filter>
     <filter-mapping>
         <filter-name>Keycloak Filter</filter-name>
-        <url-pattern>/customers/*</url-pattern>
+        <url-pattern>/keycloak/*</url-pattern> <!-- this is so keycloak server can send events like backchannel logout -->
+        <url-pattern>/customers/*</url-pattern> <!-- this secures things -->
     </filter-mapping>
 
 </web-app>
diff --git a/examples/demo-template/testrealm.json b/examples/demo-template/testrealm.json
index e1d07bab47..20cd6150ed 100755
--- a/examples/demo-template/testrealm.json
+++ b/examples/demo-template/testrealm.json
@@ -123,7 +123,7 @@
         {
             "clientId": "customer-portal-filter",
             "enabled": true,
-            "adminUrl": "/customer-portal-filter",
+            "adminUrl": "/customer-portal-filter/keycloak",
             "baseUrl": "/customer-portal-filter",
             "redirectUris": [
                 "/customer-portal-filter/*"