[keycloak-dev] servlet-filter-adapter Principal NPE

Bill Burke bburke at redhat.com
Tue Feb 2 14:43:02 EST 2016


And FYI...completeOAuth and completeBearer should not be identical. 
CompleteOAuth stores things in the HttpSession.  Bearer tokens should 
not be creating an HttpSession.

On 2/2/2016 2:41 PM, Bill Burke wrote:
> This is fixed in master already.
>
> On 2/2/2016 1:38 PM, Harold Campbell wrote:
>> The servlet-filter-adapter causes an NPE when a user authed either
>> through Basic or Bearer attempts to retrieve the Principal from the
>> HttpServletRequest. This is because completeBearerAuthentication,
>> unlike completeOAuthAuthentication, does not add an OidcKeycloakAccount
>> to the session. If a user is authed via OAuth, everything works fine.
>>
>> The attached patch against 1.8.x takes care of the problem. It appears
>> the same problem exists in master, though with files moved around the
>> patch will not apply directly. This patch makes completeBearer...
>> essentially identical to completeOAuth..., so for 1.9.x (or indeed
>> 1.8.x if someone wants to redo this) these might oughta be combined
>> into a single method.
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
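
The distinction drawn in this thread, as an added example that is not part of the original messages or of the Keycloak code base: a browser login keeps the account in the session, a bearer-token request keeps it only on the request, and the principal lookup checks both without creating a session or dereferencing null. Every class, method and attribute name below is a hypothetical stand-in, not a Keycloak or Servlet API type.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

// Added illustration; all types here are hypothetical stand-ins, not Keycloak or Servlet API classes.
public class PrincipalLookupDemo {
    static final String ACCOUNT_KEY = "demo.account"; // constructed attribute name

    // Minimal stand-in for a request with per-request attributes and an optional session.
    static class Request {
        final Map<String, Object> attributes = new HashMap<>();
        Map<String, Object> session; // null until something creates it
        int sessionsCreated = 0;

        Map<String, Object> getSession(boolean create) {
            if (session == null && create) { session = new HashMap<>(); sessionsCreated++; }
            return session;
        }
    }

    // Browser (OAuth) login: stateful, so the account is kept in the session.
    static void completeOAuth(Request req, Principal account) {
        req.getSession(true).put(ACCOUNT_KEY, account);
    }

    // Bearer token: stateless, so the account lives only for this request.
    static void completeBearer(Request req, Principal account) {
        req.attributes.put(ACCOUNT_KEY, account);
    }

    // Null-safe lookup: request attribute first, then an existing session, never creating one.
    static Principal getUserPrincipal(Request req) {
        Object account = req.attributes.get(ACCOUNT_KEY);
        if (account == null) {
            Map<String, Object> s = req.getSession(false);
            if (s != null) account = s.get(ACCOUNT_KEY);
        }
        return (Principal) account; // null means unauthenticated; callers must check
    }

    public static void main(String[] args) {
        Request bearer = new Request();
        completeBearer(bearer, () -> "api-client"); // constructed principal name
        System.out.println(getUserPrincipal(bearer).getName() + " sessions=" + bearer.sessionsCreated);

        Request browser = new Request();
        completeOAuth(browser, () -> "alice"); // constructed principal name
        System.out.println(getUserPrincipal(browser).getName() + " sessions=" + browser.sessionsCreated);

        System.out.println(getUserPrincipal(new Request())); // unauthenticated request
    }
}
```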
