[keycloak-dev] Spring Security adapter

Д Михаил mmihaylovich at outlook.com
Sat Mar 17 14:06:03 EDT 2018


Hello,

I'm going to use Spring Session to substitute container-specific session management and for session clustering purposes.
KeycloakSecurityContext will also be stored in the HTTP session. It means that KeycloakPrincipal with KeycloakSecurityContext will be serialized and deserialized between requests.

In this case I faced the following situation:

After successful authentication:

2018-02-14 01:02:52.672 DEBUG 14424 --- [nio-8080-exec-6] f.KeycloakAuthenticationProcessingFilter : Auth outcome: AUTHENTICATED

2018-02-14 01:02:52.672 DEBUG 14424 --- [nio-8080-exec-6] o.s.s.authentication.ProviderManager     : Authentication attempt using org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider
2018-02-14 01:02:52.672 DEBUG 14424 --- [nio-8080-exec-6] f.KeycloakAuthenticationProcessingFilter : Authentication success. Updating SecurityContextHolder to contain: org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken at b78d8e87: Principal: user1; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount at 1906910f; Granted Authorities: ROLE_user, ROLE_uma_authorization

- KeycloakSecurityContextRequestFilter clears SecurityContextHolder:
2018-02-14 01:02:52.715 DEBUG 14424 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /customers at position 11 of 15 in additional filter chain; firing Filter: 'KeycloakSecurityContextRequestFilter'
2018-02-14 01:02:52.715 DEBUG 14424 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /customers at position 12 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-02-14 01:02:52.716 DEBUG 14424 --- [nio-8080-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken at 6fabe8e0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails at fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 06690a32-ab3f-48d6-8776-de16f5d1ad05; Granted Authorities: ROLE_ANONYMOUS'


As a result I had an infinite redirect loop between my webapp and the Keycloak server.

After some investigation I have found why it happened.
When KeycloakSecurityContextRequestFilter checks refreshableSecurityContext.isActive(), refreshableSecurityContext does not contain a KeycloakDeployment (it is null). Thus refreshableSecurityContext.isActive() is always false.

    // RefreshableKeycloakSecurityContext.isActive(): the deployment != null check
    // fails for a deserialized context, regardless of the token's validity.
    public boolean isActive() {
        return token != null && this.token.isActive() && deployment != null && this.token.getIssuedAt() > deployment.getNotBefore();
    }

The cause of this situation is that RefreshableKeycloakSecurityContext is created via deserialization and deployment is not reassigned.

I have a patch to fix it if you agree with that issue.
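To show the mechanism described in this message, the following is an added example (not from the original message and not Keycloak's code) using a constructed stand-in for RefreshableKeycloakSecurityContext: the transient deployment field does not survive the session round-trip, so isActive() is false on the deserialized copy until the current deployment is reattached. The class names DeserializedContextDemo, Deployment and Context and the simplified token check are assumptions made for this illustration.

```java
import java.io.*;

// Constructed stand-in for RefreshableKeycloakSecurityContext; not Keycloak's class.
public class DeserializedContextDemo {
    // Hypothetical stand-in for KeycloakDeployment: only the not-before time matters here.
    static final class Deployment {
        final long notBefore;
        Deployment(long notBefore) { this.notBefore = notBefore; }
    }

    static final class Context implements Serializable {
        private static final long serialVersionUID = 1L;
        private final long tokenIssuedAt;         // seconds since epoch
        private final long tokenExpiresAt;
        private transient Deployment deployment;  // never part of the serialized session state

        Context(long issuedAt, long expiresAt, Deployment deployment) {
            this.tokenIssuedAt = issuedAt;
            this.tokenExpiresAt = expiresAt;
            this.deployment = deployment;
        }

        boolean hasDeployment() { return deployment != null; }
        void setDeployment(Deployment d) { this.deployment = d; }

        // Same shape as the isActive() quoted above: a null deployment short-circuits
        // to false even though the token itself is still valid.
        boolean isActive(long now) {
            return now < tokenExpiresAt && deployment != null && tokenIssuedAt > deployment.notBefore;
        }
    }

    // Simulates the session store writing the context and reading it back on the next request.
    static Context sessionRoundTrip(Context c) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(c); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (Context) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Deployment deployment = new Deployment(1000L);
        Context fresh = new Context(2000L, 5000L, deployment);
        long now = 3000L;
        System.out.println("fresh context active: " + fresh.isActive(now));
        Context restored = sessionRoundTrip(fresh);
        System.out.println("restored, deployment lost: " + restored.isActive(now));
        // The check the request filter needs: reattach the current deployment before calling isActive().
        if (!restored.hasDeployment()) restored.setDeployment(deployment);
        System.out.println("restored, deployment reattached: " + restored.isActive(now));
    }
}
```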
