[keycloak-user] Spring Security Adapter working but no Principal

Marc Logemann marc.logemann at gmail.com
Wed Apr 4 17:41:55 EDT 2018


Hi,

it's even simpler. Hystrix has a config setting for sharing the Spring
Security "SecurityContext". So it seems someone already had the
problem before us and submitted something to the Hystrix project. At
the end we can leave it as it is and just put the right config into
place. As always the tough part was debugging the whole mess and
pinpointing the problem. The solution is most of the time easier than
the research before.

But this is a little bit off topic at this point because it has nothing
to do with Keycloak's Spring Adapter. But to make this post
interesting for people debugging problems in the space of Spring and
Keycloak Spring Adapter: I highly recommend this:
@EnableWebSecurity(debug = true)

This little debug flag helped us along the way... it really gives some
nice output.

marc

2018-04-04 19:38 GMT+02:00 Dominik Guhr <pinguwien at gmail.com>:
> Hi Marc,
>
> first of all: I've not used kc together with hystrix yet (but just
> building a docker env with spring cloud, kc and ELK, may be part of
> future blog entries) - so, just guessing here.
>
> That said: it may do the trick to use the inheritablethreadlocal
> strategy for your securityconfig (which also gives you the ability to
> use @async) as stated here at line 35:
>
> https://github.com/Pinguwien/guestbook-backend/blob/master/src/main/java/de/codecentric/demo/guestbook/infrastructure/environment/spring/config/SecurityConfig.java
>
> or in my blog entries (German, you know where)
>
> Best regards,
> Dominik
>
> On 04.04.18 at 17:24, Marc Logemann wrote:
>> Hi,
>>
>> can't provide that but after extensive debugging we know the problem.
>> Had nothing to do with Keycloak Spring Adapter but a Hystrix
>> Annotation on the Spring Controller. Hystrix dispatches to a whole new
>> thread and this breaks the SecurityContextHolder which is of course
>> ThreadLocal based.
>>
>> We removed the hystrix stuff for now and will investigate that later on.
>>
>> marc
>>
>>
>> 2018-04-04 11:24 GMT+02:00 Sebastien Blanc <sblanc at redhat.com>:
>>> Do you have a sample project shared somewhere to reproduce this ?
>>>
>>> On Wed, Apr 4, 2018 at 11:14 AM, Marc Logemann <marc.logemann at gmail.com>
>>> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have a weird thing going on. My Keycloak Spring Security adapter
>>>> works as expected. But I am unable to retrieve the principal. I am
>>>> requesting a REST service with a valid Bearer Token. In the REST
>>>> controller I want to see the principal via:
>>>>
>>>> Principal userPrincipal = request.getUserPrincipal();
>>>>
>>>> or
>>>>
>>>> Authentication authentication =
>>>> SecurityContextHolder.getContext().getAuthentication();
>>>> String currentPrincipalName = authentication.getName();
>>>>
>>>> But everything is null. Funny thing is, the Keycloak Filter set the
>>>> Authentication correctly but at the end, in my controller, it's not
>>>> there anymore.
>>>>
>>>> here is my filter list:
>>>>
>>>> Security filter chain: [
>>>>    WebAsyncManagerIntegrationFilter
>>>>    SecurityContextPersistenceFilter
>>>>    HeaderWriterFilter
>>>>    KeycloakPreAuthActionsFilter
>>>>    LogoutFilter
>>>>    KeycloakAuthenticationProcessingFilter
>>>>    RequestCacheAwareFilter
>>>>    SecurityContextHolderAwareRequestFilter
>>>>    AnonymousAuthenticationFilter
>>>>    SessionManagementFilter
>>>>    ExceptionTranslationFilter
>>>>    FilterSecurityInterceptor
>>>> ]
>>>>
>>>> Has anyone experienced something like this or has an idea?
>>>>
>>>> Thanks
>>>> Marc
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>

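The failure mode diagnosed in this thread, reproduced with a plain thread pool standing in for the Hystrix worker thread, next to one way to propagate the context per task. This is an added example, not code from the thread or from the Keycloak or Hystrix projects; it assumes spring-security-core on the classpath, and the class name and the "alice" principal are constructed.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.concurrent.DelegatingSecurityContextExecutorService;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class SecurityContextThreadDemo {

    // Principal name visible on the calling thread, or null if there is none.
    static String currentPrincipal() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? null : auth.getName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the Authentication that the Keycloak filter
        // stores on the request thread after validating the bearer token.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("alice", "n/a", "ROLE_USER"));

        Callable<String> whoAmI = SecurityContextThreadDemo::currentPrincipal;
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Default thread-local strategy: the worker has its own, empty context.
            String plain = pool.submit(whoAmI).get();

            // The wrapper captures the submitter's context at submit time,
            // installs it on the worker for the task, then restores the worker.
            ExecutorService propagating = new DelegatingSecurityContextExecutorService(pool);
            String wrapped = propagating.submit(whoAmI).get();

            // Same worker thread, unwrapped again: no identity is left behind.
            String after = pool.submit(whoAmI).get();

            System.out.println("request thread : " + currentPrincipal()); // alice
            System.out.println("plain worker   : " + plain);              // null
            System.out.println("wrapped task   : " + wrapped);            // alice
            System.out.println("worker after   : " + after);              // null
        } finally {
            pool.shutdown();
            SecurityContextHolder.clearContext();
        }
    }
}
```

The inheritable thread-local strategy mentioned in the quoted reply copies the context only when a thread is created, so with a reused pool thread the worker keeps the identity of whichever request created it. Per-task propagation as above avoids handing one caller's principal to another caller's work.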