[keycloak-user] Spring Security adapter

Д Михаил mmihaylovich at outlook.com
Thu Feb 15 10:54:22 EST 2018


Hello,

I'm going to use Spring Session to substitute container-specific session management and for session clustering purposes.
KeycloakSecurityContext will also be stored in the HTTP session. It means that KeycloakPrincipal with KeycloakSecurityContext will be serialized and deserialized between requests.

In this case I faced the following situation:

 - After successful authentication 
2018-02-14 01:02:52.672 DEBUG 14424 --- [nio-8080-exec-6] f.KeycloakAuthenticationProcessingFilter : Auth outcome: AUTHENTICATED

2018-02-14 01:02:52.672 DEBUG 14424 --- [nio-8080-exec-6] o.s.s.authentication.ProviderManager     : Authentication attempt using org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider
2018-02-14 01:02:52.672 DEBUG 14424 --- [nio-8080-exec-6] f.KeycloakAuthenticationProcessingFilter : Authentication success. Updating SecurityContextHolder to contain: org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken at b78d8e87: Principal: user1; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount at 1906910f; Granted Authorities: ROLE_user, ROLE_uma_authorization

- KeycloakSecurityContextRequestFilter clears SecurityContextHolder.
2018-02-14 01:02:52.715 DEBUG 14424 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /customers at position 11 of 15 in additional filter chain; firing Filter: 'KeycloakSecurityContextRequestFilter'
2018-02-14 01:02:52.715 DEBUG 14424 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /customers at position 12 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-02-14 01:02:52.716 DEBUG 14424 --- [nio-8080-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken at 6fabe8e0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails at fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 06690a32-ab3f-48d6-8776-de16f5d1ad05; Granted Authorities: ROLE_ANONYMOUS'


As a result I had an infinite loop of redirection between my webapp and the Keycloak server.

After some investigation I have found why it happened.
When KeycloakSecurityContextRequestFilter checks refreshableSecurityContext.isActive(), refreshableSecurityContext does not contain a KeycloakDeployment (= null). Thus refreshableSecurityContext.isActive() is always false.

    // RefreshableKeycloakSecurityContext.isActive(): every condition must hold,
    // so a null deployment makes the whole check false.
    public boolean isActive() {
        return token != null && this.token.isActive() && deployment != null && this.token.getIssuedAt() > deployment.getNotBefore();
    }

The cause of this situation is that RefreshableKeycloakSecurityContext is created via deserialization and the deployment is not reassigned.

If you agree with that issue, I can suggest a solution: set the deployment in the doFilter method of KeycloakSecurityContextRequestFilter.

...
        if (keycloakSecurityContext instanceof RefreshableKeycloakSecurityContext) {
            RefreshableKeycloakSecurityContext refreshableSecurityContext = (RefreshableKeycloakSecurityContext) keycloakSecurityContext;

            // The deployment is request-scoped; re-attach it when the context came out of the session
            // (after deserialization) without one, so that isActive() can evaluate the token again.
            KeycloakDeployment deployment = resolveDeployment(request, response);
            if (refreshableSecurityContext.getDeployment() == null) {
                AdapterTokenStore adapterTokenStore = adapterTokenStoreFactory.createAdapterTokenStore(deployment, (HttpServletRequest) request);
                refreshableSecurityContext.setCurrentRequestInfo(deployment, adapterTokenStore);
            }
...
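The failure mode described in this message, reproduced as an added stand-alone example (not code from the original post or from the Keycloak project): a RefreshableKeycloakSecurityContext is round-tripped through Java serialization the way a session store would do it, which drops the transient deployment and makes isActive() false until setCurrentRequestInfo re-attaches it. The constructor argument order, the use of a null AdapterTokenStore and the token values are assumptions for the purpose of the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.common.util.Time;
import org.keycloak.representations.AccessToken;

public class DeserializedContextCheck {

    // Serialize and deserialize the context the way a session store (e.g. Spring Session) does.
    static RefreshableKeycloakSecurityContext roundTrip(RefreshableKeycloakSecurityContext ctx) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(ctx);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (RefreshableKeycloakSecurityContext) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed token (assumption, not a real Keycloak token): issued now, valid for five minutes.
        AccessToken token = new AccessToken();
        token.issuedAt(Time.currentTime());
        token.expiration(Time.currentTime() + 300);

        // Deployment with notBefore = 0, so issuedAt > notBefore holds for a fresh token.
        KeycloakDeployment deployment = new KeycloakDeployment();
        deployment.setNotBefore(0);

        // Assumed constructor order: deployment, token store, token string, token, id token string, id token, refresh token.
        RefreshableKeycloakSecurityContext ctx = new RefreshableKeycloakSecurityContext(
                deployment, null, "constructed-token-string", token, null, null, null);
        System.out.println("before round trip: isActive=" + ctx.isActive());

        // The deployment field is transient, so it does not survive serialization;
        // isActive() now fails on the deployment != null condition although the token itself is fine.
        RefreshableKeycloakSecurityContext restored = roundTrip(ctx);
        System.out.println("after round trip: deployment null=" + (restored.getDeployment() == null)
                + ", isActive=" + restored.isActive());

        // The fix proposed in the message: re-attach the request-scoped deployment (and token store)
        // before the filter evaluates isActive().
        restored.setCurrentRequestInfo(deployment, null);
        System.out.println("after setCurrentRequestInfo: isActive=" + restored.isActive());
    }
}
```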


