[keycloak-user] Error controller is not invoked if authentication failed

Aliaksei Lahachou aliaksei.lahachou at gmail.com
Tue Jan 22 10:36:29 EST 2019


Hello,

I'm migrating our application from Spring Boot 1.5.19 / Keycloak 3.4.3 to
Spring Boot 2.1.2 / Keycloak 4.8.3.

I'm currently facing the problem that if authentication fails (invalid
token), the error controller is not invoked (BasicErrorController by
default).

The reason is that when authentication fails, the request is redirected to
the error controller, and the security filters are invoked again. Because the
authorization header is still there, KeycloakAuthenticationProcessingFilter
fails again.

In older versions of Spring Boot / Keycloak, security filters are not
invoked after the request is redirected to the error controller. Basic
authentication works as expected in both old and new versions, seemingly
because BasicAuthenticationFilter extends OncePerRequestFilter, which skips
the filter for the error URI (skipDispatch method).

I created example applications with tests that reproduce the problem, see
[1] and [2]. Am I missing some configuration? Or is this a bug?

[1] https://github.com/htfv/examples/tree/master/spring-boot-1-keycloak
[2] https://github.com/htfv/examples/tree/master/spring-boot-2-keycloak

Regards,
Aliaksei
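
The dispatch check the message describes, as an added example that is not part of the original post and not code from Keycloak or Spring: a servlet filter wrapper that runs a wrapped authentication filter on normal dispatches and passes the container's ERROR dispatch through untouched. The class name `SkipOnErrorDispatchFilter` and the wrapping approach are assumptions for illustration; only the standard `javax.servlet` API (Servlet 3.0+, as used by Spring Boot 2.1) is relied on.

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

/**
 * Hypothetical wrapper (name and design are assumptions, not Keycloak code).
 * Delegates to the wrapped filter for REQUEST and other dispatches, but does
 * not re-run it when the container re-dispatches the request to the error page.
 */
public class SkipOnErrorDispatchFilter implements Filter {

    private final Filter delegate;

    public SkipOnErrorDispatchFilter(Filter delegate) {
        this.delegate = delegate;
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        delegate.init(filterConfig);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request.getDispatcherType() == DispatcherType.ERROR) {
            // The original request already failed authentication. The same
            // Authorization header is still present on the error dispatch, so
            // re-running the delegate would fail again before the error
            // controller is reached. Continue down the chain instead.
            chain.doFilter(request, response);
            return;
        }
        delegate.doFilter(request, response, chain);
    }

    @Override
    public void destroy() {
        delegate.destroy();
    }
}
```

On the ERROR dispatch no authentication is established, so the error path is handled as an unauthenticated request and should return only the error body.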

