Hi,
we want to use Keycloak in our Spring Boot application. So as a Keycloak adapter we are
using the keycloak-spring-security-adapter. For using authorization with the
keycloak-spring-security-adapter we found the following JIRA enhancement:
https://issues.jboss.org/browse/KEYCLOAK-3474. So we configured our
WebSecurityConfigurerAdapter#configure() like this to use the
KeycloakAuthenticationProcessingFilter:
http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
    .and()
    .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
    .addFilterBefore(keycloakAuthenticationProcessingFilter(),
        BasicAuthenticationFilter.class)
    .addFilterAfter(keycloakAuthenticatedActionsFilter(),
        KeycloakAuthenticationProcessingFilter.class)
    …
The problem is, we are now getting a ClassCastException in SimpleHttpFacade. Stack trace:

Caused by: java.lang.ClassCastException: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount cannot be cast to org.keycloak.KeycloakSecurityContext
    at org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade.getSecurityContext(SimpleHttpFacade.java:60) ~[keycloak-spring-security-adapter-2.5.4.Final.jar:2.5.4.Final]
    at org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:70) ~[keycloak-adapter-core-2.5.4.Final.jar:2.5.4.Final]
    at org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:79) ~[keycloak-adapter-core-2.5.4.Final.jar:2.5.4.Final]
    at org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:142) ~[keycloak-adapter-core-2.5.4.Final.jar:2.5.4.Final]
    ... 56 common frames omitted
We could fix this with the following changes:
1) Override SimpleHttpFacade#getSecurityContext() and change it as follows:
@Override
public KeycloakSecurityContext getSecurityContext() {
    // getAuthentication(...) is a helper that returns the details object of the
    // current Authentication (null when nobody is authenticated)
    Object details = getAuthentication(SecurityContextHolder.getContext());
    if (details != null) {
        if (details instanceof KeycloakSecurityContext) {
            // details already carry the security context (what the original code expects)
            return (KeycloakSecurityContext) details;
        }
        else if (details instanceof OidcKeycloakAccount) {
            // details are a SimpleKeycloakAccount as set by KeycloakAuthenticationProcessingFilter;
            // unwrap the security context instead of casting the account
            return ((OidcKeycloakAccount) details).getKeycloakSecurityContext();
        }
    }
    return null;
}
2) Using our own KeycloakAuthenticatedActionsFilter, which is a copy of the original
KeycloakAuthenticatedActionsFilter, except that it uses our own SimpleHttpFacade.
So is there a bug in SimpleHttpFacade, or is the problem caused by a misconfiguration on
our side?
Regards
Jörg Zaunegger