Hello!
I'm using keycloak-spring-security and I have a question related to
the usefulness of sessionAuthenticationStrategy(), which is used twice in
the KeycloakWebSecurityConfigurerAdapter.
1) it's used for KeycloakAuthenticationProcessingFilter:

    filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());

2) it's passed to httpSecurity:

    http
        .sessionManagement()
        .sessionAuthenticationStrategy(sessionAuthenticationStrategy())

While the first usage looks fine and is indeed in use, the second one's
intention is unclear.
It has influence on SessionManagementFilter; however, in the keycloak filter
chain the session management filter is not invoked on successful
authentication
(KeycloakAuthenticationProcessingFilter.continueChainBeforeSuccessfulAuthentication
is false).
Are there any real cases when this http session authentication strategy
initialization is useful?
Thanks for your help!