As a proof of concept, I wrapped KeycloakAuthenticationProcessingFilter
with a OncePerRequestFilter implementation, and the error controller is invoked
as expected.
On Tue, Jan 22, 2019 at 4:36 PM Aliaksei Lahachou <
aliaksei.lahachou(a)gmail.com> wrote:
Hello,
I'm migrating our application from Spring Boot 1.5.19 / Keycloak 3.4.3 to
Spring Boot 2.1.2 / Keycloak 4.8.3.
I'm currently facing the problem that if authentication fails (invalid
token), the error controller is not invoked (BasicErrorController by
default).
The reason is that when authentication fails, the request is redirected to
the error controller, and the security filters are invoked again. Because the
authorization header is still there, KeycloakAuthenticationProcessingFilter
fails again.
In older versions of Spring Boot / Keycloak, security filters are not
invoked after the request is redirected to the error controller. Basic
authentication works as expected in both old and new versions, seemingly
because BasicAuthenticationFilter extends OncePerRequestFilter, which skips
the filter for the error URI (skipDispatch method).
I created example applications with tests that reproduce the problem, see
[1] and [2]. Am I missing some configuration? Or is this a bug?
[1] https://github.com/htfv/examples/tree/master/spring-boot-1-keycloak
[2] https://github.com/htfv/examples/tree/master/spring-boot-2-keycloak
Regards,
Aliaksei
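The workaround described at the top of the thread (wrapping KeycloakAuthenticationProcessingFilter in a OncePerRequestFilter so that, like BasicAuthenticationFilter, it is skipped on the ERROR dispatch) can be written as follows. This is an added example, not code from the thread, from Keycloak, or from the linked repositories. It assumes the keycloak-spring-security-adapter 4.8.x API (KeycloakWebSecurityConfigurerAdapter and its keycloakAuthenticationProcessingFilter() bean) and the javax.servlet package used by Spring Boot 2.1; the class names ErrorDispatchSkippingFilter and SecurityConfig are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical wrapper: gives any servlet filter the dispatch handling of
 * OncePerRequestFilter. OncePerRequestFilter.doFilter() consults
 * shouldNotFilterErrorDispatch() (true by default) and skips the delegate when
 * the request carries the javax.servlet.error.request_uri attribute, i.e. when
 * the container has forwarded a failed request to /error. The original
 * Authorization header is therefore not re-validated on that second pass, and
 * BasicErrorController can render the 401 produced by the first pass.
 */
public class ErrorDispatchSkippingFilter extends OncePerRequestFilter {

    private final Filter delegate;

    public ErrorDispatchSkippingFilter(Filter delegate) {
        this.delegate = delegate;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain)
            throws ServletException, IOException {
        // Reached only for the original REQUEST dispatch (and async, unless
        // shouldNotFilterAsyncDispatch() is overridden), never for ERROR.
        delegate.doFilter(request, response, filterChain);
    }

    @Override
    protected boolean shouldNotFilterErrorDispatch() {
        // Already the default; stated explicitly so the intent is visible.
        return true;
    }
}

/**
 * Hypothetical security configuration: registers the wrapped Keycloak filter in
 * the position the Keycloak adapter normally uses (before
 * BasicAuthenticationFilter) instead of the bare
 * KeycloakAuthenticationProcessingFilter.
 */
@Configuration
@EnableWebSecurity
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.addFilterBefore(
                new ErrorDispatchSkippingFilter(keycloakAuthenticationProcessingFilter()),
                BasicAuthenticationFilter.class);
    }
}
```

Skipping the filter on the ERROR dispatch does not relax authentication for the protected resource: the first pass has already rejected the token and set the response status, and the forwarded /error request only renders that outcome. What the wrapper changes is that the forwarded request no longer fails a second time on the same stale Authorization header before BasicErrorController is reached.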