[keycloak-dev] Keycloak spring security adapter - possible to set http / pool timeouts for outgoing connections?

Christian Schwarz christian at datek.no
Tue Jul 12 07:24:25 EDT 2016


Hello!

I’m using the Keycloak spring security adapter. My clients are using HTTP Basic Authentication, which will then result in an HTTP request to validate those credentials (from the adapter to the keycloak server).

The problem is that the adapter does not have a timeout on these remote invocations towards the keycloak server.

It only allows configuring the connection pool size, which is default = 100.

I have on multiple occasions had my main application exhausted of HTTP serving threads because all of them are waiting for keycloak adapter credentials validation (remote invocations). (why the server does not respond is another matter :)

I.e. all my HTTP serving threads are stuck in this state:

 java.lang.Thread.State: WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)
        - parking to wait for  <0x00000000f15cd418> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
        at java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)
        at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2039)
        at org.apache.http.impl.conn.tsccm.WaitingThread.await(WaitingThread.java:162)
        at org.apache.http.impl.conn.tsccm.ConnPoolByRoute.getEntryBlocking(ConnPoolByRoute.java:400)
        at org.apache.http.impl.conn.tsccm.ConnPoolByRoute$1.getPoolEntry(ConnPoolByRoute.java:300)
        at org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager$1.getConnection(ThreadSafeClientConnManager.java:242)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:424)
        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
        at org.keycloak.adapters.BasicAuthRequestAuthenticator.getToken(BasicAuthRequestAuthenticator.java:103)
        at org.keycloak.adapters.BasicAuthRequestAuthenticator.authenticate(BasicAuthRequestAuthenticator.java:75)
        at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:83)
        at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:137)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at no.datek.iot.home.security.InternalClientAuthenticationFilter.doFilterInternal(InternalClientAuthenticationFilter.java:38)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84)

Is it possible to set a timeout (both for TCP connect and for socket read) on these keycloak adapter outgoing connections? (to prevent the connection pool from blocking)
It would also be really nice to be able to set the timeout on getting connections from that pool ("connection manager timeout"), to prevent connections from queueing up even if the other timeouts are set (important if there are lots of connections coming in).

I know apache http client has settings for all these three values.

Keep up the good work!

Best regards,

Christian Schwarz
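
The three timeouts asked about above (TCP connect, socket read, and the wait for a pooled connection), as an added example that is not part of the original message and not Keycloak adapter code. It uses plain Apache HttpClient 4.3+ against a constructed local socket that accepts connections but never answers; the class name, the timeout values and the pool size of 1 are assumptions chosen so that one request ends on the read timeout and the other on the pool-lease timeout instead of parking indefinitely.

```java
import java.net.ServerSocket;
import java.util.concurrent.*;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

public class BoundedAuthClient {   // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Constructed stand-in for an unresponsive server: the OS completes the TCP
        // handshake through the listen backlog, but nothing ever reads or replies.
        try (ServerSocket silent = new ServerSocket(0)) {
            String url = "http://127.0.0.1:" + silent.getLocalPort() + "/";
            RequestConfig timeouts = RequestConfig.custom()
                .setConnectTimeout(1000)           // ms allowed for the TCP connect
                .setSocketTimeout(3000)            // ms allowed between bytes on a read
                .setConnectionRequestTimeout(500)  // ms allowed waiting for a pooled connection
                .build();
            PoolingHttpClientConnectionManager pool = new PoolingHttpClientConnectionManager();
            pool.setMaxTotal(1);                   // tiny pool so exhaustion is easy to reproduce
            pool.setDefaultMaxPerRoute(1);
            try (CloseableHttpClient client = HttpClients.custom()
                    .setConnectionManager(pool)
                    .setDefaultRequestConfig(timeouts)
                    .build()) {
                ExecutorService workers = Executors.newFixedThreadPool(2);
                for (int i = 1; i <= 2; i++) {
                    final int id = i;
                    workers.submit(() -> {
                        long start = System.nanoTime();
                        String outcome;
                        try {
                            client.execute(new HttpGet(url)).close();
                            outcome = "response";
                        } catch (Exception e) {
                            outcome = e.getClass().getSimpleName();
                        }
                        System.out.printf("request %d: %s after %d ms%n",
                            id, outcome, (System.nanoTime() - start) / 1_000_000);
                    });
                }
                workers.shutdown();
                workers.awaitTermination(10, TimeUnit.SECONDS);
            }
        }
    }
}
```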
