[keycloak-user] security context cleared in KeycloakAuthenticationProcessingFilter

[Дмитрий Шохов]

Hi!

I have a question regarding spring security adapter.

I have an angularjs app which opens websocket using sockjs and a backend
using java and spring. I added authentication to the client and wanted to
check authorization token when client sends websocket handshake to the
server. Unfortunately sockjs doesn't allow to send additional headers
because of some security concern. So I decided that I will do REST request
before opening websocket with Authorization header and then websocket would
be authorized because it would be the same http session.

This works fine. Now the interesting part. When I do open the app first
time websocket opens fine, but if I refresh the page websocket handshake
returns the 401 code. I spent some time to find the reason for this and
this is what I found:

After the reload
1. I send the REST request and spring starts its filter chain
2. SecurityContextPersistenceFilter loads stored in http session security
context and sets it to thread
local SecurityContextHolder.setContext(contextBeforeChainExecution)
3. Down the filter chain KeycloakAuthenticationProcessingFilter starts and
does the authorization, which is successfull and
in successfulAuthentication method it continues the chain
with chain.doFilter(request, response)
4. KeycloakAuthenticationProcessingFilter continues chain in try-finally
block and after chain finishes it does clear the context
with SecurityContextHolder.clearContext();
5. SecurityContextPersistenceFilter in its finally block saves the security
context back to http session repository which
is HttpSessionSecurityContextRepository. Repository sees that there was
authenticated security context before the chain started and now its is
unauthenticated because keycloak filter cleared it and it clears it from
http session.
6. Websocket handshake fails because there is no more authenticated
security context in http session.

After another reload or during the first load it works, because security
context is eagerly saved from SessionManagementFilter, but
SecurityContextPersistenceFilter sees that there was no context before
chain started and no context after chain finished, so it does nothing and
eagerly saved context survives in http session.

It looks to me like KeycloakAuthenticationProcessingFilter should not clear
context and if I remove that line in locally built version everything
starts to work as I expect. But maybe I don't understand something, I'm
pretty new to spring security.

Waiting for your clarifications.
keycloak-spring-security-adapter version 3.2.1.Final
spring-security-web version 4.2.2.RELEASE

Thanks,
Dmitry