[keycloak-user] ClassCastException in SimpleHttpFacade - WebAuthenticationDetails cannot be cast to SecurityContext

Zaunegger, Jörg Joerg.Zaunegger at kvbawue.de
Thu Mar 9 04:46:46 EST 2017


Hi,
we want to use Keycloak in our Spring Boot application, so as a Keycloak adapter we are using the keycloak-spring-security-adapter. To use authorization with keycloak-spring-security-adapter we found the following JIRA enhancement: https://issues.jboss.org/browse/KEYCLOAK-3474. So we configured our WebSecurityConfigurerAdapter#configure() like this to use KeycloakAuthenticationProcessingFilter:
http
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
                .and()
        .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
        .addFilterBefore(keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class)
        .addFilterAfter(keycloakAuthenticatedActionsFilter(), KeycloakAuthenticationProcessingFilter.class)
        …

The problem is that we are now getting a ClassCastException in SimpleHttpFacade. Stack trace:

Caused by: java.lang.ClassCastException: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount cannot be cast to org.keycloak.KeycloakSecurityContext
        at org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade.getSecurityContext(SimpleHttpFacade.java:60) ~[keycloak-spring-security-adapter-2.5.4.Final.jar:2.5.4.Final]
        at org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:70) ~[keycloak-adapter-core-2.5.4.Final.jar:2.5.4.Final]
        at org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:79) ~[keycloak-adapter-core-2.5.4.Final.jar:2.5.4.Final]
        at org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:142) ~[keycloak-adapter-core-2.5.4.Final.jar:2.5.4.Final]
        ... 56 common frames omitted

We could fix this with the following changes:

1) Override SimpleHttpFacade#getSecurityContext() and change it as follows:

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.account.OidcKeycloakAccount;
import org.springframework.security.core.context.SecurityContextHolder;

@Override
public KeycloakSecurityContext getSecurityContext() {
        // getAuthentication(...) is our own helper (not shown) that returns the details
        // object of the current Authentication, or null when nobody is authenticated
        Object details = getAuthentication(SecurityContextHolder.getContext());
        if (details != null) {
                if (details instanceof KeycloakSecurityContext) {
                        return (KeycloakSecurityContext) details;
                }
                else if (details instanceof OidcKeycloakAccount) {
                        return ((OidcKeycloakAccount) details).getKeycloakSecurityContext();
                }
        }
        return null;
}

2) Use our own KeycloakAuthenticatedActionsFilter, which is a copy of the original KeycloakAuthenticatedActionsFilter, except that it uses our own SimpleHttpFacade.


So is there a bug in SimpleHttpFacade, or is the problem caused by a misconfiguration on our side?


Regards
Jörg Zaunegger
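Both steps of the workaround described above, assembled into one drop-in filter as an added example (not code from the original post or from the Keycloak project). The class names AccountAwareAuthenticatedActionsFilter and AccountAwareHttpFacade are invented, and the block assumes the 2.5.x adapter API seen in the stack trace: SimpleHttpFacade implementing OIDCHttpFacade, AdapterDeploymentContext#resolveDeployment(HttpFacade) and AuthenticatedActionsHandler#handledRequest().

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AuthenticatedActionsHandler;
import org.keycloak.adapters.springsecurity.account.OidcKeycloakAccount;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

/** Hypothetical replacement for KeycloakAuthenticatedActionsFilter that hands the policy enforcer a tolerant facade. */
public class AccountAwareAuthenticatedActionsFilter extends GenericFilterBean {
    /** Hypothetical facade: resolves the KeycloakSecurityContext from either detail type the adapter may store. */
    public static class AccountAwareHttpFacade extends SimpleHttpFacade {
        public AccountAwareHttpFacade(HttpServletRequest request, HttpServletResponse response) {
            super(request, response);
        }
        @Override
        public KeycloakSecurityContext getSecurityContext() {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            Object details = (auth == null) ? null : auth.getDetails();
            if (details instanceof KeycloakSecurityContext) {   // what the stock facade casts to
                return (KeycloakSecurityContext) details;
            }
            if (details instanceof OidcKeycloakAccount) {       // what KeycloakAuthenticationProcessingFilter stores
                return ((OidcKeycloakAccount) details).getKeycloakSecurityContext();
            }
            return null;  // anonymous or foreign details: the enforcer gets no context, as for an unauthenticated request
        }
    }
    private final AdapterDeploymentContext deploymentContext;
    public AccountAwareAuthenticatedActionsFilter(AdapterDeploymentContext deploymentContext) {
        this.deploymentContext = deploymentContext;
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        AccountAwareHttpFacade facade = new AccountAwareHttpFacade((HttpServletRequest) req, (HttpServletResponse) res);
        // Same sequence as the stock filter: resolve the deployment, run the authenticated actions (policy
        // enforcer included) through our facade, and stop when the handler has already written the response.
        if (new AuthenticatedActionsHandler(deploymentContext.resolveDeployment(facade), facade).handledRequest()) {
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register it in place of keycloakAuthenticatedActionsFilter() in the addFilterAfter(...) call shown above, passing in the adapter's AdapterDeploymentContext bean. Because the facade returns null rather than casting blindly, an unexpected details object no longer surfaces as a ClassCastException in the filter chain.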



