  1. Keycloak
  2. KEYCLOAK-19837

Double spring security filter registration


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 15.0.2
    • None
    • Adapter - Spring

      You can use the basic demo application of Baeldung to see the behaviour: https://github.com/eugenp/tutorials/tree/master/spring-boot-modules/spring-boot-keycloak

       

      Just add a breakpoint in the VirtualFilterChain (inner class of Spring's FilterChainProxy) "doFilter" method. Now inspect the "additionalFilters" and "originalChain.filters" variables. Normally, the filters in the "originalChain" should be disjoint from the additionalFilters. Apparently the four Keycloak security filters are present in the "originalChain" as well as in the "additionalFilters" (in contrast to Spring's own security filters, which are only present in the "additionalFilters" list).


    Description

      I've noticed a bug with the Keycloak Spring Boot Adapter while debugging my application.
      The four Keycloak security filters (namely KeycloakPreAuthActionsFilter, KeycloakAuthenticationProcessingFilter, KeycloakSecurityContextRequestFilter, KeycloakAuthenticatedActionsFilter) will be added twice to the Spring FilterChain.

      To prevent this from happening you should not provide the filters as a bean and at the same time add them via the "addFilterBefore"/"addFilterAfter" methods to the HttpSecurity object (see KeycloakWebSecurityConfigurerAdapter).

       

      I created a PR that fixes this issue: https://github.com/keycloak/keycloak/pull/8868
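
      An application-side way to keep the four filters out of the servlet container's chain while they remain in the Spring Security chain, shown as an added example (not part of the original report and not the change made in the linked PR). It assumes a Spring Boot 2.x application whose security configuration extends KeycloakWebSecurityConfigurerAdapter, so the four filters are available as beans; the class name and bean method names are hypothetical.

```java
import javax.servlet.Filter;

import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical configuration class. Spring Boot registers every Filter bean
// with the servlet container automatically; a disabled FilterRegistrationBean
// for the same filter instance suppresses that registration, so the filter
// runs only where HttpSecurity placed it inside FilterChainProxy.
@Configuration
public class KeycloakFilterRegistrationConfig {

    // Wraps a filter bean in a registration that the container will skip.
    private static <T extends Filter> FilterRegistrationBean<T> disabled(T filter) {
        FilterRegistrationBean<T> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }

    @Bean
    public FilterRegistrationBean<KeycloakPreAuthActionsFilter> preAuthActionsRegistration(
            KeycloakPreAuthActionsFilter filter) {
        return disabled(filter);
    }

    @Bean
    public FilterRegistrationBean<KeycloakAuthenticationProcessingFilter> authProcessingRegistration(
            KeycloakAuthenticationProcessingFilter filter) {
        return disabled(filter);
    }

    @Bean
    public FilterRegistrationBean<KeycloakSecurityContextRequestFilter> securityContextRegistration(
            KeycloakSecurityContextRequestFilter filter) {
        return disabled(filter);
    }

    @Bean
    public FilterRegistrationBean<KeycloakAuthenticatedActionsFilter> authenticatedActionsRegistration(
            KeycloakAuthenticatedActionsFilter filter) {
        return disabled(filter);
    }
}
```

      With this in place, repeating the breakpoint inspection described in the steps to reproduce should show the Keycloak filters only in "additionalFilters".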

          People

            Unassigned Unassigned
            sndmn-dev Nkls Sndmn (Inactive)
            Votes: 0
            Watchers: 2
