diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AdapterDeploymentContext.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AdapterDeploymentContext.java
index 1584c1100a..37fe443ec4 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AdapterDeploymentContext.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AdapterDeploymentContext.java
@@ -33,6 +33,7 @@ import org.keycloak.representations.adapters.config.AdapterConfig;
import java.io.IOException;
import java.net.URI;
import java.util.Map;
+import java.util.concurrent.Callable;
/**
* @author Bill Burke
@@ -469,7 +470,7 @@ public class AdapterDeploymentContext {
}
@Override
- public void setPolicyEnforcer(PolicyEnforcer policyEnforcer) {
+ public void setPolicyEnforcer(Callable policyEnforcer) {
delegate.setPolicyEnforcer(policyEnforcer);
}
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
index 6986312bb5..e2bd3d74c0 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
@@ -89,7 +89,7 @@ public class KeycloakDeployment {
protected int tokenMinimumTimeToLive;
protected int minTimeBetweenJwksRequests;
protected int publicKeyCacheTtl;
- private PolicyEnforcer policyEnforcer;
+ protected Callable policyEnforcer;
// https://tools.ietf.org/html/rfc7636
protected boolean pkce = false;
@@ -464,12 +464,19 @@ public class KeycloakDeployment {
this.publicKeyCacheTtl = publicKeyCacheTtl;
}
- public void setPolicyEnforcer(PolicyEnforcer policyEnforcer) {
+ public void setPolicyEnforcer(Callable policyEnforcer) {
this.policyEnforcer = policyEnforcer;
}
public PolicyEnforcer getPolicyEnforcer() {
- return policyEnforcer;
+ if (policyEnforcer == null) {
+ return null;
+ }
+ try {
+ return policyEnforcer.call();
+ } catch (Exception cause) {
+ throw new RuntimeException("Failed to obtain policy enforcer", cause);
+ }
}
// https://tools.ietf.org/html/rfc7636
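Review bot: `getPolicyEnforcer()` has no Javadoc even though its contract changed: it now invokes the supplied `Callable` on every call and can throw when the enforcer is first requested rather than when the deployment is built. Document that `null` is returned only when no enforcer was configured and that an initialisation failure surfaces as a `RuntimeException`, e.g. `/** Returns the enforcer, creating it on first use; null only if none is configured; throws RuntimeException if creation fails. */`. This matters if callers skip authorization checks on a `null` result (the call sites are not visible in this diff), because the failure path must keep throwing and never become a `null` return. The same comment should state that the setter now takes a supplier, not an instance.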
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java
index e26ef89d57..416af5dbb9 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java
@@ -53,7 +53,7 @@ public class KeycloakDeploymentBuilder {
}
- protected KeycloakDeployment internalBuild(AdapterConfig adapterConfig) {
+ protected KeycloakDeployment internalBuild(final AdapterConfig adapterConfig) {
if (adapterConfig.getRealm() == null) throw new RuntimeException("Must set 'realm' in config");
deployment.setRealm(adapterConfig.getRealm());
String resource = adapterConfig.getResource();
@@ -143,10 +143,23 @@ public class KeycloakDeploymentBuilder {
deployment.setTurnOffChangeSessionIdOnLogin(adapterConfig.getTurnOffChangeSessionIdOnLogin());
}
- PolicyEnforcerConfig policyEnforcerConfig = adapterConfig.getPolicyEnforcerConfig();
+ final PolicyEnforcerConfig policyEnforcerConfig = adapterConfig.getPolicyEnforcerConfig();
if (policyEnforcerConfig != null) {
- deployment.setPolicyEnforcer(new PolicyEnforcer(deployment, adapterConfig));
+ deployment.setPolicyEnforcer(new Callable() {
+ PolicyEnforcer policyEnforcer;
+ @Override
+ public PolicyEnforcer call() {
+ if (policyEnforcer == null) {
+ synchronized (deployment) {
+ if (policyEnforcer == null) {
+ policyEnforcer = new PolicyEnforcer(deployment, adapterConfig);
+ }
+ }
+ }
+ return policyEnforcer;
+ }
+ });
}
log.debug("Use authServerUrl: " + deployment.getAuthServerBaseUrl() + ", tokenUrl: " + deployment.getTokenUrl() + ", relativeUrls: " + deployment.getRelativeUrls());
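Review bot: The `policyEnforcer` field of the anonymous `Callable` is read outside the `synchronized (deployment)` block but is not `volatile`, so this double-checked locking is not safe under the Java memory model. A second thread can observe a non-null reference before the `PolicyEnforcer` constructor's writes are visible and enforce with a partially initialised object. Declare the field as `private volatile PolicyEnforcer policyEnforcer;`. Separately, the monitor is the shared `deployment` object, which other code can also lock, so a slow constructor (it presumably contacts the auth server, not visible here) stalls those threads too; `synchronized (this)` inside the `Callable` would keep the lock private. `internalBuild` begins and ends outside this hunk.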