KEYCLOAK-5191 Prevent exception in KeycloakAuthenticationFailureHandler (#4319)

* KEYCLOAK-5191 Don't attempt to send 401 when response is already committed

* KEYCLOAK-5191 Defend against configuration errors by preventing 2xx response after authentication failure

adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationFailureHandler.java

@@ -17,14 +17,13 @@
 
 package org.keycloak.adapters.springsecurity.authentication;
 
-import java.io.IOException;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import java.io.IOException;
 
 /**
  * To return the forbidden code with the corresponding message.
@@ -36,6 +35,14 @@ public class KeycloakAuthenticationFailureHandler implements AuthenticationFailu
 
 	@Override
 	public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
-		response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unable to authenticate using the Authorization header");
+		// Check that the response was not committed yet (this may happen when another
+		// part of the Keycloak adapter sends a challenge or a redirect).
+		if (!response.isCommitted()) {
+			response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unable to authenticate using the Authorization header");
+		} else {
+			if (200 <= response.getStatus() && response.getStatus() < 300) {
+				throw new RuntimeException("Success response was committed while authentication failed!", exception);
+			}
+		}
 	}
 }