39828b2c94
This is an issue with the Spring Security Keycloak Adapter relating to the way the Authentication is stored in the SecurityContext, causing a race condition in application code using that. It does not seem to affect actual Spring Security operation. We had a pretty strange race condition in our application. When many requests were incoming at the same time, occasionally the old unauthenticated Authentication provided to KeycloakAuthenticationProvider for performing the actual authentication would stay the current authentication, as returned by SecurityContextHolder.getContext().getAuthentication(). That resulted in authenticated users' JavaScript requests occasionally (~1/50 given a large request volume) returning a 403 because the 'old' token was still in the context, causing Spring Security to see them as unauthenticated. This PR resolves this issue by replacing the whole context, as suggested by a Spring Security contributor in jzheaux/spring-security-oauth2-resource-server#48. By default, SecurityContextHolder keeps the actual context object in a ThreadLocal, which should be safe from race-conditions. The actual Authentication object, however, is kept in a mere field, hence the reason for this PR. JIRA issue: https://issues.jboss.org/browse/KEYCLOAK-9539 |
||
|---|---|---|
| .travis | ||
| adapters | ||
| authz | ||
| boms | ||
| common | ||
| core | ||
| dependencies | ||
| distribution | ||
| docs | ||
| examples | ||
| federation | ||
| integration | ||
| misc | ||
| model | ||
| saml-core | ||
| saml-core-api | ||
| server-spi | ||
| server-spi-private | ||
| services | ||
| testsuite | ||
| themes | ||
| util | ||
| wildfly | ||
| .gitattributes | ||
| .gitignore | ||
| .travis.yml | ||
| ADOPTERS.md | ||
| CONTRIBUTING.md | ||
| License.html | ||
| MAINTAINERS.md | ||
| pom.xml | ||
| prod-arguments.json | ||
| README.md | ||
| set-version.sh | ||
| travis-run-tests.sh | ||
Keycloak
Keycloak is an Open Source Identity and Access Management solution for modern Applications and Services.
This repository contains the source code for the Keycloak Server, Java adapters and the JavaScript adapter.
Help and Documentation
- Documentation
- User Mailing List - Mailing list for help and general questions about Keycloak
- JIRA - Issue tracker for bugs and feature requests
Reporting Security Vulnerabilities
If you've found a security vulnerability, please look at the instructions on how to properly report it
Reporting an issue
If you believe you have discovered a defect in Keycloak please open an issue in our Issue Tracker. Please remember to provide a good summary, description as well as steps to reproduce the issue.
Getting started
To run Keycloak download the distribution from our website. Unzip and run:
bin/standalone.[sh|bat]
Alternatively, you can use the Docker image by running:
docker run jboss/keycloak
For more details refer to the Keycloak Documentation.
Building from Source
To build from source refer to the building and working with the code base guide.
Testing
To run tests refer to the running tests guide.
Writing Tests
To write tests refer to the writing tests guide.
Contributing
Before contributing to Keycloak please read our contributing guidelines.
Other Keycloak Projects
- Keycloak - Keycloak Server and Java adapters
- Keycloak Documentation - Documentation for Keycloak
- Keycloak QuickStarts - QuickStarts for getting started with Keycloak
- Keycloak Docker - Docker images for Keycloak
- Keycloak Gatekeeper - Proxy service to secure apps and services with Keycloak
- Keycloak Node.js Connect - Node.js adapter for Keycloak
- Keycloak Node.js Admin Client - Node.js library for Keycloak Admin REST API