Philipp Nowak 39828b2c94 [KEYCLOAK-9539] Race condition SecurityContextHolder.setAuthentication()
This is an issue with the Spring Security Keycloak Adapter relating to
the way the Authentication is stored in the SecurityContext, causing a
race condition in application code using that. It does not seem to
affect actual Spring Security operation.

We had a pretty strange race condition in our application. When many
requests were incoming at the same time, occasionally the old
unauthenticated Authentication provided to
KeycloakAuthenticationProvider for performing the actual authentication
would stay the current authentication, as returned by
SecurityContextHolder.getContext().getAuthentication(). That resulted
in authenticated users' JavaScript requests occasionally (~1/50 given a
large request volume) returning a 403 because the 'old' token was still
in the context, causing Spring Security to see them as unauthenticated.

This PR resolves this issue by replacing the whole context, as suggested
by a Spring Security contributor in jzheaux/spring-security-oauth2-resource-server#48. By default,
SecurityContextHolder keeps the actual context object in a ThreadLocal,
which should be safe from race conditions. The actual Authentication
object, however, is kept in a mere field, hence the reason for this PR.

JIRA issue: https://issues.jboss.org/browse/KEYCLOAK-9539
2019-02-27 14:58:10 -03:00
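The mechanism the commit message above describes, as an added example that is not part of the Keycloak adapter or of Spring Security: a minimal stand-in for SecurityContextHolder (a per-thread reference kept in a ThreadLocal) and SecurityContextImpl (the Authentication kept in a plain field), with two request threads that were both handed the same context instance. The assumption that the two threads share one context object, for instance one loaded from the HTTP session, is mine; the commit message only says the Authentication sits in a field. The Holder, Context, installInPlace and installByReplacement names are constructed for this example, and the Spring Security calls named in the comments are the real ones that the fixed code path would use.

```java
import java.util.concurrent.CountDownLatch;

// Constructed model of SecurityContextHolder / SecurityContextImpl, not Spring code:
// the holder keeps a per-thread reference in a ThreadLocal, but the Authentication
// itself lives in an ordinary field of the context object.
public class ContextRaceDemo {

    static final class Context {
        private volatile String authentication; // stands in for the Authentication object
        String getAuthentication() { return authentication; }
        void setAuthentication(String a) { authentication = a; }
    }

    static final class Holder {
        private static final ThreadLocal<Context> TL = ThreadLocal.withInitial(Context::new);
        static Context getContext() { return TL.get(); }          // SecurityContextHolder.getContext()
        static void setContext(Context c) { TL.set(c); }          // SecurityContextHolder.setContext(ctx)
        static Context createEmptyContext() { return new Context(); } // SecurityContextHolder.createEmptyContext()
    }

    // Old adapter pattern: mutate whichever context object this thread currently sees.
    // Spring equivalent: SecurityContextHolder.getContext().setAuthentication(token)
    static void installInPlace(String preAuthToken) {
        Holder.getContext().setAuthentication(preAuthToken);
    }

    // Pattern from the fix: build a fresh context and swap only this thread's reference.
    // Spring equivalent: ctx = SecurityContextHolder.createEmptyContext();
    //                    ctx.setAuthentication(token); SecurityContextHolder.setContext(ctx);
    static void installByReplacement(String preAuthToken) {
        Context fresh = Holder.createEmptyContext();
        fresh.setAuthentication(preAuthToken);
        Holder.setContext(fresh);
    }

    // Two request threads that were both handed the SAME context instance (assumed here to
    // come from a shared store such as the HTTP session). Thread A installs the unauthenticated
    // pre-auth token; thread B then performs its authorization check. Returns what B sees.
    static String run(boolean replace) throws InterruptedException {
        Context shared = new Context();
        shared.setAuthentication("alice:authenticated");
        CountDownLatch aDone = new CountDownLatch(1);
        String[] seenByB = new String[1];

        Thread a = new Thread(() -> {
            Holder.setContext(shared);        // the repository hands A the shared object
            if (replace) installByReplacement("pre-auth:unauthenticated");
            else installInPlace("pre-auth:unauthenticated");
            aDone.countDown();
        });
        Thread b = new Thread(() -> {
            Holder.setContext(shared);        // ... and hands B the very same object
            try {
                aDone.await();                // B's check happens after A's filter ran
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
            seenByB[0] = Holder.getContext().getAuthentication();
        });
        a.start();
        b.start();
        a.join();
        b.join();
        return seenByB[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("in-place setAuthentication, B sees: " + run(false));
        System.out.println("replace whole context,      B sees: " + run(true));
    }
}
```

Compile and run with `javac ContextRaceDemo.java && java ContextRaceDemo`. With in-place mutation, thread B reads the pre-auth token that thread A wrote into the shared field, which is the "authenticated user suddenly gets a 403" symptom; with replacement, A's write lands in an object only A's ThreadLocal points at, and B still reads the authenticated token. The latch makes the interleaving deterministic so the leak shows on every run rather than roughly one time in fifty.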
.travis Update triggers for Docker Hub 2018-08-20 20:38:57 +02:00
adapters [KEYCLOAK-9539] Race condition SecurityContextHolder.setAuthentication() 2019-02-27 14:58:10 -03:00
authz Set version 5.0.0 2019-02-21 09:35:14 +01:00
boms Set version 5.0.0 2019-02-21 09:35:14 +01:00
common Added tests for common utilities CollectionUtil & HtmlUtils. 2019-02-21 11:45:17 +01:00
core KEYCLOAK-9116: Fixes JWK serialization of ECDSA public key coordinates. 2019-02-25 09:53:09 -03:00
dependencies Set version 5.0.0 2019-02-21 09:35:14 +01:00
distribution KEYCLOAK-8397 Remove deprecated Keycloak Proxy 2019-02-25 08:23:12 -03:00
docs Update pull_request_template.md 2019-02-21 12:30:16 +01:00
examples Set version 5.0.0 2019-02-21 09:35:14 +01:00
federation Set version 5.0.0 2019-02-21 09:35:14 +01:00
integration KEYCLOAK-9509 Upgrade to Wildfly 15 2019-02-25 08:56:46 +01:00
misc Update to repository documentation, including updated contributors guide 2019-02-21 11:17:57 +01:00
model [KEYCLOAK-9371] Fix premature termination of sessions when remember-me is in use 2019-02-27 15:08:50 +01:00
saml-core Set version 5.0.0 2019-02-21 09:35:14 +01:00
saml-core-api Set version 5.0.0 2019-02-21 09:35:14 +01:00
server-spi KEYCLOAK-8977 Added method to return KeycloakSession from RealmCreationEvent 2019-02-21 11:21:54 +01:00
server-spi-private [KEYCLOAK-9093] - False-Positive UMA Policy Evaluation 2019-02-21 21:47:58 -03:00
services KEYCLOAK-9167 Using kcadm to update an identity-provider instance via a json file does not work without an "internalId" present in the json 2019-02-27 14:56:36 +01:00
testsuite [KEYCLOAK-9371] Fix premature termination of sessions when remember-me is in use 2019-02-27 15:08:50 +01:00
themes KEYCLOAK-8602: PatternFly 4 integration 2019-02-25 08:26:54 -03:00
util Set version 5.0.0 2019-02-21 09:35:14 +01:00
wildfly KEYCLOAK-9509 Upgrade to Wildfly 15 2019-02-25 08:56:46 +01:00
.gitattributes KEYCLOAK-1385 Introduce end-of-line normalization 2015-07-17 13:46:51 +02:00
.gitignore KEYCLOAK-8837 Adapt TS to be able to test migration from 7.2.5.GA (instead from 7.2.0.GA) 2018-11-19 18:06:33 +01:00
.travis.yml KEYCLOAK-8349 KEYCLOAK-8659 Use TLS for all tests in the suite 2019-02-08 08:57:48 -02:00
ADOPTERS.md List of adopters and contributors (#5709) 2018-11-15 08:14:38 +01:00
CONTRIBUTING.md Update CONTRIBUTING.md 2019-02-21 12:28:06 +01:00
License.html distro 2014-01-07 14:37:50 -05:00
MAINTAINERS.md Initial maintainers file 2019-02-15 08:18:09 +01:00
pom.xml KEYCLOAK-8397 Remove deprecated Keycloak Proxy 2019-02-25 08:23:12 -03:00
prod-arguments.json KEYCLOAK-9261 Error when deploying war which uses EAP6 SAML adapter 2019-01-09 15:53:26 +01:00
README.md Update to repository documentation, including updated contributors guide 2019-02-21 11:17:57 +01:00
set-version.sh Bump versions 2017-11-09 15:37:21 +01:00
travis-run-tests.sh KEYCLOAK-8397 Remove deprecated Keycloak Proxy 2019-02-25 08:23:12 -03:00

Keycloak

Keycloak is an Open Source Identity and Access Management solution for modern Applications and Services.

This repository contains the source code for the Keycloak Server, Java adapters and the JavaScript adapter.

Help and Documentation

Reporting Security Vulnerabilities

If you've found a security vulnerability, please look at the instructions on how to properly report it.

Reporting an issue

If you believe you have discovered a defect in Keycloak please open an issue in our Issue Tracker. Please remember to provide a good summary, description as well as steps to reproduce the issue.

Getting started

To run Keycloak download the distribution from our website. Unzip and run:

bin/standalone.[sh|bat] 

Alternatively, you can use the Docker image by running:

docker run jboss/keycloak

For more details refer to the Keycloak Documentation.

Building from Source

To build from source refer to the building and working with the code base guide.

Testing

To run tests refer to the running tests guide.

Writing Tests

To write tests refer to the writing tests guide.

Contributing

Before contributing to Keycloak please read our contributing guidelines.

Other Keycloak Projects

License