keycloak-scim/adapters
Philipp Nowak 39828b2c94 [KEYCLOAK-9539] Race condition SecurityContextHolder.setAuthentication()
This is an issue with the Spring Security Keycloak Adapter relating to
 the way the Authentication is stored in the SecurityContext, causing a
 race condition in application code using that. It does not seem to
 affect actual Spring Security operation.

We had a pretty strange race condition in our application. When many
 requests were incoming at the same time, occasionally the old
 unauthenticated Authentication provided to
 KeycloakAuthenticationProvider for performing the actual authentication
 would stay the current authentication, as returned by
 SecurityContextHolder.getContext().getAuthentication(). That resulted
 in authenticated users' JavaScript requests occasionally (~1/50 given a
 large request volume) returning a 403 because the 'old' token was still
 in the context, causing Spring Security to see them as unauthenticated.

This PR resolves this issue by replacing the whole context, as suggested
 by a Spring Security contributor in jzheaux/spring-security-oauth2-resource-server#48. By default,
 SecurityContextHolder keeps the actual context object in a ThreadLocal,
 which should be safe from race-conditions. The actual Authentication
 object, however, is kept in a mere field, hence the reason for this PR.

JIRA issue: https://issues.jboss.org/browse/KEYCLOAK-9539
2019-02-27 14:58:10 -03:00
..
oidc [KEYCLOAK-9539] Race condition SecurityContextHolder.setAuthentication() 2019-02-27 14:58:10 -03:00
saml Set version 5.0.0 2019-02-21 09:35:14 +01:00
spi Set version 5.0.0 2019-02-21 09:35:14 +01:00
pom.xml Set version 5.0.0 2019-02-21 09:35:14 +01:00