ClassCastException with custom Authentication Filter

jominga · May 5, 2020, 8:00pm

Hello,

I am writing my own Container Based Authentication Filter. I wrote the following java class KeycloakSSOAuthenticationProvider that implements AuthenticationProvider and looks something like this:

package com.somename.sso.camunda;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationProvider;

public class KeycloakSSOAuthenticationProvider implements AuthenticationProvider {

    @Override
    public AuthenticationResult extractAuthenticatedUser(final HttpServletRequest request, final ProcessEngine engine) {
        // Does something
        return authenticationResult;
    }

    private List<String> getUserGroups(final String userId, final ProcessEngine engine) {
        // Does something
        return groupIds;
    }

    public void augmentResponseByAuthenticationChallenge(final HttpServletResponse response,
            final ProcessEngine engine) {
        ;
    }
}

Here ist the filter description from my web.xml file:

<filter>
    <filter-name>Container Based Authentication Filter</filter-name>
    <filter-class>org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter</filter-class>
    <init-param>
      <param-name>authentication-provider</param-name>
      <param-value>com.somename.sso.camunda.KeycloakSSOAuthenticationProvider</param-value>
      <!-- <param-value>org.camunda.community.auth.keycloak.sso.KeycloakSSOAuthenticationProvider</param-value> -->
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>Container Based Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>

There is an error at runtime when the filter tries to cast KeycloakSSOAuthenticationProvider to AuthenticationProvider. I would suppose that this casting should not be a problem since the first one implements the second one.

However it appears that KeycloakSSOAuthenticationProvider is loaded by URLClassLoader, while AuthenticationProvider is loaded by ParallelWebappClassLoader and this is creating the error. Here the error log I get when running camunda:

Caused by: java.lang.ClassCastException: class com.somename.sso.camunda.KeycloakSSOAuthenticationProvider cannot be cast to class org.camunda.bpm.engine.rest.security.auth.AuthenticationProvider (com.somename.sso.camunda.KeycloakSSOAuthenticationProvider is in unnamed module of loader java.net.URLClassLoader @6fc6f14e; org.camunda.bpm.engine.rest.security.auth.AuthenticationProvider is in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @7a498efa)

I´ve been stuck with this for days and any help will be highly appreciated.

VonDerBeck · May 7, 2020, 9:40am

Hi @jominga,

you might want to have a look at https://github.com/camunda/camunda-bpm-identity-keycloak/tree/master/examples/sso-kubernetes - even if the environment is different you’ll find a lot of stuff related to your question.

Furthermore I would strongly encourage you to have a look at https://camunda.com/best-practices/securing-camunda/

The Camunda Samples on Github explain a lot more, e.g. https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso

Hope this helps

jominga · May 7, 2020, 12:00pm

Hello @VonDerBeck, thank you for your answer.

As I understand this solution would work for a Wildfly Server and I am using the Keycloak Identity Provider Plugin with Tomcat.

chaitanyajoshi · May 7, 2020, 2:51pm

Hello @jominga,

Have you tried using this Tomcat SSO Plugin? May be it will work. It is also based upon Camunda Keycloak Identity Provider plugin.

Thanks and Regards,
Chaitanya

jominga · May 7, 2020, 3:21pm

Hello @chaitanyajoshi, yes, that’s exactly the one I’m using!

shan-96 · April 29, 2021, 3:08pm

Hello @jominga were you able to resolve this issue? I am facing the same problem on camunda 7.14.0

VonDerBeck · April 29, 2021, 3:21pm

Hello @shan-96,

in case you’re working with the Tomcat distribution - have you had a look at GitHub - iceman91176/camunda-bpm-auth-keycloak-sso?
The author updated his sample not long ago. This might help you.

shan-96 · April 29, 2021, 4:05pm

Yes, @VonDerBeck I am using tomcat distro. But sadly I have no plans to use Keycloak.

VonDerBeck · April 30, 2021, 7:30am

@shan-96
Anyway - the sample can help you to understand how to implement your filter for Tomcat. At least the basics. In case you do not use the Keycloak Identity Provider just extract all information you need from the token. This will help you to authenticate your user.

theodor · July 1, 2022, 10:02am

Hello, @jominga @shan-96 ! Have you solved the issue? I faced it too.

benjaminzx · July 13, 2022, 5:07pm

The exaception thrown to indicate that your code has attempted to cast an object to a subclass of which it is not an instance. This means that ClassCastException occurs when you try to cast an instance of an Object to a type that it is not. Type Casting 5 only works when the casted object follows an is a relationship to the type you are trying to cast to.

It is good practice to guard any explicit casts with an instanceof check first:

if (myApple instanceof Fruit) {
  Fruit myFruit = (Fruit)myApple;
}

When will be ClassCastException is thrown:

When you try to cast an object of Parent class to its Child class type, this exception will be thrown.
When you try to cast an object of one class into another class type that has not extended the other class or they don’t have any relationship between them.

amd989 · July 18, 2022, 12:23pm

For those still stuck in this problem.

The solution for me was to include the library camunda-bpm-auth-keycloak-sso-1.3.jar inside of /camunda/webapps/camunda/WEB-INF/lib/ rather than the default place: /camunda/lib/ where all other dependencies go.

After that I was finally redirected to keycloak upon opening the camunda website.