ClassCastException with custom Authentication Filter


I am writing my own Container Based Authentication Filter. I wrote the following java class KeycloakSSOAuthenticationProvider that implements AuthenticationProvider and looks something like this:

package com.somename.sso.camunda;

public class KeycloakSSOAuthenticationProvider implements AuthenticationProvider {

    public AuthenticationResult extractAuthenticatedUser(final HttpServletRequest request, final ProcessEngine engine) {
        // Does something
        return authenticationResult;

    private List<String> getUserGroups(final String userId, final ProcessEngine engine) {
        // Does something
        return groupIds;

    public void augmentResponseByAuthenticationChallenge(final HttpServletResponse response,
            final ProcessEngine engine) {

Here ist the filter description from my web.xml file:

    <filter-name>Container Based Authentication Filter</filter-name>
      <!-- <param-value></param-value> -->
    <filter-name>Container Based Authentication Filter</filter-name>

There is an error at runtime when the filter tries to cast KeycloakSSOAuthenticationProvider to AuthenticationProvider. I would suppose that this casting should not be a problem since the first one implements the second one.

However it appears that KeycloakSSOAuthenticationProvider is loaded by URLClassLoader, while AuthenticationProvider is loaded by ParallelWebappClassLoader and this is creating the error. Here the error log I get when running camunda:

Caused by: java.lang.ClassCastException: class com.somename.sso.camunda.KeycloakSSOAuthenticationProvider cannot be cast to class (com.somename.sso.camunda.KeycloakSSOAuthenticationProvider is in unnamed module of loader @6fc6f14e; is in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @7a498efa)

I´ve been stuck with this for days and any help will be highly appreciated.

Hi @jominga,

you might want to have a look at - even if the environment is different you’ll find a lot of stuff related to your question.

Furthermore I would strongly encourage you to have a look at

The Camunda Samples on Github explain a lot more, e.g.

Hope this helps :slight_smile:

Hello @VonDerBeck, thank you for your answer.

As I understand this solution would work for a Wildfly Server and I am using the Keycloak Identity Provider Plugin with Tomcat.

Hello @jominga,

Have you tried using this Tomcat SSO Plugin? May be it will work. It is also based upon Camunda Keycloak Identity Provider plugin.

Thanks and Regards,

Hello @chaitanyajoshi, yes, that’s exactly the one I’m using!

Hello @jominga were you able to resolve this issue? I am facing the same problem on camunda 7.14.0

Hello @shan-96,

in case you’re working with the Tomcat distribution - have you had a look at GitHub - iceman91176/camunda-bpm-auth-keycloak-sso?
The author updated his sample not long ago. This might help you.

Yes, @VonDerBeck I am using tomcat distro. But sadly I have no plans to use Keycloak.

Anyway - the sample can help you to understand how to implement your filter for Tomcat. At least the basics. In case you do not use the Keycloak Identity Provider just extract all information you need from the token. This will help you to authenticate your user.

Hello, @jominga @shan-96 ! Have you solved the issue? I faced it too.

The exaception thrown to indicate that your code has attempted to cast an object to a subclass of which it is not an instance. This means that ClassCastException occurs when you try to cast an instance of an Object to a type that it is not. Type Casting 5 only works when the casted object follows an is a relationship to the type you are trying to cast to.

It is good practice to guard any explicit casts with an instanceof check first:

if (myApple instanceof Fruit) {
  Fruit myFruit = (Fruit)myApple;

When will be ClassCastException is thrown:

  • When you try to cast an object of Parent class to its Child class type, this exception will be thrown.

  • When you try to cast an object of one class into another class type that has not extended the other class or they don’t have any relationship between them.

For those still stuck in this problem.

The solution for me was to include the library camunda-bpm-auth-keycloak-sso-1.3.jar inside of /camunda/webapps/camunda/WEB-INF/lib/ rather than the default place: /camunda/lib/ where all other dependencies go.

After that I was finally redirected to keycloak upon opening the camunda website.