[Hawkular-dev] Keycloak integration

[Juraci Paixão Kröhling]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/21/2015 12:20 PM, Thomas Segismont wrote:
> Le 21/01/2015 08:24, Juraci Paixão Kröhling a écrit :
>>> Is there a way to easily disable the
>>> authentication/authorization?
>>>> While it is not critical, I am thinking it might be nice if
>>>> we could do that in situations where we are debugging test
>>>> failures for instance.
>> Yes: just remove the authentication parts on the web.xml .
>> Everything should work fine. Not sure, though, what would happen
>> if you try to call a resource that is protected by the container
>> via @RolesAllowed.
> 
> What does the KC team recommend to do for such problems (which are
> most probably shared across users)?

Just had a quick chat with Marek about it and he suggested something
similar: to disable it via web.xml . There's no flag or special setup
that would allow an application otherwise protected by Keycloak to
bypass it, as it could be viewed as an attack vector.

One interesting thought that he shared was: if the application were to
be protected by any other JAAS provider, the auth would also have to
be disabled on web.xml . In that sense, I think that auth could be
counted on something that is part of the environment, like the
application server itself.

If we face a situation where disabling the auth is indeed valuable,
I'll try to come up with the flag that would accomplish that and see
if the Keycloak team would accept a PR.

- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUv6pTAAoJECKM1e+fkPrXUxUH/1i0naSA6XfYavsCyINLlfR4
C3vB3IWpDtMkEX4lsbt6J7EI0EKpZty7Up5OeaQhngHueIUyVqPRVBUn/PZmCdqD
PdmraLzv9+3aPtcPavT3uVZqpMgeJ9l+BjQW+z/ouj/VMwTkz/X6u2/Eim6ZzX4B
364R5KWxnZkLIftgOreACqTRlVLn5ErPTP1jSE58o7cXjbAb5EARXareXVWHOtdE
2SjtBBdO9xYVfPm37+CD7FnRl/s00e+DHFaDHWDqHm1D+uuCTR6zm81KO8Dcg855
e5hFtybRYaSStmjwOJFDJ+D7wtPJXzjgtpjAoM3PhDx6VjslVXoJJjkfVJPft20=
=fKcB
-----END PGP SIGNATURE-----