[keycloak-dev] AS7 subsystem problems Re: release? Stan?

Wed Dec 3 12:30:00 EST 2014

On 12/3/2014 9:07 AM, Bill Burke wrote:
>
> On 12/3/2014 2:43 AM, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Stan Silvert" <ssilvert at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Wednesday, 3 December, 2014 3:56:27 AM
>>> Subject: Re: [keycloak-dev] AS7 subsystem problems Re:  release?  Stan?
>>>
>>> On 12/2/2014 6:18 PM, Stan Silvert wrote:
>>>> On 12/2/2014 4:41 PM, Bill Burke wrote:
>>>>> On 12/2/2014 4:38 PM, Bill Burke wrote:
>>>>>> On 12/2/2014 3:55 PM, Stan Silvert wrote:
>>>>>>> On 12/2/2014 3:36 PM, Marek Posolda wrote:
>>>>>>>> oops, thanks to you for reporting issue to me this time:-)
>>>>>>>>
>>>>>>>> It should be fixed now. Let me know if it helps.
>>>>>>> That fixed it.  Wish mine was that easy.
>>>>>>>
>>>>>>> So much for EAP6 being based on AS7.  The API I'm using doesn't exist on
>>>>>>> AS7.  It does exist on EAP6, WF8, and WF9.
>>>>>>>
>>>>>>> I think our best course right now is to not use the subsystem on AS7.
>>>>>>> You can still deploy the auth-server WAR into the /deployments directory
>>>>>>> if you are dead set on using AS7 that way.
>>>>>>>
>>>>>>> This doesn't affect the AS7 adapter at all.  We just need to remove the
>>>>>>> subsystem module from the dist.
>>>>>>>
>>>>>> Isn't the adapter subsystem and auth-server subsystem in the same
>>>>>> jar/module?
>>>>>>
>>>>>> http://docs.jboss.org/keycloak/docs/1.0.4.Final/userguide/html/ch07.html#jboss-adapter
>>>>>>
>>>>> What I'm saying is...didn't you just totally break the as7 adapter?
>>>>>
>>>>>
>>>> No, they are not in the same module.  But now I do see what you are
>>>> saying.  The subsystem is adding the adapter module, so yes, it's broken
>>>> unless you add the module in jboss-structure.xml.
>>>>
>>>> Need to think on this some more.
>>> So the simplest solution actually is to do what I say above when using
>>> AS7.  That is, you either package the adapter in your WAR or you
>>> reference it in jboss-structure.xml.  That would require no further
>>> changes.  Just merge the PR I sent earlier and I'll change the docs.
>>>
>>> Is that acceptable?  There are some other solutions, but I don't like
>>> them as much.  Anything else we do will require treating the AS7
>>> subsystem as a special case and I just don't see the ROI.  AS7 is (or
>>> should be) a dead platform.
>>>
>>> So what I'm proposing is that we just treat AS7 like Tomcat or Jetty.
>>> We still have the AS7 adapter but you don't use the subsystem.
>> IMO that's a decent solution and better than having a separate subsystem for AS7 (assuming that'd be the only option).
>>
> -20...The subsystem allows you to have specify KEYCLOAK as the
> <auth-method>, as well as to override a WAR's security settings in
> standalone.xml.  Without a subsystem you have to specify a jboss-web.xml
> and a valve.  We need to be as consistent as possible.  If you're not
> going to fix it, let me know and I'll do it.
>
More bad news.  The subsystem simply won't run on AS7 unless it is 
compiled against the AS7 API set.  They've done so much backporting on 
EAP that it looks more like WildFly than the AS7 it was supposed to be 
based on.

I see three choices:

1) Bring back the old code for the AS7 subsystem.
2) Treat AS7 like Tomcat
3) Dump AS7 support altogether.  This is not an entirely radical 
choice.  The last version of AS7 was released almost 3 years ago. It is 
no longer maintained or supported.  It would be interesting to find out 
if anyone is actually using it with Keycloak.