<div dir="ltr">Oki, so sounds like what you proposed is the way to go. I&#39;m not to keen on option 2 or 3 as they seem a bit artificial. Why do they not need auth-server-url though?</div><div class="gmail_extra"><br><div class="gmail_quote">On 29 September 2016 at 08:18, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  <div bgcolor="#FFFFFF" text="#000000"><span class="">

    <div>On 28/09/16 10:58, Stian Thorgersen

      wrote:<br>

    </div>

    <blockquote type="cite">

      <div dir="ltr">Not sure even using &quot;<span style="font-size:12.8px">&lt;secure-deployment...&gt;&quot;

          makes sense at all in this case.  If there&#39;s keycloak.json the

          subsystem still injects the dependencies, but doesn&#39;t do any

          configuration. Why can&#39;t it just rely on that? <br>

        </span></div>

    </blockquote></span>

    Without &quot;secure-deployment&quot;, you also need the KEYCLOAK in

    login-config in web.xml  in addition to keycloak.json. <br>

    <br>

    Anyway, regarding usability, I suspect it&#39;s not an option to require

    people to crack inside hawtio.war and change the things in the WAR

    directly? Otherwise they can just add jboss-deployment-structure.xml

    into the hawtio.war and I don&#39;t need to care about subsystem at all.<span class="HOEnZb"><font color="#888888"><br>

    <br>

    Marek</font></span><div><div class="h5"><br>

    <br>

    <br>

    <blockquote type="cite">

      <div class="gmail_extra"><br>

        <div class="gmail_quote">On 26 September 2016 at 16:39, Marek

          Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>

          wrote:<br>

          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I&#39;ve did

            some testing with hawtio on EAP 7. It works fine, however

            there<br>

            is one thing in our subsystem, which may improve integration

            a bit.<br>

            <br>

            Hawtio doesn&#39;t use servlet security ( security-constraints

            in web.xml )<br>

            but they rely on JAAS, which is needed for JMX calls to be

            performed on<br>

            behalf of JAAS Subject. Hawtio WAR needs to have access to<br>

            keycloak-adapter classes (as it needs login modules for

            JAAS), however<br>

            it doesn&#39;t need subsystem to configure adapter. This is all

            handled by<br>

            JAAS login module.<br>

            <br>

            In other words, it will be nice if subsystem can just inject<br>

            dependencies ( KeycloakDependencyProcessor ), but ignore

            adding<br>

            subsystem configuration ( KeycloakAdapterConfigDeploymen<wbr>tProcessor

            ).<br>

            <br>

            The workaround I used was to add secure-deployment section

            to<br>

            standalone.xml with some dummy values, which are mandatory

            for<br>

            subsystem. It works, but it&#39;s really not too pretty IMO.

            Something like:<br>

            <br>

                         &lt;secure-deployment name=&quot;hawtio.war&quot;&gt;<br>

                             &lt;resource&gt;does-not-matter&lt;/re<wbr>source&gt;<br>

            &lt;auth-server-url&gt;does-not-matt<wbr>er&lt;/auth-server-url&gt;<br>

                         &lt;/secure-deployment&gt;<br>

            <br>

            What will be nice is to have some of those possibilities:<br>

            <br>

            1) Have subsystem to use some default values like

            &quot;undefined&quot; instead of<br>

            null . This is more a workaround as subsystem will still

            process the<br>

            KeycloakAdapterConfigDeploymen<wbr>tProcessor. However it&#39;s

            less work and it<br>

            will improve usability, so this will work just fine:<br>

            <br>

            &lt;secure-deployment name=&quot;hawtio.war&quot; /&gt;<br>

            <br>

            <br>

            2) Tell the subsystem to ignore<br>

            KeycloakAdapterConfigDeploymen<wbr>tProcessor. Looks like

            more work, but<br>

            seems to be more proper solution than (1). I can think of:<br>

            <br>

            2.a) some flag like:<br>

            <br>

            &lt;secure-deployment name=&quot;hawtio.war&quot;

            ignore-deployment-config=&quot;true<wbr>&quot; /&gt;<br>

            <br>

            2.b) Use different element like &quot;deployment&quot; instead of<br>

            &quot;secure-deployment&quot; . The &quot;deployment&quot; will inject

            dependencies, but<br>

            won&#39;t handle adapter configuration. So something like this

            will work:<br>

            <br>

            &lt;deployment name=&quot;hawtio.war&quot; /&gt;<br>

            <br>

            <br>

            WDYT?<br>

            Marek<br>

            <br>

            <br>

            <br>

            ______________________________<wbr>_________________<br>

            keycloak-dev mailing list<br>

            <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>

            <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-dev</a><br>

          </blockquote>

        </div>

        <br>

      </div>

    </blockquote>

    <p><br>

    </p>

  </div></div></div>

</blockquote></div><br></div>