<div dir="ltr">Oki, so sounds like what you proposed is the way to go. I'm not to keen on option 2 or 3 as they seem a bit artificial. Why do they not need auth-server-url though?</div><div class="gmail_extra"><br><div class="gmail_quote">On 29 September 2016 at 08:18, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 28/09/16 10:58, Stian Thorgersen
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Not sure even using "<span style="font-size:12.8px"><secure-deployment...>"
makes sense at all in this case. If there's keycloak.json the
subsystem still injects the dependencies, but doesn't do any
configuration. Why can't it just rely on that? <br>
</span></div>
</blockquote></span>
Without "secure-deployment", you also need the KEYCLOAK in
login-config in web.xml in addition to keycloak.json. <br>
<br>
Anyway, regarding usability, I suspect it's not an option to require
people to crack inside hawtio.war and change the things in the WAR
directly? Otherwise they can just add jboss-deployment-structure.xml
into the hawtio.war and I don't need to care about subsystem at all.<span class="HOEnZb"><font color="#888888"><br>
<br>
Marek</font></span><div><div class="h5"><br>
<br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 26 September 2016 at 16:39, Marek
Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I've did
some testing with hawtio on EAP 7. It works fine, however
there<br>
is one thing in our subsystem, which may improve integration
a bit.<br>
<br>
Hawtio doesn't use servlet security ( security-constraints
in web.xml )<br>
but they rely on JAAS, which is needed for JMX calls to be
performed on<br>
behalf of JAAS Subject. Hawtio WAR needs to have access to<br>
keycloak-adapter classes (as it needs login modules for
JAAS), however<br>
it doesn't need subsystem to configure adapter. This is all
handled by<br>
JAAS login module.<br>
<br>
In other words, it will be nice if subsystem can just inject<br>
dependencies ( KeycloakDependencyProcessor ), but ignore
adding<br>
subsystem configuration ( KeycloakAdapterConfigDeploymen<wbr>tProcessor
).<br>
<br>
The workaround I used was to add secure-deployment section
to<br>
standalone.xml with some dummy values, which are mandatory
for<br>
subsystem. It works, but it's really not too pretty IMO.
Something like:<br>
<br>
<secure-deployment name="hawtio.war"><br>
<resource>does-not-matter</re<wbr>source><br>
<auth-server-url>does-not-matt<wbr>er</auth-server-url><br>
</secure-deployment><br>
<br>
What will be nice is to have some of those possibilities:<br>
<br>
1) Have subsystem to use some default values like
"undefined" instead of<br>
null . This is more a workaround as subsystem will still
process the<br>
KeycloakAdapterConfigDeploymen<wbr>tProcessor. However it's
less work and it<br>
will improve usability, so this will work just fine:<br>
<br>
<secure-deployment name="hawtio.war" /><br>
<br>
<br>
2) Tell the subsystem to ignore<br>
KeycloakAdapterConfigDeploymen<wbr>tProcessor. Looks like
more work, but<br>
seems to be more proper solution than (1). I can think of:<br>
<br>
2.a) some flag like:<br>
<br>
<secure-deployment name="hawtio.war"
ignore-deployment-config="true<wbr>" /><br>
<br>
2.b) Use different element like "deployment" instead of<br>
"secure-deployment" . The "deployment" will inject
dependencies, but<br>
won't handle adapter configuration. So something like this
will work:<br>
<br>
<deployment name="hawtio.war" /><br>
<br>
<br>
WDYT?<br>
Marek<br>
<br>
<br>
<br>
______________________________<wbr>_________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-dev</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<p><br>
</p>
</div></div></div>
</blockquote></div><br></div>