<div dir="ltr"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><span style="font-size:12.8px">The amount of effort on application side is even less than with picketlink. <b><font color="#ff0000">The thing is that you need keycloak server</font></b>. It can be executed either in same JVM ( Wildfly/EAP instance) like your application or on completely different server. </span><br style="font-size:12.8px"></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><span style="font-size:12.8px">The best is to start with keycloak documentation and possibly screencasts and try examples.</span></blockquote><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">This is the "problem". Think about it:</span></div><div><span style="font-size:12.8px"><br></span></div><div><div><span style="font-size:12.8px">I develop an open source system that uses a secure system and, in theory, can run on any application server compatible with JEE7+</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">My "users" will download the war, put it on WF, then still have to make a number of settings on the server to be able to type username and password, login, make control access, create groups, give permission ... Anyway, unnecessary for this scenario.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">What I know is that KC is a more business world, where we have a more robust infrastructure. PL can be used in that case or something heavier integrated with KC.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Well, what I am saying since I wrote my first e-mail is that technology does not replace the other, but can complement each other...</span></div></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">But okay. 
For now, I would just like it if someone could generate versions of PL, snapshots, see and apply PRs, make snapshots and publish to Maven; this would be a great help.</span><br></div><div><span style="font-size:12.8px"><br></span></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><b>Arthur P. Gregório</b><br><i>+55 45 9958-0302</i><br>@gregorioarthur<br><a href="http://www.arthurgregorio.eti.br" target="_blank">www.arthurgregorio.eti.br</a><br></div></div>
<br><div class="gmail_quote">2015-11-25 8:29 GMT-02:00 Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div>On 24/11/15 11:50, Arthur Gregório
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I only use JPA/LDAP authentication, simple and not
need to mess with XML and have only a single Jar in my classpath
without relying on my application server or something.</div>
</blockquote></span>
With Keycloak, you also don't need to mess with any XML. The idea
is, that there is minimal code needed on application side. All the
work like authentication, identity management, LDAP integration,
social integration etc is done on Keycloak server. Your application
just needs to know how to talk to Keycloak server, so you need to
add keycloak.json file with some "adapter configuration", which
points how your application can talk to Keycloak server (it uses
OpenID Connect or SAML2 protocols for communication with server).
The amount of dependencies on application side is also quite
minimal.<span class=""><br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
<div>In short, KC can be very good at it, but for those who
already have something done and solid in the PL, it is
impossible to migrate.</div>
</div>
<div><br>
</div>
<div>Until someone says I can use the KC to do this [1] with the
same effort that I have with the PL, I will continue thinking
that the framework should receive attention again.<br>
</div>
<div><br>
</div>
<div>[1] <a href="https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-authentication-form-with-jsf" target="_blank">https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-authentication-form-with-jsf</a></div>
</div>
</blockquote></span>
The amount of effort on application side is even less than with
picketlink. The thing is that you need keycloak server. It can be
executed either in same JVM ( Wildfly/EAP instance) like your
application or on completely different server. <br>
<br>
The best is to start with keycloak documentation and possibly
screencasts and try examples.<span class="HOEnZb"><font color="#888888"><br>
<br>
Marek</font></span><div><div class="h5"><br>
<blockquote type="cite">
<div class="gmail_extra"><br clear="all">
<div>
<div><b>Arthur P. Gregório</b><br>
<i><a href="tel:%2B55%2045%209958-0302" value="+554599580302" target="_blank">+55 45 9958-0302</a></i><br>
@gregorioarthur<br>
<a href="http://www.arthurgregorio.eti.br" target="_blank">www.arthurgregorio.eti.br</a><br>
</div>
</div>
<br>
<div class="gmail_quote">2015-11-24 5:46 GMT-02:00 Marek Posolda
<span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Keycloak now supports SAML SP implementation, which
doesn't require KC server. It can talk to any other SAML
IdP. The docs are here <a href="http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html" target="_blank">http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html</a>
. For the future, we will mainly focus on
improving/maintaining the Keycloak SAML SP rather than
Picketlink.<br>
<br>
Also there is no need to fork the Picketlink project to
your own, you can still propose and send PR to
Picketlink . This will allow that more people from the
community can suffer from your work.<span><font color="#888888"><br>
<br>
Marek</font></span>
<div>
<div><br>
<br>
<br>
On 23/11/15 23:40, larry mccay wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">This is a disappointing situation.
<div>PL should have been continued and then
consumed by KC.</div>
<div>I will not be pulling in KC in its entirety
in order to do SAML SP implementations - we will
need to move to something else.</div>
<div><br>
</div>
<div>I suggest that a PL module be published from
KC that has minimal dependencies.</div>
<div>You can migrate the PL functionality to KC
this way but not force all of the new
dependencies on consumers.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Nov 23, 2015 at
11:19 AM, Arthur Gregório <span dir="ltr">&lt;<a href="mailto:arthurshakal@gmail.com" target="_blank">arthurshakal@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I saw this post, and I know
what KC does..
<div><br>
</div>
<div>
<div>What I mean is that I do not need all
the things that KC does, I want something
simple, like PL.</div>
<div><br>
</div>
<div>I posted in a thread about it on the
same topic "continuity of PL" on the dev
list of KC and the same answer was
given.</div>
<div><br>
</div>
<div>PL is such a cool framework, I refuse
to believe that only I use it or only I
noticed this deep sleep that the project
came...</div>
<div><br>
</div>
<div>Finally, the fact is that PL is like
Spring Security, a swatter convenient
and fast flies. KC is already like a
cannon, large and meaningless to the
context of solving a simple problem like
killing a single mosquito.</div>
<div><br>
</div>
<div>But if so, the business is to make a
project fork and working on my own
version.</div>
</div>
<div><br>
</div>
<div>at.,</div>
</div>
<div class="gmail_extra"><span><br clear="all">
<div>
<div><b>Arthur P. Gregório</b><br>
<i><a href="tel:%2B55%2045%209958-0302" value="+554599580302" target="_blank">+55 45 9958-0302</a></i><br>
@gregorioarthur<br>
<a href="http://www.arthurgregorio.eti.br" target="_blank">www.arthurgregorio.eti.br</a><br>
</div>
</div>
<br>
</span>
<div>
<div>
<div class="gmail_quote">2015-11-23
13:07 GMT-02:00 Bruno Oliveira <span dir="ltr">&lt;<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Please take a look
at <a href="http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/" target="_blank">http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/</a>
<div><br>
</div>
<div>I think this post answers
your question.</div>
</div>
<div>
<div><br>
<div class="gmail_quote">
<div dir="ltr">On Mon, Nov 23,
2015 at 1:05 PM Stephen
Agneta &lt;<a href="mailto:sagneta@gmail.com" target="_blank">sagneta@gmail.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>I'll share what I
know with you in the
hopes that it will help
somehow. </div>
<div><br>
</div>
Well KC (keycloak) is a
super-set of the PL
(PicketLink) functionality
thus in theory it ought to
work fine once it is ready
and once some sort of
migration path is known.
You may not wish to move
to KC due to the
additional functionality
which may be off-putting
for lite applications but
KC will perform everything
PL did and more and will
do so in VM memory if you
so choose.
<div><br>
</div>
<div>Essentially KC is a
real federated
authentication and
authorization service
with identity management
that can run standalone
or in-VM within a
WildFly cluster.
Although a Java
implementation it works
with other systems and
languages out of
process. It does
integrate with Spring
which may interest you.</div>
<div><br>
</div>
<div>The following link
provides information for
Wildfly 9 clustered
installation:</div>
<div><a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#overlay_install" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#overlay_install</a><br>
</div>
<div><br>
</div>
<div>Thus you should be
able to have your
authorization demands
met _in VM_ as opposed
to over-the-wire for
performance reasons if
necessary.</div>
<div><br>
</div>
<div>IMOP I think the KC
project is the right
move. They are fixing
the big issue which is
the lack of an
opensource Federated
Identity Management
System. They also fixed
little things such as
Composite Roles which
are missing from PL.</div>
<div><br>
</div>
<div> I merely disliked
the abrupt change-over.
I also can't move to
keycloak until I have
more of an idea how the
migration would work. </div>
<div>For example, how
different is the default
KC relational schema
from the default basic
PL schema:</div>
<div><br>
</div>
<div><a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136</a><br>
</div>
<div><br>
</div>
<div>It is also not clear
if keycloak has a CDI
demand system ready like
PicketLink. They only
hint at it. <span style="line-height:1.5"> Also
it runs in-cluster on
Wildfly 9 and I am on
8. Nothing huge but
issues that will need
to be addressed. </span></div>
<div><span style="line-height:1.5"><br>
</span></div>
<div>Hope that helps. </div>
<div><span style="line-height:1.5"><br>
</span></div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Mon, Nov
23, 2015 at 8:54 AM
Arthur Gregório &lt;<a href="mailto:arthurshakal@gmail.com" target="_blank">arthurshakal@gmail.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>And KC does not
have the same
purpose as the PL.</div>
<div><br>
</div>
<div>In short, I have
no reason to migrate
from one to the
other, I use PL or
go back to Spring
Security.</div>
<div><br>
</div>
<div>But it seems that
there has not been
any development in
PL, at least in
recent months, in
short, it seems that
the project is dying
and all that were
used for its own
account.</div>
<div><br>
</div>
<div>And with bugs
like this <a href="https://developer.jboss.org/thread/266387" target="_blank">https://developer.jboss.org/thread/266387</a>,
it's not cool to let
the project
stalled...<br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div><b>Arthur P.
Gregório</b><br>
<i><a href="tel:%2B55%2045%209958-0302" value="+554599580302" target="_blank">+55
45 9958-0302</a></i><br>
@gregorioarthur<br>
<a href="http://www.arthurgregorio.eti.br" target="_blank">www.arthurgregorio.eti.br</a><br>
</div>
</div>
<br>
</div>
<div class="gmail_extra">
<div class="gmail_quote">2015-11-23
11:47 GMT-02:00
Stephen Agneta <span dir="ltr">&lt;<a href="mailto:sagneta@gmail.com" target="_blank">sagneta@gmail.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br>
<div>It
certainly
appears that
everything has
moved to
key-cloak but
I am unsure
that keycloak
is ready to
take the
burden of
current
Picketlink
implementations.
Nor am I sure
how the
migration
process would
occur. The
abruptness of
the change is
a bit
disconcerting.
Having said
that
Picketlink is
working fine
save for one
defect that
which I
requested that
is on the git
HEAD but not
in any
particular
release. </div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div>
<div>
<div dir="ltr">On
Mon, Nov 23,
2015 at 8:43
AM Arthur
Gregório &lt;<a href="mailto:arthurshakal@gmail.com" target="_blank">arthurshakal@gmail.com</a>&gt;
wrote:<br>
</div>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div dir="ltr">
<div>Picketlink
is dead? </div>
<div><br>
</div>
<div>The last
commit in the
project repo
was in 9
July.. </div>
<div><br>
</div>
<div>Is there
a schedule for
the new
version or
something like
that?<br>
</div>
<div><br>
</div>
<div>at.,</div>
<br clear="all">
<div>
<div><b>Arthur
P. Gregório</b><br>
<i><a href="tel:%2B55%2045%209958-0302" value="+554599580302" target="_blank">+55
45 9958-0302</a></i><br>
@gregorioarthur<br>
<a href="http://www.arthurgregorio.eti.br" target="_blank">www.arthurgregorio.eti.br</a><br>
</div>
</div>
</div>
</div>
</div>
_______________________________________________<br>
security-dev
mailing list<br>
<a href="mailto:security-dev@lists.jboss.org" target="_blank">security-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/security-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/security-dev</a></blockquote>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>