On 11/30/2015 05:24 PM, Bill Burke wrote:
Infinispan (caching), JPA, datasources, servlet, JAX-RS.
Wildfly/JBoss is also set to run out of the box in a cluster and manageable
in a domain (a cluster) out of the box. Not to mention all the classloader
isolation you DO NOT get with Tomcat. Finally all the built in patch
management that comes with Wildfly/JBoss. Then there's developers that
will want to deploy integration/extension plugins. We can also leverage
Wildfly's deployment engine for that too.
Running Keycloak Auth Server in Tomcat/Jetty would actually not be a
very smart thing to do. There are huge advantages to running within
Wildfly/JBoss. The only disadvantage is the size of the distro. There
is no performance penalty.
In order to deploy Keycloak as a partner to FreeIPA, it needs to be
managed in the same manner as FreeIPA.
They are two different deployment strategies, with different management
tooling around each. Dogtag is an example of Tomcat only based
deployment that is managed via RPMs, with a specially hardened Tomcat
container that is necessary to pass Common Criteria and FIPS 140
certifications; making those changes to JBoss would be awesome, but
perhaps far more of an engineering effort than any of us care to make.
I am personally a fan of JBoss based deployments, but a Tomcat only is
more practical from a Fedora and CentOS starting point.
We see this same issue come up with all of the language specific package
and patch managers. We can't deploy Python code from PIP, Ruby via
Gems, or Perl from CPAN; they all get packaged first. The extra work
ensures that nothing binary-only sneaks in, that all licenses get
reviewed, and that someone from outside the team reviews the packaging
to ensure it meets distribution standards.
We have looked into trimming the Wildfly distro, but nixed that because
it puts a huge burden on productization. It's just much easier for them
if we just layer on top of the full app server.