Some good news:
- Keycloak integration is finally working with hawtio on JBoss Fuse,
Apache karaf or standalone Jetty and Tomcat
- Login, logout from hawtio and single-sign-out from different app are
- Added some instructions on how to get things working if anyone wants to
take a look:
- I am working with hawtio master and doing changes in my local hawtio
fork. I've squashed all my current changes into the last commit of the branch
for easier review
- I suppose that keycloak integration is not mandatory and enabled just
on demand. So I still kept hawtio default login mechanism and keycloak
authentication is enabled by config switch.
- As I already mentioned, hawtio is not using servlet authentication.
They use JAAS to authenticate. So the approach I have for
server-side authentication is based on a JAAS BearerTokenLoginModule,
which is able to authenticate a user based on a KC accessToken, which is
passed to it as the password via CallbackHandler.
- The second approach might be to reuse the jetty adapter, which would mean
that hawtio.war should be changed to have servlet security enabled and
then there is an HttpFilter, which will establish a JAAS authenticated
Subject to perform jolokia calls. Which approach is better also depends
on whether keycloak integration will be a 1st class citizen in JBoss Fuse
and will be installed by default. If the Jetty adapter is going to be
installed by default in fuse, then it's maybe easier to take the adapter
approach for hawtio too. But I still don't know how deep keycloak
integration is supposed to be and if it's mandatory for fuse or not...
Things I still need to look at:
- Jolokia and JMX security
- More testing and bugfixing (just figured out during testing, before
writing this mail, that gogo is not working from the hawtio console. There
are likely more minor things which should be addressed...)
- Look at installing keycloak jetty adapter to fuse
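As an added illustration of the JAAS approach described in the mail (example code, not hawtio's or Keycloak's own module), the sketch below shows a LoginModule that receives the access token through the PasswordCallback and populates the Subject with the roles the token grants. The TokenVerifier interface and the "tokenVerifier" module option are assumptions; a real verifier would check the token's signature against the realm's public key, its issuer, audience and expiry.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical verifier (an assumption, not Keycloak's API): validates the token's
// signature, issuer, audience and expiry and returns the roles it grants.
interface TokenVerifier {
    Set<String> verify(String accessToken, String expectedUser) throws LoginException;
}

record NamedPrincipal(String name) implements Principal { public String getName() { return name; } }

/** Bearer-token JAAS module: the access token is handed over through the password callback. */
public class BearerTokenJaasModule implements LoginModule {
    private Subject subject; private CallbackHandler handler;
    private TokenVerifier verifier;  // assumption: wired in through the module options map
    private String user; private Set<String> roles;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; verifier = (TokenVerifier) opts.get("tokenVerifier");
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("username");
        PasswordCallback pw = new PasswordCallback("access token", false);
        try {
            handler.handle(new Callback[] { name, pw });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain token from CallbackHandler: " + e.getMessage());
        }
        char[] token = pw.getPassword();
        if (token == null || token.length == 0) throw new LoginException("no bearer token supplied");
        // The "password" is a signed token: validate it, never compare it against a stored secret.
        roles = verifier.verify(new String(token), name.getName());
        pw.clearPassword();
        user = name.getName();
        return true;
    }

    public boolean commit() {  // populate the Subject that the jolokia/JMX calls will run under
        if (roles == null) return false;
        subject.getPrincipals().add(new NamedPrincipal(user));
        roles.forEach(r -> subject.getPrincipals().add(new NamedPrincipal(r)));
        return true;
    }

    public boolean abort() { roles = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); roles = null; return true; }
}
```

Because the token only travels through the password callback, the module must reject an empty or unverifiable token before commit(), otherwise a Subject with no principals could still be treated as logged in by callers that ignore the login() result.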