6:16 a.m.
I've just tried out deploying the demo manually using the WildFly subsystem. It's
very cool and I really like how the WildFly subsystem has made things so much simpler.
Some comments though on my "experience" trying this out.
1. Having to edit standalone.xml to add secure-deployment requires restarting the server.
In installation tab we could have an additional option that lists the jboss-cli command to
add this at runtime
2. Customer portal error messages are horrible at best. First I forgot to deploy the
database services, which caused the exception "Unexpected character ('<'
(code 60)): expected a valid value (number, String, array, object, 'true',
'false' or 'null')". This should have probably been something like
"Database services not found". Then I deployed database services, but used the
wrong WAR name in the secure-deployment and the error message was the same, but should
have been "Unauthorized".
3. Finally, it's not clear enough in the log output when the Keycloak sub-system acts
on a deployment and when it doesn't. We definitively need something along the lines
of:
INFO [org.keycloak.wildfly] Keycloak configured for 'customer-portal.war'
Could also be an idea to add (not sure if it should be info or debug):
DEBUG [org.keycloak.wildfly] Ignoring 'customer-portal.war'
6:44 a.m.
On 2/18/2014 7:16 AM, Stian Thorgersen wrote:
I've just tried out deploying the demo manually using the WildFly
subsystem. It's very cool and I really like how the WildFly subsystem has made things
so much simpler. Some comments though on my "experience" trying this out.
1. Having to edit standalone.xml to add secure-deployment requires restarting the server.
In installation tab we could have an additional option that lists the jboss-cli command to
add this at runtime
Yes, it's usually easier and more accurate to run a CLI
script instead
of editing standalone.xml by hand. Using CLI also allows you to make
the update remotely when you might not have access to the remote file
system.
When we get everything integrated a little tighter then the admin
console will be able to make the changes directly to WildFly without
involving standalone.xml or CLI.
2. Customer portal error messages are horrible at best. First I forgot to deploy the
database services, which caused the exception "Unexpected character ('<'
(code 60)): expected a valid value (number, String, array, object, 'true',
'false' or 'null')". This should have probably been something like
"Database services not found". Then I deployed database services, but used the
wrong WAR name in the secure-deployment and the error message was the same, but should
have been "Unauthorized".
3. Finally, it's not clear enough in the log output when the Keycloak sub-system acts
on a deployment and when it doesn't. We definitively need something along the lines
of:
INFO [org.keycloak.wildfly] Keycloak configured for 'customer-portal.war'
+1
Could also be an idea to add (not sure if it should be info or
debug):
DEBUG [org.keycloak.wildfly] Ignoring 'customer-portal.war'
Definitely
DEBUG. Always remember that log messages add to startup time
and certain people on the WildFly team get (understandably) grumpy when
you affect that in any way.
I do think we can justify the "Keycloak configured" message though. That
one seems pretty important.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:45 a.m.
On 2/18/2014 7:44 AM, Stan Silvert wrote:
On 2/18/2014 7:16 AM, Stian Thorgersen wrote:
> I've just tried out deploying the demo manually using the WildFly subsystem.
It's very cool and I really like how the WildFly subsystem has made things so much
simpler. Some comments though on my "experience" trying this out.
>
> 1. Having to edit standalone.xml to add secure-deployment requires restarting the
server. In installation tab we could have an additional option that lists the jboss-cli
command to add this at runtime
Yes, it's usually easier and more accurate to run a CLI script instead
of editing standalone.xml by hand. Using CLI also allows you to make
the update remotely when you might not have access to the remote file
system.
Stan. I actually kinda (not wholeheartedly) disagree. To run the CLI
requires setting up a local user to administrate the server. Its
actually easier to cut, paste, and restart, IMO.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:47 a.m.
On 2/18/2014 9:45 AM, Bill Burke wrote:
On 2/18/2014 7:44 AM, Stan Silvert wrote:
> On 2/18/2014 7:16 AM, Stian Thorgersen wrote:
>> I've just tried out deploying the demo manually using the WildFly subsystem.
It's very cool and I really like how the WildFly subsystem has made things so much
simpler. Some comments though on my "experience" trying this out.
>>
>> 1. Having to edit standalone.xml to add secure-deployment requires restarting the
server. In installation tab we could have an additional option that lists the jboss-cli
command to add this at runtime
> Yes, it's usually easier and more accurate to run a CLI script instead
> of editing standalone.xml by hand. Using CLI also allows you to make
> the update remotely when you might not have access to the remote file
> system.
>
Stan. I actually kinda (not wholeheartedly) disagree. To run the CLI
requires setting up a local user to administrate the server. Its
actually easier to cut, paste, and restart, IMO.
If you are local then CLI does not
require setting up a user. Web
console requires it, but CLI does not.
If you are remote then I'm sure you agree that CLI is better since it is
that much harder to edit a remote file.
Granted, there is more work to do in this area to make it even easier.
One thing you could do is create a CLI script along with a *.sh or *.bat
file to launch it. Tell the user to save it to JBOSS_HOME/bin. Then
you can update the server quickly and accurately with a single click.
9:53 a.m.
On 2/18/2014 10:47 AM, Stan Silvert wrote:
On 2/18/2014 9:45 AM, Bill Burke wrote:
>
> On 2/18/2014 7:44 AM, Stan Silvert wrote:
>> On 2/18/2014 7:16 AM, Stian Thorgersen wrote:
>>> I've just tried out deploying the demo manually using the WildFly
subsystem. It's very cool and I really like how the WildFly subsystem has made things
so much simpler. Some comments though on my "experience" trying this out.
>>>
>>> 1. Having to edit standalone.xml to add secure-deployment requires restarting
the server. In installation tab we could have an additional option that lists the
jboss-cli command to add this at runtime
>> Yes, it's usually easier and more accurate to run a CLI script instead
>> of editing standalone.xml by hand. Using CLI also allows you to make
>> the update remotely when you might not have access to the remote file
>> system.
>>
> Stan. I actually kinda (not wholeheartedly) disagree. To run the CLI
> requires setting up a local user to administrate the server. Its
> actually easier to cut, paste, and restart, IMO.
If you are local then CLI does not require setting up a user. Web
console requires it, but CLI does not.
If you are remote then I'm sure you agree that CLI is better since it is
that much harder to edit a remote file.
I just can't see (yet) anybody securing a system remotely. Even in the
Openshift case, its a real pain to do anything with a subsystem remotely
as you have to do port mapping to expose the admin HTTP interface, and
also set up a admin user (which I don't think can be done without
hardcoding initial credentials).
Granted, there is more work to do in this area to make it even
easier.
One thing you could do is create a CLI script along with a *.sh or *.bat
file to launch it. Tell the user to save it to JBOSS_HOME/bin. Then
you can update the server quickly and accurately with a single click.
Or, they could just cut and paste the XML from the admin console to
standalone.xml...which is, still...IMO...faster, simpler, and easier?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 18 February, 2014 3:53:38 PM
Subject: Re: [keycloak-dev] WildFly subsystem and demo
On 2/18/2014 10:47 AM, Stan Silvert wrote:
> On 2/18/2014 9:45 AM, Bill Burke wrote:
>>
>> On 2/18/2014 7:44 AM, Stan Silvert wrote:
>>> On 2/18/2014 7:16 AM, Stian Thorgersen wrote:
>>>> I've just tried out deploying the demo manually using the WildFly
>>>> subsystem. It's very cool and I really like how the WildFly
subsystem
>>>> has made things so much simpler. Some comments though on my
>>>> "experience" trying this out.
>>>>
>>>> 1. Having to edit standalone.xml to add secure-deployment requires
>>>> restarting the server. In installation tab we could have an additional
>>>> option that lists the jboss-cli command to add this at runtime
>>> Yes, it's usually easier and more accurate to run a CLI script instead
>>> of editing standalone.xml by hand. Using CLI also allows you to make
>>> the update remotely when you might not have access to the remote file
>>> system.
>>>
>> Stan. I actually kinda (not wholeheartedly) disagree. To run the CLI
>> requires setting up a local user to administrate the server. Its
>> actually easier to cut, paste, and restart, IMO.
> If you are local then CLI does not require setting up a user. Web
> console requires it, but CLI does not.
>
> If you are remote then I'm sure you agree that CLI is better since it is
> that much harder to edit a remote file.
>
I just can't see (yet) anybody securing a system remotely. Even in the
Openshift case, its a real pain to do anything with a subsystem remotely
as you have to do port mapping to expose the admin HTTP interface, and
also set up a admin user (which I don't think can be done without
hardcoding initial credentials).
The WF cartridge we forked actually creates a admin user and prints out the
username/password when you first create it. Not sure if the "official" WF
cartridge does the same though.
One solution could be to have "deployable" config files in the same way as you
can put "-ds.xml" files in standalone/deployment. That could be simpler for
OpenShift at least. Basically you'd:
1. Create KC cartridge
2. Open admin console, create the app, download a "myapp-keycloak.xml"
3. Add "myapp-keycloak.xml" and your war to deployments and git push to redeploy
it
> Granted, there is more work to do in this area to make it even easier.
> One thing you could do is create a CLI script along with a *.sh or *.bat
> file to launch it. Tell the user to save it to JBOSS_HOME/bin. Then
> you can update the server quickly and accurately with a single click.
Or, they could just cut and paste the XML from the admin console to
standalone.xml...which is, still...IMO...faster, simpler, and easier?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
10:10 a.m.
On 2/18/2014 11:00 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Tuesday, 18 February, 2014 3:53:38 PM
> Subject: Re: [keycloak-dev] WildFly subsystem and demo
>
>
>
> On 2/18/2014 10:47 AM, Stan Silvert wrote:
>> On 2/18/2014 9:45 AM, Bill Burke wrote:
>>>
>>> On 2/18/2014 7:44 AM, Stan Silvert wrote:
>>>> On 2/18/2014 7:16 AM, Stian Thorgersen wrote:
>>>>> I've just tried out deploying the demo manually using the
WildFly
>>>>> subsystem. It's very cool and I really like how the WildFly
subsystem
>>>>> has made things so much simpler. Some comments though on my
>>>>> "experience" trying this out.
>>>>>
>>>>> 1. Having to edit standalone.xml to add secure-deployment requires
>>>>> restarting the server. In installation tab we could have an
additional
>>>>> option that lists the jboss-cli command to add this at runtime
>>>> Yes, it's usually easier and more accurate to run a CLI script
instead
>>>> of editing standalone.xml by hand. Using CLI also allows you to make
>>>> the update remotely when you might not have access to the remote file
>>>> system.
>>>>
>>> Stan. I actually kinda (not wholeheartedly) disagree. To run the CLI
>>> requires setting up a local user to administrate the server. Its
>>> actually easier to cut, paste, and restart, IMO.
>> If you are local then CLI does not require setting up a user. Web
>> console requires it, but CLI does not.
>>
>> If you are remote then I'm sure you agree that CLI is better since it is
>> that much harder to edit a remote file.
>>
>
> I just can't see (yet) anybody securing a system remotely. Even in the
> Openshift case, its a real pain to do anything with a subsystem remotely
> as you have to do port mapping to expose the admin HTTP interface, and
> also set up a admin user (which I don't think can be done without
> hardcoding initial credentials).
The WF cartridge we forked actually creates a admin user and prints out the
username/password when you first create it. Not sure if the "official" WF
cartridge does the same though.
So you can have a custom "install script" for a cartridge that runs?
That makes things easier. But you still have to set up port mapping to
expose the admin ports.
One solution could be to have "deployable" config files in
the same way as you can put "-ds.xml" files in standalone/deployment. That could
be simpler for OpenShift at least. Basically you'd:
1. Create KC cartridge
2. Open admin console, create the app, download a "myapp-keycloak.xml"
3. Add "myapp-keycloak.xml" and your war to deployments and git push to
redeploy it
Why wouldn't you just crack open the war and put in keycloak.json?
We need to figure out bootstrapping for Aerogear. That is a separate
email thread I started a week or so ago. This is a case where the app
being secured by keycloak is based on Wildfly, but you don't want to
require the admins to actually know it is based on wildfly.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:24 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 18 February, 2014 4:10:12 PM
Subject: Re: [keycloak-dev] WildFly subsystem and demo
On 2/18/2014 11:00 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 18 February, 2014 3:53:38 PM
>> Subject: Re: [keycloak-dev] WildFly subsystem and demo
>>
>>
>>
>> On 2/18/2014 10:47 AM, Stan Silvert wrote:
>>> On 2/18/2014 9:45 AM, Bill Burke wrote:
>>>>
>>>> On 2/18/2014 7:44 AM, Stan Silvert wrote:
>>>>> On 2/18/2014 7:16 AM, Stian Thorgersen wrote:
>>>>>> I've just tried out deploying the demo manually using the
WildFly
>>>>>> subsystem. It's very cool and I really like how the WildFly
subsystem
>>>>>> has made things so much simpler. Some comments though on my
>>>>>> "experience" trying this out.
>>>>>>
>>>>>> 1. Having to edit standalone.xml to add secure-deployment
requires
>>>>>> restarting the server. In installation tab we could have an
additional
>>>>>> option that lists the jboss-cli command to add this at runtime
>>>>> Yes, it's usually easier and more accurate to run a CLI script
instead
>>>>> of editing standalone.xml by hand. Using CLI also allows you to
make
>>>>> the update remotely when you might not have access to the remote
file
>>>>> system.
>>>>>
>>>> Stan. I actually kinda (not wholeheartedly) disagree. To run the CLI
>>>> requires setting up a local user to administrate the server. Its
>>>> actually easier to cut, paste, and restart, IMO.
>>> If you are local then CLI does not require setting up a user. Web
>>> console requires it, but CLI does not.
>>>
>>> If you are remote then I'm sure you agree that CLI is better since it
is
>>> that much harder to edit a remote file.
>>>
>>
>> I just can't see (yet) anybody securing a system remotely. Even in the
>> Openshift case, its a real pain to do anything with a subsystem remotely
>> as you have to do port mapping to expose the admin HTTP interface, and
>> also set up a admin user (which I don't think can be done without
>> hardcoding initial credentials).
>
> The WF cartridge we forked actually creates a admin user and prints out the
> username/password when you first create it. Not sure if the "official" WF
> cartridge does the same though.
>
So you can have a custom "install script" for a cartridge that runs?
That makes things easier. But you still have to set up port mapping to
expose the admin ports.
Yes, it's just a bunch of bash scripts. I was going to use this as a way of
automatically configuring the db. When you create KC you can choose to add the MySQL or
PostgreSQL add-on cartridges, and on first startup it would detect if one is available and
automatically re-configure the db.
> One solution could be to have "deployable" config files in the same way
as
> you can put "-ds.xml" files in standalone/deployment. That could be
> simpler for OpenShift at least. Basically you'd:
>
> 1. Create KC cartridge
> 2. Open admin console, create the app, download a "myapp-keycloak.xml"
> 3. Add "myapp-keycloak.xml" and your war to deployments and git push to
> redeploy it
>
Why wouldn't you just crack open the war and put in keycloak.json?
Because you need to crack it open. Also, for the future if you change the config in KC, or
you make some updates to your war, you're required to do it again.
IMO config should never ever be inside a WAR ;)
We need to figure out bootstrapping for Aerogear. That is a separate
email thread I started a week or so ago. This is a case where the app
being secured by keycloak is based on Wildfly, but you don't want to
require the admins to actually know it is based on wildfly.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:32 a.m.
Sorry, took a vacation day yesterday. had some friends from Denmark
here in the US and we went skiing locally...
On 2/18/2014 7:16 AM, Stian Thorgersen wrote:
I've just tried out deploying the demo manually using the WildFly
subsystem. It's very cool and I really like how the WildFly subsystem has made things
so much simpler. Some comments though on my "experience" trying this out.
1. Having to edit standalone.xml to add secure-deployment requires restarting the server.
In installation tab we could have an additional option that lists the jboss-cli command to
add this at runtime
Ugh, I forgot to mention you needed to restart in the doco.
Also, if you remember, I was going to add an option in keycloak that
allowed the admin console to remotely set up this config. But, on
second thought, this requires setting up an admin on the wildfly
instance. It actually seems easier to just cut and paste from the admin
console window to standalone.xml and restart the server. I don't think
you're going to be securing live systems.
2. Customer portal error messages are horrible at best. First I
forgot to deploy the database services, which caused the exception "Unexpected
character ('<' (code 60)): expected a valid value (number, String, array,
object, 'true', 'false' or 'null')". This should have
probably been something like "Database services not found". Then I deployed
database services, but used the wrong WAR name in the secure-deployment and the error
message was the same, but should have been "Unauthorized".
Long standing issue. I'll fix that.
3. Finally, it's not clear enough in the log output when the
Keycloak sub-system acts on a deployment and when it doesn't. We definitively need
something along the lines of:
Ok, i'll add that.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:02 a.m.
On 18.2.2014 15:32, Bill Burke wrote:
> Customer portal error messages are horrible at best. First I
forgot to deploy the database services, which caused the exception "Unexpected
character ('<' (code 60)): expected a valid value (number, String, array,
object, 'true', 'false' or 'null')". This should have
probably been something like "Database services not found". Then I deployed
database services, but used the wrong WAR name in the secure-deployment and the error
message was the same, but should have been "Unauthorized".
> >
Long standing issue. I'll fix that.
I've tried distribution yesterday to check it works with databases and 2
more things related to examples:
- There is minor issue that subsystem-config.xml is in the examples ZIP
distribution in directory "preconfigured-demo" but should be in
"unconfigured-demo" IMO because preconfigured-demo already has these
predefined JSON files for adapter configuration and can work with empty
subsystem definition.
- It seems that "third-party" and "third-party-cdi" in
unconfigured-demo
doesn't work. Not sure if subsystem will support configuration of
oauth-clients as well, but right now it doesn't look like that. Now
these examples always assume that you have keycloak.json file available
and read configuration from it.
Marek
8:22 a.m.
On 2/19/2014 4:02 AM, Marek Posolda wrote:
On 18.2.2014 15:32, Bill Burke wrote:
>> Customer portal error messages are horrible at best. First I forgot
>> to deploy the database services, which caused the exception
>> "Unexpected character ('<' (code 60)): expected a valid value
>> (number, String, array, object, 'true', 'false' or
'null')". This
>> should have probably been something like "Database services not
>> found". Then I deployed database services, but used the wrong WAR
>> name in the secure-deployment and the error message was the same, but
>> should have been "Unauthorized".
>> >
> Long standing issue. I'll fix that.
>
I've tried distribution yesterday to check it works with databases and 2
more things related to examples:
- There is minor issue that subsystem-config.xml is in the examples ZIP
distribution in directory "preconfigured-demo" but should be in
"unconfigured-demo" IMO because preconfigured-demo already has these
predefined JSON files for adapter configuration and can work with empty
subsystem definition.
Missed that one. I'll fix it.
- It seems that "third-party" and
"third-party-cdi" in unconfigured-demo
doesn't work. Not sure if subsystem will support configuration of
oauth-clients as well, but right now it doesn't look like that. Now
these examples always assume that you have keycloak.json file available
and read configuration from it.
Yes, they don't work because you have to configure them. The screencast
tutorial walks you through it.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3963
days inactive
3964
days old
10 comments
4 participants
participants (4)
-
Bill Burke -
Marek Posolda -
Stan Silvert -
Stian Thorgersen