10:51 a.m.
Should KEYCLOAK_APPLICATION or KEYCLOAK_IDENTITY_REQUESTER be visible at all externally
(both in REST endpoints and admin console)?
I was thinking that these roles should be removed from the list of roles returned, and if
anyone tries to delete a role starting with "KEYCLOAK_" a not found should be
returned.
10:53 a.m.
Yeah, I want to remove "*" too altogether. I think I have a JIRA for
"*", but not for the KEYCLOAK_... stuff.
On 11/14/2013 11:51 AM, Stian Thorgersen wrote:
Should KEYCLOAK_APPLICATION or KEYCLOAK_IDENTITY_REQUESTER be visible
at all externally (both in REST endpoints and admin console)?
I was thinking that these roles should be removed from the list of roles returned, and if
anyone tries to delete a role starting with "KEYCLOAK_" a not found should be
returned.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:02 a.m.
Ok - I can sort these out.
By the way I've updated the dist to WildFly + made it use persistent H2 by default.
Once we've got a release somewhere I can quickly modify my WildFly OpenShift
QuickStart to make it easy to get Keycloak up and running on OpenShift. I haven't
looked at configuring SSL by default yet though, maybe that's something we can push
post-M1?
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 14 November, 2013 4:53:48 PM
Subject: Re: [keycloak-dev] Don't show KEYCLOAK_APPLICATION and
KEYCLOAK_IDENTITY_REQUESTER externally
Yeah, I want to remove "*" too altogether. I think I have a JIRA for
"*", but not for the KEYCLOAK_... stuff.
On 11/14/2013 11:51 AM, Stian Thorgersen wrote:
> Should KEYCLOAK_APPLICATION or KEYCLOAK_IDENTITY_REQUESTER be visible at
> all externally (both in REST endpoints and admin console)?
>
> I was thinking that these roles should be removed from the list of roles
> returned, and if anyone tries to delete a role starting with "KEYCLOAK_"
a
> not found should be returned.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
11:20 a.m.
On 11/14/2013 12:02 PM, Stian Thorgersen wrote:
Ok - I can sort these out.
By the way I've updated the dist to WildFly + made it use persistent H2 by default.
Once we've got a release somewhere I can quickly modify my WildFly OpenShift
QuickStart to make it easy to get Keycloak up and running on OpenShift. I haven't
looked at configuring SSL by default yet though, maybe that's something we can push
post-M1?
Might be as easy as running keytool within run.sh if the appropriate
keystore doesn't exist in the distro. That was my thinking at least.
FYI, there is currently a nasty bug in Undertow/Wildfly where the
JSESSIONID cookie's path is set to '/' and thus sessions (well really 1
session) are shared between deployed WARs :( Sort of makes our demo
undemo-able :)
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:35 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 14 November, 2013 5:20:10 PM
Subject: Re: [keycloak-dev] Don't show KEYCLOAK_APPLICATION and
KEYCLOAK_IDENTITY_REQUESTER externally
On 11/14/2013 12:02 PM, Stian Thorgersen wrote:
> Ok - I can sort these out.
>
> By the way I've updated the dist to WildFly + made it use persistent H2 by
> default. Once we've got a release somewhere I can quickly modify my
> WildFly OpenShift QuickStart to make it easy to get Keycloak up and
> running on OpenShift. I haven't looked at configuring SSL by default yet
> though, maybe that's something we can push post-M1?
>
Might be as easy as running keytool within run.sh if the appropriate
keystore doesn't exist in the distro. That was my thinking at least.
That's simpler than my pure-java idea ;)
I was going to create the cert from within KeycloakApplicationServer then setup the https
connector at runtime (can be done from a war, but need to find the code for it, had it
somewhere but now it's lost).
My reasoning was that I don't have a Windows machine so couldn't test adding this
to standalone.bat. Whatever you add to standalone.sh needs to be tested with cygwin as
well. In the future we could utilize this to have a required setup page on the admin
console, where the admin needs to either upload his own cert or click the auto-generate
cert.
FYI, there is currently a nasty bug in Undertow/Wildfly where the
JSESSIONID cookie's path is set to '/' and thus sessions (well really 1
session) are shared between deployed WARs :( Sort of makes our demo
undemo-able :)
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:39 a.m.
On 11/14/2013 12:35 PM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, 14 November, 2013 5:20:10 PM
> Subject: Re: [keycloak-dev] Don't show KEYCLOAK_APPLICATION and
KEYCLOAK_IDENTITY_REQUESTER externally
>
>
>
> On 11/14/2013 12:02 PM, Stian Thorgersen wrote:
>> Ok - I can sort these out.
>>
>> By the way I've updated the dist to WildFly + made it use persistent H2 by
>> default. Once we've got a release somewhere I can quickly modify my
>> WildFly OpenShift QuickStart to make it easy to get Keycloak up and
>> running on OpenShift. I haven't looked at configuring SSL by default yet
>> though, maybe that's something we can push post-M1?
>>
>
> Might be as easy as running keytool within run.sh if the appropriate
> keystore doesn't exist in the distro. That was my thinking at least.
That's simpler than my pure-java idea ;)
I was going to create the cert from within KeycloakApplicationServer then setup the https
connector at runtime (can be done from a war, but need to find the code for it, had it
somewhere but now it's lost).
My reasoning was that I don't have a Windows machine so couldn't test adding this
to standalone.bat. Whatever you add to standalone.sh needs to be tested with cygwin as
well. In the future we could utilize this to have a required setup page on the admin
console, where the admin needs to either upload his own cert or click the auto-generate
cert.
I work on Windows and can do the Windows part. I miss OSX, but I wanted
a gaming laptop with no Linux headaches, so Windows it is.
Another Wildfly/Undertow bug :( Accessing unprotected areas still
triggers authentication.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4060
days inactive
4060
days old
5 comments
2 participants
participants (2)
-
Bill Burke -
Stian Thorgersen