Not sure why it's even using SSL then. We should find a way to rip out that
code and use SSL properly. This is very very bad IMO.
On 6 May 2016 at 20:33, Marek Posolda <mposolda(a)redhat.com> wrote:
Seems that SSL and HostnameVerifier disabled is needed just because of
OpenShift. I wonder if we should have a separate version of the quickstarts
for OpenShift. Sent a separate mail about it to Bill DeCoste.
Marek
On 06/05/16 13:13, Stian Thorgersen wrote:
I've actually got more of an issue with the fact that it disables SSL:
    SSLContext sslContext = new SSLContextBuilder().loadTrustMaterial(null,
        new TrustStrategy() {
            public boolean isTrusted(X509Certificate[] arg0, String arg1)
                    throws CertificateException {
                return true;
            }
        }).build();
    b.setSslcontext(sslContext);
    // don't check Hostnames, either.
    //      -- use SSLConnectionSocketFactory.getDefaultHostnameVerifier(),
    //         if you don't want to weaken
    HostnameVerifier hostnameVerifier =
        SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
On 6 May 2016 at 11:24, Marek Posolda <mposolda(a)redhat.com> wrote:
> Right now, we always create a new instance of Apache HTTP Client for each
> request, like in the quickstarts [1] or in the examples [2].
>
> This is an anti-pattern and not very good usage of Apache HTTP Client,
> which is supposed to be an application-scoped object though. I know the
> point is to have examples as easy as possible. However, shouldn't we
> avoid anti-patterns? Otherwise there might be a possible risk that people
> will be inspired and use the same pattern in their production apps :-)
>
> [1] https://github.com/keycloak/keycloak-examples/blob/master/app-jee/src/mai...
> [2] https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...
>
> Marek
>
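
Added example, not part of the original thread and not Keycloak's own code: a sketch of the alternative the thread argues for, assuming Apache HttpClient 4.4 or later. One client is built once and shared, and a deployment with a self-signed certificate supplies a truststore instead of disabling checks. The class name and the two system property names are hypothetical.

```java
import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

/** Application-scoped HTTP client that keeps certificate and hostname checks on. */
public final class SharedHttpClient {

    // Hypothetical system properties; a deployment with a self-signed or
    // private-CA certificate points these at a truststore holding that CA.
    private static final String STORE_PROP = "example.truststore";
    private static final String PASS_PROP = "example.truststore.password";

    // Built once at class load and reused for every request (thread-safe).
    private static final CloseableHttpClient CLIENT = build();

    private SharedHttpClient() { }

    public static CloseableHttpClient get() {
        return CLIENT;
    }

    private static CloseableHttpClient build() {
        try {
            SSLContext sslContext;
            String store = System.getProperty(STORE_PROP);
            if (store == null) {
                // No override: trust the JVM's default CA set.
                sslContext = SSLContexts.createSystemDefault();
            } else {
                // Trust only what is in the named truststore; no TrustStrategy,
                // so normal chain validation still runs against those CAs.
                String pass = System.getProperty(PASS_PROP, "");
                sslContext = SSLContexts.custom()
                        .loadTrustMaterial(new File(store), pass.toCharArray())
                        .build();
            }
            // Default verifier checks the certificate against the host name.
            SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(
                    sslContext, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
            return HttpClients.custom().setSSLSocketFactory(factory).build();
        } catch (Exception e) {
            throw new IllegalStateException("Cannot initialise TLS for HTTP client", e);
        }
    }
}
```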