For now, we just removed the automated tests and deprecated the jaxrs
filter. This change will be from Keycloak 5.0.0.
We may remove the filter itself in some later Keycloak 6.X, so if you
want to keep using it, I suggest forking it into your repository and we
can then reference it from the extensions page [1] as an extension
maintained by the community.
[1]
Hello,
The problem with handling security in an external layer is that the Principal will not be
available in the SecurityContext of JAX-RS, and the services registered by JAX-RS don't
have access to this external context, only to the JAX-RS context.
The best solution would probably be to push the project to a separate community-owned
repository. It could be marked as deprecated or not officially supported, but it will
still be possible to find via a search engine, in case someone needs it.
OSGi is a bit of a niche technology because of its hard learning curve and unsatisfactory
documentation, and it will likely be even more niche in the future because of the growth
of containerization, which allows achieving the same goal as OSGi by other means...
Best regards,
Lukasz Lech
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Dienstag, 26. Februar 2019 15:22
To: Lukasz Lech <l.lech(a)ringler.ch>; stian(a)redhat.com
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter
It seems we have 3 options:
1) Keep jaxrs filter adapter in the keycloak codebase and start to officially support it.
In this case, we will need some better docs and maybe quickstart?
2) Deprecate it in the keycloak codebase and remove in next version (Keycloak 6.X
probably?)
3) Remove directly from keycloak codebase
In case (2) or (3), it will be nice if you, Lukasz (or someone else from the
community), will maintain the Jaxrs filter as an extension. In this case, it can be listed
on the extensions page https://www.keycloak.org/extensions.html.
Your use case looks OK, but it seems that we didn't have many other requirements to
maintain a separate adapter for the Jax RS filter. From quickly looking at the osgi-jax-rs-connector
documentation, it seems that the connector still needs to be deployed on top of the servlet
container or Http Servlet filter, which Keycloak has an adapter for, so you can always secure
at that level though. I don't think that we want (1).
My order of preference is 3, 2, 1. Thoughts?
Marek
On 25/02/2019 15:49, Lukasz Lech wrote:
> I’m using the jax-rs connector implementation from the Eclipse team
> (https://github.com/hstaudacher/osgi-jax-rs-connector) and it needs to have validation
> injected in the jax-rs context, and AFAIK this library was the only implementation that
> provided that.
>
> But never mind, I assume I can use current version, if it wasn’t
> maintained anyway…
>
> Best regards,
> Lukasz Lech
>
>
> From: Stian Thorgersen [mailto:sthorger@redhat.com]
> Sent: Montag, 25. Februar 2019 15:33
> To: Lukasz Lech <l.lech(a)ringler.ch>
> Cc: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> Tomcat if you're using Tomcat, WildFly if you're using WildFly, etc..
>
> On Fri, 22 Feb 2019 at 08:26, Lukasz Lech <l.lech@ringler.ch> wrote:
> Hmm which is a proper adapter for JaxRS then? I’ve found only that
> one…
>
>
> From: Stian Thorgersen [mailto:sthorger@redhat.com]
> Sent: Freitag, 22. Februar 2019 07:36
> To: Lukasz Lech <l.lech@ringler.ch>
> Cc: keycloak-user <keycloak-user@lists.jboss.org>
> Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> Why not use one of the proper adapters for the container you are deploying to?
> On Thu, 21 Feb 2019, 14:51 Lukasz Lech, <l.lech@ringler.ch> wrote:
> Hello,
>
> I'm one of the users of org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl. It is
> indeed poorly documented, for example I've found no mention that
> org.keycloak.adapters.KeycloakConfigResolver must cache
> org.keycloak.adapters.KeycloakDeployment, which resulted in public keys being downloaded
> from Keycloak Server with every request to our REST channel...
>
> If nobody has the time and will to document it and fix bugs, what about moving it to
> a separate project instead of deleting it? I haven't seen any alternative for securing
> jaxrs channels other than writing everything from scratch... Is there any alternative
> usable project?
>
> Best regards,
> Lukasz Lech
>
>
> -----Original Message-----
> From: keycloak-user-bounces@lists.jboss.org
> [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Marek Posolda
> Sent: Donnerstag, 21. Februar 2019 10:21
> To: keycloak-user@lists.jboss.org
> Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> The Keycloak team is thinking about removing JaxrsBearerTokenFilter.
>
> Just to add some context, the JaxrsBearerTokenFilter is the "adapter"
> which we have in the codebase and which allows one to "secure" the JaxRS Application
> by adding the JaxrsFilter, which implements our OIDC adapter. This filter is not documented
> and we don't have any examples/quickstarts of it. Hence it is not considered an
> officially supported Keycloak feature. And you can probably always secure your application
> through some other officially supported way (HTTP Servlet filter or any of our other
> built-in adapters).
>
> Anyway, if someone is aware of any reason not to remove this filter from
> Keycloak, please let me know, ideally by Monday, Feb 25th.
>
> See some details in keycloak-dev thread "Removing JaxrsBearerTokenFilter".
>
> Thanks,
> Marek
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
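
The caching requirement raised in the first message of this thread (a KeycloakConfigResolver has to return the same KeycloakDeployment across requests, otherwise the realm public keys are fetched again on every call) can be met with a resolver like the one below. This is an added example, not code from the thread or from the Keycloak project. The class name, the `/keycloak.json` resource path and the `configFor` hook are assumptions, and the `HttpFacade` import assumes the `org.keycloak.adapters.spi` package used by the adapter core of that period.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;

/**
 * Added example (hypothetical class name): builds each KeycloakDeployment once
 * and reuses it, so the key material it holds survives between requests.
 */
public class CachingKeycloakConfigResolver implements KeycloakConfigResolver {

    // Assumption: the adapter config is a classpath resource with this name.
    private static final String DEFAULT_CONFIG = "/keycloak.json";

    // One deployment per config resource, shared by all request threads.
    private final ConcurrentMap<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        // computeIfAbsent runs the loader at most once per key, so the
        // deployment is not rebuilt on every request.
        return cache.computeIfAbsent(configFor(request), this::load);
    }

    // Hypothetical hook: a multi-realm setup would pick the resource from the
    // request here; this example always uses the single default config.
    protected String configFor(HttpFacade.Request request) {
        return DEFAULT_CONFIG;
    }

    private KeycloakDeployment load(String resource) {
        try (InputStream in = getClass().getResourceAsStream(resource)) {
            if (in == null) {
                // Fail closed: without a config no token can be validated.
                throw new IllegalStateException("Keycloak config not found: " + resource);
            }
            return KeycloakDeploymentBuilder.build(in);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
}
```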