[keycloak-dev] isolate picketlink dependency please

Marek Posolda mposolda at redhat.com
Wed Apr 30 11:52:33 EDT 2014


On 30.4.2014 16:14, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Wednesday, 30 April, 2014 2:48:35 PM
>> Subject: Re: [keycloak-dev] isolate picketlink dependency please
>>
>> Primary Keycloak code should not depend on Picketlink.  Picketlink
>> should always be hidden by SPIs.  So, if we need to provide LDAP support
>> on EAP using an older version of Picketlink, then we write a separate
>> maven module using that older version of Picketlink and plug it in.
>>
>> Following me?
> Yep
>
>> Right now, it looks that only the Mongo data model has a PL dependency.
>>    Correct?
> Yes (except authentication/authentication-picketlink of course)
Ok, I did not know that using picketlink is such a big headache. Generally 
speaking, it seems that if your project wants to run on EAP, it's much easier 
to depend on some 3rd party library, which can be bundled directly in 
your WAR, instead of "jboss" projects, which are available as modules in 
EAP...:-(

My idea was that picketlink IDM will be used for LDAP integration and 
leveraged by both "authentication" and "sync" SPIs. So I've also added 
"keycloak-picketlink-api", which adds IdentityManagerProvider interface 
and is itself the SPI module. It's used by authentication-picketlink and 
the plan was to use it also in sync-picketlink.

So IdentityManagerProvider, which has a direct dependency on 
picketlink-idm-api, is itself the SPI module and it's referenced from 
KeycloakApplication: 
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/KeycloakApplication.java#L135 
hence removing picketlink idm JARs is causing NoClassDefFoundErrors now. 
So it seems that I will also need to refactor this, so that there is no 
dependency on picketlink from some SPI modules, but just from "SPI 
implementation" modules. Correct?

Marek
>
>> On 4/30/2014 4:44 AM, Stian Thorgersen wrote:
>>> It may be in the future, if we want to support all/most features on EAP,
>>> but I don't think we do now.
>>>
>>> Bill: wdyt?
>>>
>>> ----- Original Message -----
>>>> From: "Marek Posolda" <mposolda at redhat.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Wednesday, 30 April, 2014 9:30:14 AM
>>>> Subject: Re: [keycloak-dev] isolate picketlink dependency please
>>>>
>>>> Ok, I will remove the dependency from the mongo model, that's an easy
>>>> part though.
>>>>
>>>> So the fact that we actually bundle latest picketlink jars inside
>>>> Keycloak WAR in auth-server.war/WEB-INF/lib/ is not an issue?
>>>>
>>>> Marek
>>>>
>>>> On 30.4.2014 09:43, Stian Thorgersen wrote:
>>>>> AeroGear will use a stripped-down version of Keycloak WAR, without mongo,
>>>>> ldap, social, etc. so this won't be an issue for them, but I agree that
>>>>> we
>>>>> should remove this dependency from the Mongo model though.
>>>>>
>>>>> I don't see a problem with us using the latest version of PicketLink as
>>>>> long as only authentication-picketlink depends on it.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Marek Posolda" <mposolda at redhat.com>
>>>>>> To: keycloak-dev at lists.jboss.org
>>>>>> Sent: Tuesday, 29 April, 2014 10:59:23 PM
>>>>>> Subject: Re: [keycloak-dev] isolate picketlink dependency please
>>>>>>
>>>>>> Mongo model is using just some helper reflection classes from
>>>>>> org.picketlink.common. It should be easy to fork some functionality and
>>>>>> completely remove dependency on org.picketlink.common from mongo model.
>>>>>>
>>>>>> However picketlink is also used for Ldap integration and here it's more
>>>>>> complicated...
>>>>>>
>>>>>> So what exactly is the requirement for picketlink integration? Do I
>>>>>> understand correctly that all picketlink dependencies must be removed
>>>>>> from auth-server.war/WEB-INF/lib/ and added as deps to
>>>>>> auth-server.war/WEB-INF/jboss-deployment-structure.xml instead?
>>>>>>
>>>>>> If I understand correctly, this means that Keycloak must use same
>>>>>> Picketlink version, which is bundled with EAP. Do you know what is our
>>>>>> target EAP version and which version of Picketlink is in it?
>>>>>>
>>>>>> Today I've upgraded Keycloak to newly released Picketlink 2.6.0.CR2,
>>>>>> which contains some nice LDAP improvements and fixes (like support for
>>>>>> RHDS and connection pooling). So it seems that I will need to revert
>>>>>> this and use some older picketlink version bundled in EAP instead:-(
>>>>>>
>>>>>> Marek
>>>>>>
>>>>>> On 29.4.2014 18:15, Bill Burke wrote:
>>>>>>> Mongo model project seems to have picketlink dependencies:
>>>>>>>
>>>>>>> org.picketlink.common
>>>>>>>
>>>>>>> These need to be isolated and removed as a dependency.  Since we may be
>>>>>>> introducing Keycloak into EAP (via Aerogear) we want to be sure we can
>>>>>>> remove any version conflicting picketlink dependencies.  So, anything
>>>>>>> picketlink related has to be behind a pluggable and removable SPI.
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>
>>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
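
The refactoring discussed in this thread (the SPI module free of PicketLink types, with PicketLink referenced only from an "SPI implementation" module) can be sketched as follows. This is an added example, not Keycloak code and not part of the original message; `SpiIsolationSketch`, `DirectoryAuthProvider`, `find` and the provider id `picketlink-ldap` are hypothetical names.

```java
import java.util.Iterator;
import java.util.Optional;
import java.util.ServiceConfigurationError;
import java.util.ServiceLoader;

// Added illustration. Every type name here is hypothetical, not Keycloak's API.
public class SpiIsolationSketch {

    // SPI module: only JDK types appear in the signatures, so core code can
    // load this interface when no org.picketlink class is on the classpath.
    public interface DirectoryAuthProvider {
        String id();
        boolean validate(String username, String password);
    }

    // Implementation module (separate Maven artifact, not shown): the only
    // place that imports org.picketlink.*. It registers its class name in
    // META-INF/services/<binary name of DirectoryAuthProvider>.

    // Core module: discovers providers at runtime. A provider whose libraries
    // are missing or mismatched is skipped rather than breaking startup.
    static Optional<DirectoryAuthProvider> find(String id) {
        Iterator<DirectoryAuthProvider> it =
                ServiceLoader.load(DirectoryAuthProvider.class).iterator();
        while (true) {
            try {
                if (!it.hasNext()) return Optional.empty();
                DirectoryAuthProvider p = it.next();
                if (p.id().equals(id)) return Optional.of(p);
            } catch (ServiceConfigurationError | LinkageError e) {
                System.err.println("skipping unusable provider: " + e);
            }
        }
    }

    public static void main(String[] args) {
        // No implementation JAR is on the classpath in this sketch, so the
        // lookup is empty and the feature is reported as unavailable.
        Optional<DirectoryAuthProvider> ldap = find("picketlink-ldap");
        System.out.println(ldap.isPresent()
                ? "LDAP authentication provider: " + ldap.get().id()
                : "no LDAP provider installed, LDAP authentication disabled");
    }
}
```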