[keycloak-dev] User apps and HttpClient
Stan Silvert
ssilvert at redhat.com
Fri May 22 07:00:11 EDT 2015
On 5/22/2015 3:50 AM, Marko Strukelj wrote:
> I like Stian's solution much better ... it's much simpler :)
Yea, to extend the medical metaphor, it's like the guy who goes in to
see the doctor. He raises his arm in a funny way and says, "Hey doc, it
hurts when I do this." Doctor says, "Don't do that."
>
> @Stian: Is there some docs where I can get a better understanding of
> what's an API that is exposed to client, and what is implementation
> details never to be used by client apps ...
>
> Ideally that would be easy to establish based on package names - e.g.
> anything not in org.keycloak.something.impl might be an API, or
> nothing but what's in org.keycloak.something.api might be an API ...
> Or maybe we have one single module that's client API?
>
>
> ------------------------------------------------------------------------
>
> On 5/21/2015 4:56 PM, Marko Strukelj wrote:
>
> We package examples with jboss-deployment-structure.xml that looks like this:
>
>
> <jboss-deployment-structure>
> <deployment>
> <dependencies>
> <module name="org.apache.httpcomponents"/>
> </dependencies>
> </deployment>
> </jboss-deployment-structure>
>
>
> If we drop a .war containing this into Wildfly 9 (distribution/server-dist - ATM distribution/demo-dist, and distribution/adapters/wildfly-adapter-zip look buggy as they still use slot=4.3), things are fine.
>
> However, if we dropped this into Wildfly 8 with keycloak adapter modules using org.apache.httpcomponents slot=4.3, we get a java.lang.LinkageError as soon as some Keycloak logic is triggered by user app.
>
> The question: how come jboss modules isolation doesn’t kick in and allow keycloak adapter modules to use slot=4.3 while at the same time user app (our examples) uses slot=main?
>
> The answer is that org.keycloak.adapters.HttpClientBuilder which seems to be our helper class for org.apache.httpcomponents inevitably leaks the version of HttpClient its module refers to - can’t be any other way (unless we change the code to use client app’s classloader - opening a can of worms). Any user app using HttpClientBuilder.build() method receives an instance of HttpClient loaded through org.keycloak.keycloak-adapter-core module, and transitively through org.apache.httpcomponents referred to therein.
>
> Any attempt of an application (.war) to package its own httpcomponents jars, or to refer to a different jboss module than the exact one referred to by org.keycloak.keycloak-adapter-core will result in ‘catastrophic failure’. Example:
>
>
> HttpClient client = new HttpClientBuilder().disableTrustManager().build();
>
>
> HttpClient on the left is loaded by app’s classloader. The one returned by build() on the right is loaded by org.keycloak.keycloak-adapter-core module’s version of httpcomponents. If it’s not the same classloader (jboss module) on both sides loading HttpClient you get a LinkageError.
>
>
> In light of this I wonder if it wasn’t the best solution to reexport org.apache.httpcomponents to .wars by default, thereby removing the necessity to package jboss-deployment-structure.xml at all, and ensuring that user application always uses the proper module.
>
> Currently jboss-deployment-structure.xml is required for wildfly / as7, and is a nuisance, especially as it has to be different (refer to slot=4.3) for Wildfly 8.
>
> If using HttpClientBuilder is supposed to be completely optional, we could maybe add configuration to keycloak subsystem to control exposing it to all or specific secure deployments.
>
> We could simply add another common attribute that can be used in <realm> and <secure-deployment>. We could expose it by default and have something like:
>
> <expose-httpcomponents>false</expose-httpcomponents>
>
> to inhibit exposing it if a situation calls for it.
>
>
> WDYT?
>
> What do I think? I think that classloading questions always make
> my head hurt!
>
> The best solution would be to find a way to detect the problem and
> fix it at deploy time. Using a DependencyProcessor, it should be
> possible to detect that the deployment contains the same module
> from two different slots. Then pick the best slot and spit out a
> warning message that you are removing the undesirable module.
>
> It should be possible, but I don't know if it actually IS
> possible. A version mismatch between modules is like a cancer. I
> think you should speak to an oncologist or David Lloyd. Since Red
> Hat doesn't employ any oncologists, go with David. :-)
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20150522/37843785/attachment.html
More information about the keycloak-dev
mailing list