[keycloak-dev] Keycloak in Tomcat server
Adam Young
ayoung at redhat.com
Mon Nov 30 20:56:23 EST 2015
On 11/30/2015 05:24 PM, Bill Burke wrote:
> Infinispan (caching), JPA, datasources, servlet, JAX-RS. Wildfly/JBoss
> is also set to run out of the box in a cluster and manageable in a domain
> (a cluster) out of the box. Not to mention all the classloader
> isolation you DO NOT get with Tomcat. Finally all the built in patch
> management that comes with Wildfly/JBoss. Then there's developers that
> will want to deploy integration/extension plugins. We can also leverage
> Wildfly's deployment engine for that too.
>
> Running Keycloak Auth Server in Tomcat/Jetty would actually not be a
> very smart thing to do. There are huge advantages to running within
> Wildfly/JBoss. The only disadvantage is the size of the distro. There
> is no performance penalty.

In order to deploy Keycloak as a partner to FreeIPA, it needs to be
managed in the same manner as FreeIPA.
They are two different deployment strategies, with different management
tooling around each. Dogtag is an example of a Tomcat-only based
deployment that is managed via RPMs, with a specially hardened Tomcat
container that is necessary to pass Common Criteria and FIPS 140
certifications; making those changes to JBoss would be awesome, but
perhaps far more of an engineering effort than any of us care to make.
I am personally a fan of JBoss-based deployments, but a Tomcat-only one is
more practical from a Fedora and CentOS starting point.
We see this same issue come up with all of the language specific package
and patch managers. We can't deploy Python code from PIP, Ruby via
Gems, or Perl from CPAN; they all get packaged first. The extra work
ensures that nothing binary-only sneaks in, that all licenses get
reviewed, and that someone from outside the team reviews the packaging
to ensure it meets distribution standards.
>
> We have looked into trimming the Wildfly distro, but nixed that because
> it puts a huge burden on productization. It's just much easier for them
> if we just layer on top of the full app server.