[keycloak-dev] Allow adapter subsystem to just inject dependencies

Marek Posolda mposolda at redhat.com
Mon Sep 26 10:39:19 EDT 2016

I've did some testing with hawtio on EAP 7. It works fine, however there 
is one thing in our subsystem, which may improve integration a bit.

Hawtio doesn't use servlet security ( security-constraints in web.xml ) 
but they rely on JAAS, which is needed for JMX calls to be performed on 
behalf of JAAS Subject. Hawtio WAR needs to have access to 
keycloak-adapter classes (as it needs login modules for JAAS), however 
it doesn't need subsystem to configure adapter. This is all handled by 
JAAS login module.

In other words, it will be nice if subsystem can just inject 
dependencies ( KeycloakDependencyProcessor ), but ignore adding 
subsystem configuration ( KeycloakAdapterConfigDeploymentProcessor ).

The workaround I used was to add secure-deployment section to 
standalone.xml with some dummy values, which are mandatory for 
subsystem. It works, but it's really not too pretty IMO. Something like:

             <secure-deployment name="hawtio.war">

What will be nice is to have some of those possibilities:

1) Have subsystem to use some default values like "undefined" instead of 
null . This is more a workaround as subsystem will still process the 
KeycloakAdapterConfigDeploymentProcessor. However it's less work and it 
will improve usability, so this will work just fine:

<secure-deployment name="hawtio.war" />

2) Tell the subsystem to ignore 
KeycloakAdapterConfigDeploymentProcessor. Looks like more work, but 
seems to be more proper solution than (1). I can think of:

2.a) some flag like:

<secure-deployment name="hawtio.war" ignore-deployment-config="true" />

2.b) Use different element like "deployment" instead of 
"secure-deployment" . The "deployment" will inject dependencies, but 
won't handle adapter configuration. So something like this will work:

<deployment name="hawtio.war" />


More information about the keycloak-dev mailing list