[keycloak-dev] Allow adapter subsystem to just inject dependencies

Stian Thorgersen sthorger at redhat.com
Wed Sep 28 04:58:08 EDT 2016


Not sure even using "<secure-deployment...>" makes sense at all in this
case.  If there's keycloak.json the subsystem still injects the
dependencies, but doesn't do any configuration. Why can't it just rely on
that?

On 26 September 2016 at 16:39, Marek Posolda <mposolda at redhat.com> wrote:

> I've did some testing with hawtio on EAP 7. It works fine, however there
> is one thing in our subsystem, which may improve integration a bit.
>
> Hawtio doesn't use servlet security ( security-constraints in web.xml )
> but they rely on JAAS, which is needed for JMX calls to be performed on
> behalf of JAAS Subject. Hawtio WAR needs to have access to
> keycloak-adapter classes (as it needs login modules for JAAS), however
> it doesn't need subsystem to configure adapter. This is all handled by
> JAAS login module.
>
> In other words, it will be nice if subsystem can just inject
> dependencies ( KeycloakDependencyProcessor ), but ignore adding
> subsystem configuration ( KeycloakAdapterConfigDeploymentProcessor ).
>
> The workaround I used was to add secure-deployment section to
> standalone.xml with some dummy values, which are mandatory for
> subsystem. It works, but it's really not too pretty IMO. Something like:
>
>              <secure-deployment name="hawtio.war">
>                  <resource>does-not-matter</resource>
> <auth-server-url>does-not-matter</auth-server-url>
>              </secure-deployment>
>
> What will be nice is to have some of those possibilities:
>
> 1) Have subsystem to use some default values like "undefined" instead of
> null . This is more a workaround as subsystem will still process the
> KeycloakAdapterConfigDeploymentProcessor. However it's less work and it
> will improve usability, so this will work just fine:
>
> <secure-deployment name="hawtio.war" />
>
>
> 2) Tell the subsystem to ignore
> KeycloakAdapterConfigDeploymentProcessor. Looks like more work, but
> seems to be more proper solution than (1). I can think of:
>
> 2.a) some flag like:
>
> <secure-deployment name="hawtio.war" ignore-deployment-config="true" />
>
> 2.b) Use different element like "deployment" instead of
> "secure-deployment" . The "deployment" will inject dependencies, but
> won't handle adapter configuration. So something like this will work:
>
> <deployment name="hawtio.war" />
>
>
> WDYT?
> Marek
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160928/a4ed6171/attachment.html 


More information about the keycloak-dev mailing list