[keycloak-dev] Allow adapter subsystem to just inject dependencies
Marek Posolda
mposolda at redhat.com
Thu Sep 29 02:18:16 EDT 2016
On 28/09/16 10:58, Stian Thorgersen wrote:
> Not sure even using "<secure-deployment...>" makes sense at all in
> this case. If there's keycloak.json the subsystem still injects the
> dependencies, but doesn't do any configuration. Why can't it just rely
> on that?
Without "secure-deployment", you also need the KEYCLOAK in login-config
in web.xml in addition to keycloak.json.
Anyway, regarding usability, I suspect it's not an option to require
people to crack inside hawtio.war and change the things in the WAR
directly? Otherwise they can just add jboss-deployment-structure.xml
into the hawtio.war and I don't need to care about subsystem at all.
Marek
>
> On 26 September 2016 at 16:39, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
> I've did some testing with hawtio on EAP 7. It works fine, however
> there
> is one thing in our subsystem, which may improve integration a bit.
>
> Hawtio doesn't use servlet security ( security-constraints in
> web.xml )
> but they rely on JAAS, which is needed for JMX calls to be
> performed on
> behalf of JAAS Subject. Hawtio WAR needs to have access to
> keycloak-adapter classes (as it needs login modules for JAAS), however
> it doesn't need subsystem to configure adapter. This is all handled by
> JAAS login module.
>
> In other words, it will be nice if subsystem can just inject
> dependencies ( KeycloakDependencyProcessor ), but ignore adding
> subsystem configuration ( KeycloakAdapterConfigDeploymentProcessor ).
>
> The workaround I used was to add secure-deployment section to
> standalone.xml with some dummy values, which are mandatory for
> subsystem. It works, but it's really not too pretty IMO. Something
> like:
>
> <secure-deployment name="hawtio.war">
> <resource>does-not-matter</resource>
> <auth-server-url>does-not-matter</auth-server-url>
> </secure-deployment>
>
> What will be nice is to have some of those possibilities:
>
> 1) Have subsystem to use some default values like "undefined"
> instead of
> null . This is more a workaround as subsystem will still process the
> KeycloakAdapterConfigDeploymentProcessor. However it's less work
> and it
> will improve usability, so this will work just fine:
>
> <secure-deployment name="hawtio.war" />
>
>
> 2) Tell the subsystem to ignore
> KeycloakAdapterConfigDeploymentProcessor. Looks like more work, but
> seems to be more proper solution than (1). I can think of:
>
> 2.a) some flag like:
>
> <secure-deployment name="hawtio.war"
> ignore-deployment-config="true" />
>
> 2.b) Use different element like "deployment" instead of
> "secure-deployment" . The "deployment" will inject dependencies, but
> won't handle adapter configuration. So something like this will work:
>
> <deployment name="hawtio.war" />
>
>
> WDYT?
> Marek
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160929/e017f86a/attachment.html
More information about the keycloak-dev
mailing list