[keycloak-dev] Removing JaxrsBearerTokenFilter

Marek Posolda mposolda at redhat.com
Thu Feb 21 04:27:35 EST 2019

I've just sent it to keycloak-user.

But question is, if keycloak-user mailing list is good place for such 
things? I think most people use keycloak-user mailing list to search for 
solutions to their particular problem or send their particular issue 
with Keycloak. But not sure how much people read this mailing list 
regularly? IMO we should instruct community to monitor to keycloak-dev 
mailing list for general announcements from Keycloak team (EG. release 
announcements, questionnaires, ask for removing/deprecating some 
component) as in keycloak-user informations can be easily lost.


On 20/02/2019 21:25, Stian Thorgersen wrote:
> DId you send this to user mailing list as well? If not you should.
> On Wed, 20 Feb 2019 at 19:45, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>     Thanks for the confirm! Will wait few more days if someone has any
>     reason against removing it. If not, will likely send PR early next
>     week for removing it.
>     Marek
>     On 20/02/2019 15:32, Stian Thorgersen wrote:
>>     +1 To just removing it as long if there's no mention of it in the
>>     docs/examples/quickstarts
>>     On Wed, 20 Feb 2019 at 14:44, Marek Posolda <mposolda at redhat.com
>>     <mailto:mposolda at redhat.com>> wrote:
>>         I wonder if we can remove JaxrsBearerTokenFilter?
>>         Jut to add some context, the JaxrsBearerTokenFilter is the
>>         "adapter",
>>         which we have in the codebase and which allows to "secure"
>>         the JaxRS
>>         Application by adding the JaxrsFilter, which implements our OIDC
>>         adapter. Bill added this thing in the early days of Keycloak.
>>         I enhanced
>>         it a bit few years ago as someone wanted to secure the JaxRS
>>         application
>>         on Fuse. But this was before we had the proper Fuse adapter.
>>         This thing was never documented and we never had any
>>         examples/quickstarts for it. We have just few automated tests
>>         (in the
>>         old testsuite). IMO it is very obsolete now as you can
>>         probably always
>>         secure your application through some other oficially
>>         supported way (HTTP
>>         Servlet filter or any of our other built-in adapters).
>>         Does anyone have any reason why we shouldn't remove this?
>>         If not, I wonder if we can remove it directly without
>>         "deprecation
>>         period"? Considering that this was never documented or
>>         announced, it
>>         probably can't be treated as a Keycloak feature, but rather an
>>         "implementation detail" or "prototype" and hence removing it
>>         directly
>>         may be fine? In this case, we won't need to migrate the tests
>>         from the
>>         old testsuite (which is my main motivation for writing this
>>         email :)
>>         Marek
>>         _______________________________________________
>>         keycloak-dev mailing list
>>         keycloak-dev at lists.jboss.org
>>         <mailto:keycloak-dev at lists.jboss.org>
>>         https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list