[keycloak-dev] Removing JaxrsBearerTokenFilter

[Marek Posolda]

For now, we just remove the automated tests and we deprecated jaxrs 
filter. This change will be from Keycloak 5.0.0

We may remove the filter itself in some later Keycloak 6.X, so if you 
want to keep using it, I suggest to fork it into your repository and we 
can then reference it from the extensions page [1] as a an extension 
maintained by community. Please let us know in that case, so there are 
not more people working on a maintenance on this.

[1] https://www.keycloak.org/extensions.html

Thanks!
Marek


On 20/02/2019 14:35, Marek Posolda wrote:
> I wonder if we can remove JaxrsBearerTokenFilter?
>
> Jut to add some context, the JaxrsBearerTokenFilter is the "adapter", 
> which we have in the codebase and which allows to "secure" the JaxRS 
> Application by adding the JaxrsFilter, which implements our OIDC 
> adapter. Bill added this thing in the early days of Keycloak. I 
> enhanced it a bit few years ago as someone wanted to secure the JaxRS 
> application on Fuse. But this was before we had the proper Fuse adapter.
>
> This thing was never documented and we never had any 
> examples/quickstarts for it. We have just few automated tests (in the 
> old testsuite). IMO it is very obsolete now as you can probably always 
> secure your application through some other oficially supported way 
> (HTTP Servlet filter or any of our other built-in adapters).
>
> Does anyone have any reason why we shouldn't remove this?
>
> If not, I wonder if we can remove it directly without "deprecation 
> period"? Considering that this was never documented or announced, it 
> probably can't be treated as a Keycloak feature, but rather an 
> "implementation detail" or "prototype" and hence removing it directly 
> may be fine? In this case, we won't need to migrate the tests from the 
> old testsuite (which is my main motivation for writing this email :)
>
> Marek
>