<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 28/09/16 10:58, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAJgngAfoi3EfQVchn+341dbOcSrqb24B6xF9vA1j2DMvdzUMUg@mail.gmail.com"
      type="cite">
      <div dir="ltr">Not sure even using "<span style="font-size:12.8px">&lt;secure-deployment...&gt;"
          makes sense at all in this case.  If there's keycloak.json the
          subsystem still injects the dependencies, but doesn't do any
          configuration. Why can't it just rely on that? <br>
        </span></div>
    </blockquote>
    Without "secure-deployment", you also need the KEYCLOAK in
    login-config in web.xml  in addition to keycloak.json. <br>
    <br>
    Anyway, regarding usability, I suspect it's not an option to require
    people to crack inside hawtio.war and change the things in the WAR
    directly? Otherwise they can just add jboss-deployment-structure.xml
    into the hawtio.war and I don't need to care about subsystem at all.<br>
    <br>
    Marek<br>
    <br>
    <br>
    <blockquote
cite="mid:CAJgngAfoi3EfQVchn+341dbOcSrqb24B6xF9vA1j2DMvdzUMUg@mail.gmail.com"
      type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 26 September 2016 at 16:39, Marek
          Posolda <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">I've did
            some testing with hawtio on EAP 7. It works fine, however
            there<br>
            is one thing in our subsystem, which may improve integration
            a bit.<br>
            <br>
            Hawtio doesn't use servlet security ( security-constraints
            in web.xml )<br>
            but they rely on JAAS, which is needed for JMX calls to be
            performed on<br>
            behalf of JAAS Subject. Hawtio WAR needs to have access to<br>
            keycloak-adapter classes (as it needs login modules for
            JAAS), however<br>
            it doesn't need subsystem to configure adapter. This is all
            handled by<br>
            JAAS login module.<br>
            <br>
            In other words, it will be nice if subsystem can just inject<br>
            dependencies ( KeycloakDependencyProcessor ), but ignore
            adding<br>
            subsystem configuration ( KeycloakAdapterConfigDeploymen<wbr>tProcessor
            ).<br>
            <br>
            The workaround I used was to add secure-deployment section
            to<br>
            standalone.xml with some dummy values, which are mandatory
            for<br>
            subsystem. It works, but it's really not too pretty IMO.
            Something like:<br>
            <br>
                         &lt;secure-deployment name="hawtio.war"&gt;<br>
                             &lt;resource&gt;does-not-matter&lt;/<wbr>resource&gt;<br>
            &lt;auth-server-url&gt;does-not-<wbr>matter&lt;/auth-server-url&gt;<br>
                         &lt;/secure-deployment&gt;<br>
            <br>
            What will be nice is to have some of those possibilities:<br>
            <br>
            1) Have subsystem to use some default values like
            "undefined" instead of<br>
            null . This is more a workaround as subsystem will still
            process the<br>
            KeycloakAdapterConfigDeploymen<wbr>tProcessor. However it's
            less work and it<br>
            will improve usability, so this will work just fine:<br>
            <br>
            &lt;secure-deployment name="hawtio.war" /&gt;<br>
            <br>
            <br>
            2) Tell the subsystem to ignore<br>
            KeycloakAdapterConfigDeploymen<wbr>tProcessor. Looks like
            more work, but<br>
            seems to be more proper solution than (1). I can think of:<br>
            <br>
            2.a) some flag like:<br>
            <br>
            &lt;secure-deployment name="hawtio.war"
            ignore-deployment-config="<wbr>true" /&gt;<br>
            <br>
            2.b) Use different element like "deployment" instead of<br>
            "secure-deployment" . The "deployment" will inject
            dependencies, but<br>
            won't handle adapter configuration. So something like this
            will work:<br>
            <br>
            &lt;deployment name="hawtio.war" /&gt;<br>
            <br>
            <br>
            WDYT?<br>
            Marek<br>
            <br>
            <br>
            <br>
            ______________________________<wbr>_________________<br>
            keycloak-dev mailing list<br>
            <a moz-do-not-send="true"
              href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
            <a moz-do-not-send="true"
              href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
              rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-dev</a><br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <p><br>
    </p>
  </body>
</html>