[keycloak-user] Removing JaxrsBearerTokenFilter

Lukasz Lech l.lech at ringler.ch
Thu Feb 21 08:23:35 EST 2019


I'm one of the users of org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl. It is indeed poorly documented, for example I've found no mention that org.keycloak.adapters.KeycloakConfigResolver must cache org.keycloak.adapters.KeycloakDeployment, which resulted in public keys being downloaded from Keycloak Server with every request to our REST channel... 

If nobody have time and will to document it and fix bugs, what about moving it to separate project instead of deleting it? I haven't seen any alternative for securing jaxrs channels other than writing everything from scratch... Is there any alternative usable project?

Best regards,
Lukasz Lech

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Donnerstag, 21. Februar 2019 10:21
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Removing JaxrsBearerTokenFilter

Keycloak team things about removing JaxrsBearerTokenFilter.

Just to add some context, the JaxrsBearerTokenFilter is the "adapter", which we have in the codebase and which allows to "secure" the JaxRS Application by adding the JaxrsFilter, which implements our OIDC adapter.This filter is not documented and we don't have any examples/quickstarts of it. Hence it is not considered as officially supported Keycloak feature. And you can probably always secure your application through some other officially supported way (HTTP Servlet filter or any of our other built-in adapters).

Anyway, if someone is aware of any reason why to not remove this filter from Keycloak, please let me know, ideally by the Monday Feb 25th.

See some details in keycloak-dev thread "Removing JaxrsBearerTokenFilter" .


keycloak-user mailing list
keycloak-user at lists.jboss.org

More information about the keycloak-user mailing list