[RHPAM-4714] wildfly-elytron as provided #2961
Jenkins run fdb
Jenkins retest this
It seems that https://github.com/kiegroup/droolsjbpm-integration/blob/main/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/ElytronIdentityProvider.java#L33 should also check for existence of SecurityDomain class in classpath.
yes, this is not enough, I guess the test needs to use a real dependency with that class, not directly the shaded wildfly-elytron one. So the fix would be to declare there only the needed dependencies from https://github.com/wildfly-security/wildfly-elytron/blob/1.x/wildfly-elytron/pom.xml The root cause is the use of that wildfly-elytron aggregated and shaded deps jar.
also with this option https://github.com/wildfly-security/wildfly-elytron/blob/1.x/wildfly-elytron/pom.xml#LL171C30-L171C56 it should not be used as a dependency in other project(s) where they are not the leaf/final module see
@mareknovotny @sutaakar I just tried adding
@mareknovotny if we want to switch to this approach I think we just need (from compilation point of view) the following deps:
but I don't know if this could introduce additional issues at runtime
the direction is still not clear as documentation for wildfly-elytron purpose is not anywhere clear to me, and it was created for easier migration from previous security module, but as I filed at that time https://issues.redhat.com/browse/ELY-1971 and it was ignored while the already 2.x and 3.x streams are existing.
cdebdca
to
025ecf0
Compare
looks like tests are fixed now
LGTM
@@ -76,6 +76,7 @@ | |||
<dependency> | |||
<groupId>org.wildfly.security</groupId> | |||
<artifactId>wildfly-elytron</artifactId> | |||
<scope>provided</scope> |
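Review bot: the `<scope>provided</scope>` added to the aggregated `wildfly-elytron` dependency takes the artifact and everything it pulls in out of the packaged archive, and nothing in the hunk says which runtime is expected to supply those classes. Please add a short XML comment next to the scope naming the container that provides Elytron, and confirm that code paths loading Elytron classes either guard the lookup or get the required module bundled on containers that do not ship it.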
This works only for EAP.
For Tomcat and others this approach produces ClassNotFoundException because SecurityDomain is expected to be on classpath according to current implementation - https://github.com/kiegroup/droolsjbpm-integration/blob/main/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/ElytronIdentityProvider.java#L33
So either the code should handle the case if SecurityDomain is not on classpath or wildfly-elytron-auth-server needs to be bundled to war files for all application servers.
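One way to handle the missing-class case raised in the comment above, as an added example that is not code from this PR or from `ElytronIdentityProvider`. The class `OptionalElytronIdentity` and its methods are hypothetical, and the fully qualified name of `SecurityDomain` is assumed from the Elytron auth-server module; reflection is used so the sketch compiles and runs with or without Elytron on the classpath.

```java
import java.security.Principal;
import java.util.Optional;

// Hypothetical helper, not the project's ElytronIdentityProvider.
public final class OptionalElytronIdentity {

    // Assumed fully qualified name of the SecurityDomain class named in the review.
    static final String SECURITY_DOMAIN = "org.wildfly.security.auth.server.SecurityDomain";

    // Probe without initializing the class, so a missing jar is a boolean, not a crash.
    static boolean isOnClasspath(String className, ClassLoader loader) {
        try {
            Class.forName(className, false, loader);
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    // Empty means "no Elytron identity available"; callers must treat that as
    // unauthenticated (fail closed), never as an implicit allow.
    static Optional<String> currentUserName(ClassLoader loader) {
        if (!isOnClasspath(SECURITY_DOMAIN, loader)) {
            return Optional.empty();
        }
        try {
            Class<?> domainClass = Class.forName(SECURITY_DOMAIN, false, loader);
            Object domain = domainClass.getMethod("getCurrent").invoke(null);
            if (domain == null) {
                return Optional.empty(); // no domain bound to this deployment
            }
            Object identity = domainClass.getMethod("getCurrentSecurityIdentity").invoke(domain);
            Principal principal = (Principal) identity.getClass().getMethod("getPrincipal").invoke(identity);
            return Optional.ofNullable(principal).map(Principal::getName);
        } catch (ReflectiveOperationException | RuntimeException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        System.out.println("SecurityDomain present: " + isOnClasspath(SECURITY_DOMAIN, loader));
        System.out.println("Current user: " + currentUserName(loader).orElse("<none>"));
    }
}
```

On a container without Elytron the lookup returns an empty result instead of throwing `ClassNotFoundException`, and the decision about what an absent identity means stays with the caller.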
we could try something like that:
```xml
<dependency>
  <groupId>org.wildfly.security</groupId>
  <artifactId>wildfly-elytron</artifactId>
  <scope>provided</scope>
  <exclusions>
    <exclusion>
      <groupId>org.wildfly.security</groupId>
      <artifactId>wildfly-elytron-auth-server</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>org.wildfly.security</groupId>
  <artifactId>wildfly-elytron-auth-server</artifactId>
</dependency>
```
In this way `wildfly-elytron-auth-server` should be bundled to war files for all application servers, wdyt?
I think we need to differentiate then different AS platforms as it should be anyway better
so to have tomcat and similar deployment profile/tests
I see there is already a `wildfly` profile, we could add `wildfly-elytron-auth-server` only if `wildfly` profile is not enabled - but I don't know exactly the purpose of that profile though
or even add something like that for `tomcat`, which follows the same approach I see in the whole project:
```xml
<profiles>
  <profile>
    <id>tomcat9</id>
    <activation>
      <property>
        <name>container.profile</name>
        <value>tomcat9</value>
      </property>
    </activation>
    <dependencies>
      <dependency>
        <groupId>org.wildfly.security</groupId>
        <artifactId>wildfly-elytron-auth-server</artifactId>
      </dependency>
    </dependencies>
  </profile>
</profiles>
```
that's great, thanks @lampajr !
@MarianMacik @gmunozfe Can you please keep an eye on this PR for this week (I will be on PTO)?
025ecf0
to
8f30016
Compare
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information
looks good to me, outstanding work @lampajr !
* wildfly-elytron as provided * Added wildfly-elytron-auth-server as test dependency * bundle wildfly-elytron-auth-server only for tomcat9 profile
Thank you for submitting this pull request
JIRA:
RHPAM-4714
referenced Pull Requests:
How to replicate CI configuration locally?
Build Chain tool does "simple" maven build(s), the builds are just Maven commands, but because the repositories relate to and depend on each other and any change in API or class method could affect several of those repositories there is a need to use build-chain tool to handle cross repository builds and be sure that we always use latest version of the code for each repository.
build-chain tool is a build tool which can be used on command line locally or in GitHub Actions workflow(s). In case you need to change multiple repositories and send multiple dependent pull requests related with a change you can easily reproduce the same build by executing it on GitHub hosted environment or locally in your development environment. See local execution details to get more information about it.
How to retest this PR or trigger a specific build:
a pull request please add comment: Jenkins retest this
a full downstream build please add comment: Jenkins run fdb
a compile downstream build please add comment: Jenkins run cdb
a full production downstream build please add comment: Jenkins execute product fdb
an upstream build please add comment: Jenkins run upstream
How to backport a pull request to a different branch?
In order to automatically create a backporting pull request please add one or more labels having the following format `backport-<branch-name>`, where `<branch-name>` is the name of the branch where the pull request must be backported to (e.g., `backport-7.67.x` to backport the original PR to the `7.67.x` branch).
Once the original pull request is successfully merged, the automated action will create one backporting pull request per each label (with the previous format) that has been added.
If something goes wrong, the author will be notified and at this point a manual backporting is needed.