[RHPAM-4714] wildfly-elytron as provided #2961
Conversation
|
Jenkins run fdb |
|
Jenkins retest this |
|
It seems that https://github.com/kiegroup/droolsjbpm-integration/blob/main/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/ElytronIdentityProvider.java#L33 should also check for existence of SecurityDomain class in classpath. |
|
yes, this is not enough, i guess the test need to use real dependency with that class not directly shaded wildfly-elytron one. So the fix would be to declare there only needed dependencies from https://github.com/wildfly-security/wildfly-elytron/blob/1.x/wildfly-elytron/pom.xml The root cause is to use that wildfly-elytron agregated and shaded deps jar. |
|
also with this option https://github.com/wildfly-security/wildfly-elytron/blob/1.x/wildfly-elytron/pom.xml#LL171C30-L171C56 it should not be used as a dependency in other project(s) where they are not the leaf/final module see |
|
@mareknovotny @sutaakar I just tried adding
@mareknovotny if we want to switch to this approach I think we just need (from compilation point of view) the following deps:
but I don't know if this could introduce additional issues at runtime |
|
the direction is still not clear as documentation for wildfly-elytron purpose is not anywhere clear to me, and it was created for easier migration from previous security module, but as i filed at that time https://issues.redhat.com/browse/ELY-1971 and it was ignored while the already 2.x and 3.x streams are existing. |
lampajr
force-pushed
the
wildfly_elytron_provided
branch
2 times, most recently
from
cdebdca
to
025ecf0
Compare
|
looks like tests are fixed now |
mareknovotny
changed the title
| @@ -76,6 +76,7 @@ | |||
| <dependency> | |||
| <groupId>org.wildfly.security</groupId> | |||
| <artifactId>wildfly-elytron</artifactId> | |||
| <scope>provided</scope> | |||
There was a problem hiding this comment.
This works only for EAP.
For Tomcat and others this approach produce ClassNotFoundException because SecurityDomain is expected to be on classpath according to current implementation - https://github.com/kiegroup/droolsjbpm-integration/blob/main/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/ElytronIdentityProvider.java#L33
So either the code should handle the case if SecurityDomain is not on classpath or wildfly-elytron-auth-server needs to be bundled to war files for all application servers.
There was a problem hiding this comment.
we could try something like that:
<dependency>
<groupId>org.wildfly.security</groupId>
<artifactId>wildfly-elytron</artifactId>
<scope>provided</scope>
<exclusions>
<exclusion>
<groupId>org.wildfly.security</groupId>
<artifactId>wildfly-elytron-auth-server</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.wildfly.security</groupId>
<artifactId>wildfly-elytron-auth-server</artifactId>
</dependency>
In this way wildfly-elytron-auth-server should be bundled to war files for all application servers, wdyt?
There was a problem hiding this comment.
i think we need to differentiate then different AS platforms as it should be anyway better
so to have tomcat and similar deployment profile/tests
There was a problem hiding this comment.
I see there is already a wildfly profile, we could add wildfly-elytron-auth-server only if wildfly profile is not enabled - but I don't know exactly the purpose of that profile though
There was a problem hiding this comment.
or even add something like that for tomcat, which follows the same approach I see in the whole project:
<profiles>
<profile>
<id>tomcat9</id>
<activation>
<property>
<name>container.profile</name>
<value>tomcat9</value>
</property>
</activation>
<dependencies>
<dependency>
<groupId>org.wildfly.security</groupId>
<artifactId>wildfly-elytron-auth-server</artifactId>
</dependency>
</dependencies>
</profile>
</profiles>
There was a problem hiding this comment.
that's great, thanks @lampajr !
|
@MarianMacik @gmunozfe Can you please keep an eye on this PR for this week (I will be on PTO)? |
lampajr
force-pushed
the
wildfly_elytron_provided
branch
from
025ecf0
to
8f30016
Compare
|
Kudos, SonarCloud Quality Gate passed!
|
mareknovotny
added
backport-7.67.x
* wildfly-elytron as provided * Added wildfly-elytron-auth-server as test dependency * bundle wildfly-elytron-auth-server only for tomcat9 profile
* wildfly-elytron as provided * Added wildfly-elytron-auth-server as test dependency * bundle wildfly-elytron-auth-server only for tomcat9 profile
Thank you for submitting this pull request
JIRA:
RHPAM-4714
referenced Pull Requests:
How to replicate CI configuration locally?
Build Chain tool does "simple" maven build(s), the builds are just Maven commands, but because the repositories relates and depends on each other and any change in API or class method could affect several of those repositories there is a need to use build-chain tool to handle cross repository builds and be sure that we always use latest version of the code for each repository.
build-chain tool is a build tool which can be used on command line locally or in Github Actions workflow(s), in case you need to change multiple repositories and send multiple dependent pull requests related with a change you can easily reproduce the same build by executing it on Github hosted environment or locally in your development environment. See local execution details to get more information about it.
How to retest this PR or trigger a specific build:
a pull request please add comment: Jenkins retest this
a full downstream build please add comment: Jenkins run fdb
a compile downstream build please add comment: Jenkins run cdb
a full production downstream build please add comment: Jenkins execute product fdb
an upstream build please add comment: Jenkins run upstream
How to backport a pull request to a different branch?
In order to automatically create a backporting pull request please add one or more labels having the following format
backport-<branch-name>, where<branch-name>is the name of the branch where the pull request must be backported to (e.g.,backport-7.67.xto backport the original PR to the7.67.xbranch).Once the original pull request is successfully merged, the automated action will create one backporting pull request per each label (with the previous format) that has been added.
If something goes wrong, the author will be notified and at this point a manual backporting is needed.