jsr370-experts@jax-rs-spec.java.net

Re: Another backtracking problem

From: Marek Potociar <marek.potociar_at_oracle.com>
Date: Wed, 28 Jan 2015 15:44:23 +0100

Hi Bill,

How dynamic are your realms?
Can you e.g. incorporate realm names into the path template as a regexp?
Or can you implement your app to have a single root resource with a single sub-resource locator (that would return the matched sub-resources)?

We have discussed this at length in the past and I do not want us to open the “backtracking” issue again, unless there is some real, major issue with the algorithm.

Cheers,
Marek


> On 23 Jan 2015, at 19:05, Bill Burke <bburke_at_redhat.com> wrote:
>
> Sure. We'd like to change:
>
> /realms/{realm} to just /{realm} to reduce the URL size.
>
>
> We'd have to have a root resource of:
>
> @Path("{realm}")
> public class RealmsResource {}
>
> But unfortunately, we also already have more specific root resources, so RealmsResource would never get matched because there is no backtracking.
>
> On 1/23/2015 11:00 AM, Sergey Beryozkin wrote:
>> Can you clarify please ?
>>
>> Sergey
>>
>> On 23/01/15 14:40, Bill Burke wrote:
>>> Coincidentally, today, my co-lead on a security project asked me if we
>>> could shorten the URLs of our REST service endpoints...Unfortunately I
>>> can't because of the JAX-RS matching algorithm...
>>>
>>>
>>>
>>>
>>> -------- Forwarded Message --------
>>> Subject: Re: [keycloak-dev] Shortening URLs
>>> Date: Fri, 23 Jan 2015 09:36:09 -0500
>>> From: Bill Burke <bburke_at_redhat.com>
>>> To: keycloak-dev_at_lists.jboss.org
>>>
>>>
>>>
>>> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>>>> Our URLs are quite long, examples:
>>>>
>>>> * http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>>>> * http://localhost:8080/auth/realms/master/account
>>>>
>>>> We could remove the 'realms' part and 'protocols' parts couldn't we?
>>>>
>>>> * http://localhost:8080/auth/master/oidc/login
>>>> * http://localhost:8080/auth/master/account
>>>>
>>>> That would require moving everything under a realm and I guess we'd
>>>> need to hard-wire the protocols, but I think that should be fine.
>>>>
>>>
>>> Wouldn't work for multiple reasons.
>>>
>>> * protocols/* exists to be able to plugin different protocols (oidc,
>>> saml, etc.)
>>> * Because of the crappy way the JAX-RS dispatch algorithm handles wildcards
>>> for both resource classes and resource locators we need both a "realms"
>>> and "protocols" qualifier.
>>>
>>> It's really funny you bring this up now because I've renewed my argument
>>> with the JAX-RS JSR just 2 minutes ago! Synchronicity!
>>>
>>>
>>>> We also need to make sure we can just the root context:
>>>>
>>>> * http://localhost:8080/master/oidc/login
>>>> * http://localhost:8080/master/account
>>>>
>>>> We can also introduce other mechanisms to select the realm. For
>>>> example a server with single realm can just omit it altogether:
>>>>
>>>> * http://localhost:8080/oidc/login
>>>> * http://localhost:8080/account
>>>>
>>>> And we could allow setting what domains use what realms:
>>>>
>>>> * http://keycloak-master/oidc/login
>>>> * http://keycloak-other/oidc/login
>>>>
>>>
>>> You don't think it's better to have URLs be consistent?
>>>
>>>
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
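The no-backtracking behaviour Bill describes, as an added example that is not part of this thread: a Python model of steps 1 and 2 of the JAX-RS 2.0 request matching algorithm (spec section 3.7.2), which picks a single root resource class by literal-character count and never returns to the other classes. The resource classes, handler names and paths are hypothetical, chosen to mirror the URLs discussed above.

```python
import re

# Added example with hypothetical resources: models JAX-RS 2.0 spec 3.7.2 steps 1 and 2.
DEFAULT_PARAM_RE = r"([^/]+?)"   # regex JAX-RS substitutes for {name} with no custom regex
PARAM = re.compile(r"\{\s*(\w+)\s*(?::\s*([^}]+))?\}")

def template_to_regex(template, suffix):
    """Regex the spec derives from an @Path template, plus its literal/group/custom-group counts."""
    pattern, literals, groups, custom, pos = "", 0, 0, 0, 0
    for m in PARAM.finditer(template):
        literal = template[pos:m.start()]
        pattern, literals = pattern + re.escape(literal), literals + len(literal)
        if m.group(2):                       # {name: regex} supplied by the developer
            pattern, custom = pattern + "(" + m.group(2).strip() + ")", custom + 1
        else:
            pattern += DEFAULT_PARAM_RE
        groups, pos = groups + 1, m.end()
    pattern += re.escape(template[pos:])
    literals += len(template) - pos
    return re.compile("^" + pattern + suffix + "$"), literals, groups, custom

def dispatch(root_resources, path):
    """Pick ONE root class (step 1), then match only its methods (step 2); None means 404."""
    path = path.lstrip("/")                  # templates are matched relative to the base URI
    ranked = []
    for cls in root_resources:
        rx, lits, groups, custom = template_to_regex(cls, r"(?P<rest>/.*)?")
        ranked.append((-lits, -groups, -custom, cls, rx))
    ranked.sort(key=lambda r: r[:4])         # spec order: literals, groups, custom groups, descending
    for _, _, _, cls, rx in ranked:
        m = rx.match(path)
        if m is None:
            continue
        # Step 1 has chosen this class. From here on only ITS methods are tried:
        # if none matches the remainder the answer is 404, never a return to the other classes.
        remainder = (m.group("rest") or "").lstrip("/")
        for method_template, handler in root_resources[cls].items():
            if template_to_regex(method_template, r"(/)?")[0].match(remainder):
                return handler
        return None
    return None

# Hypothetical Keycloak-like layout after dropping the "realms" qualifier.
ROOTS = {
    "admin": {"": "AdminResource.index", "users": "AdminResource.users"},
    "{realm}": {"": "RealmsResource.index", "account": "RealmsResource.account",
                "protocols/{protocol}/login": "RealmsResource.login"},
}
```

With this layout `/admin/account` is a 404 although `RealmsResource` could serve it for a realm named `admin`: the literal `admin` root wins the ranking and is never abandoned, so any realm whose name collides with a literal root path becomes unreachable.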