users@jax-rs-spec.java.net

[jax-rs-spec users] Re: Another backtracking problem

From: Sergey Beryozkin <sberyozkin_at_talend.com>
Date: Fri, 23 Jan 2015 16:00:46 +0000

Can you clarify, please?

Sergey

On 23/01/15 14:40, Bill Burke wrote:
> Coincidentally, today, my co-lead on a security project asked me if we
> could shorten the URLs of our REST service endpoints... Unfortunately I
> can't because of the JAX-RS matching algorithm...
>
>
>
>
> -------- Forwarded Message --------
> Subject: Re: [keycloak-dev] Shortening URLs
> Date: Fri, 23 Jan 2015 09:36:09 -0500
> From: Bill Burke <bburke_at_redhat.com>
> To: keycloak-dev_at_lists.jboss.org
>
>
>
> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>> Our URLs are quite long, examples:
>>
>> * http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>> * http://localhost:8080/auth/realms/master/account
>>
>> We could remove the 'realms' part and 'protocols' parts couldn't we?
>>
>> * http://localhost:8080/auth/master/oidc/login
>> * http://localhost:8080/auth/master/account
>>
>> That would require moving everything under a realm and I guess we'd
>> need to hard-wire the protocols, but I think that should be fine.
>>
>
> Wouldn't work for multiple reasons.
>
> * protocols/* exists to be able to plugin different protocols (oidc,
> saml, etc.)
> * Because of the crappy way the JAX-RS dispatch algorithm handles wildcards
> for both resource classes and resource locators, we need both a "realms"
> and a "protocols" qualifier.
>
> It's really funny you bring this up now because I renewed my argument
> with the JAX-RS JSR just 2 minutes ago! Synchronicity!
>
>
>> We also need to make sure we can just use the root context:
>>
>> * http://localhost:8080/master/oidc/login
>> * http://localhost:8080/master/account
>>
>> We can also introduce other mechanisms to select the realm. For
>> example a server with single realm can just omit it altogether:
>>
>> * http://localhost:8080/oidc/login
>> * http://localhost:8080/account
>>
>> And we could allow setting which domains use which realms:
>>
>> * http://keycloak-master/oidc/login
>> * http://keycloak-other/oidc/login
>>
>
> You don't think it's better to have URLs be consistent?
>
>