users@jax-rs-spec.java.net

[jax-rs-spec users] Re: Another backtracking problem

From: Bill Burke <bburke_at_redhat.com>
Date: Fri, 23 Jan 2015 13:05:49 -0500

Sure. We'd like to change:

/realms/{realm} to just /{realm} to reduce the URL size.


We'd have to have a root resource of:

import javax.ws.rs.Path;

@Path("{realm}")
public class RealmsResource {}

But unfortunately, we also already have more specific root resources, so
RealmsResource would never get matched because there is no backtracking.

On 1/23/2015 11:00 AM, Sergey Beryozkin wrote:
> Can you clarify please ?
>
> Sergey
>
> On 23/01/15 14:40, Bill Burke wrote:
>> Coincidentally, today, my co-lead on a security project asked me if we
>> could shorten the URLs of our REST service endpoints...Unfortunately I
>> can't because of the JAX-RS matching algorithm...
>>
>>
>>
>>
>> -------- Forwarded Message --------
>> Subject: Re: [keycloak-dev] Shortening URLs
>> Date: Fri, 23 Jan 2015 09:36:09 -0500
>> From: Bill Burke <bburke_at_redhat.com>
>> To: keycloak-dev_at_lists.jboss.org
>>
>>
>>
>> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>>> Our URLs are quite long, examples:
>>>
>>> * http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>>> * http://localhost:8080/auth/realms/master/account
>>>
>>> We could remove the 'realms' part and 'protocols' parts couldn't we?
>>>
>>> * http://localhost:8080/auth/master/oidc/login
>>> * http://localhost:8080/auth/master/account
>>>
>>> That would require moving everything under a realm and I guess we'd
>>> need to hard-wire the protocols, but I think that should be fine.
>>>
>>
>> Wouldn't work for multiple reasons.
>>
>> * protocols/* exists to be able to plug in different protocols (oidc,
>> saml, etc.)
>> * Because of the crappy way the JAX-RS dispatch algorithm handles wildcards
>> for both resource classes and resource locators, we need both a "realms"
>> and "protocols" qualifier.
>>
>> It's really funny you bring this up now because I've renewed my argument
>> with the JAX-RS JSR just 2 minutes ago! Synchronicity!
>>
>>
>>> We also need to make sure we can just the root context:
>>>
>>> * http://localhost:8080/master/oidc/login
>>> * http://localhost:8080/master/account
>>>
>>> We can also introduce other mechanisms to select the realm. For
>>> example a server with single realm can just omit it altogether:
>>>
>>> * http://localhost:8080/oidc/login
>>> * http://localhost:8080/account
>>>
>>> And we could allow setting which domains use which realms:
>>>
>>> * http://keycloak-master/oidc/login
>>> * http://keycloak-other/oidc/login
>>>
>>
>> You don't think it's better to have URLs be consistent?
>>
>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
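The matching behaviour the thread describes (one root resource class is selected up front by literal-character count, and the others are never revisited when its methods fail to match) is easier to see in a small model than in a deployed container. The following Python is an added illustration written for this page, not Keycloak's code and not any JAX-RS implementation; it models only the first two sort keys of the JAX-RS 2.0 request matching steps, and `RealmsResource`, `AdminResource` and their methods are hypothetical stand-ins for the "more specific root resources" mentioned above.

```python
import re
from dataclasses import dataclass, field

# Added illustration for this thread: a simplified model of JAX-RS 2.0 request
# matching (spec section 3.7.2). It is not Keycloak code and not any JAX-RS
# implementation; every resource class and method below is hypothetical.

_TEMPLATE = re.compile(r"\{([^}:]+)(?::([^}]+))?\}")


def _normalize(path):
    """Give a @Path value a single leading slash and no trailing slash."""
    path = path.strip("/")
    return "/" + path if path else ""


def template_to_regex(template, suffix):
    """Turn a @Path template into a regex plus the spec's first two sort keys.

    Returns (compiled_regex, literal_char_count, template_group_count).
    suffix is "(/.*)?" for root resources and locators, "(/)?" for methods.
    Custom variable expressions must not contain capturing groups here,
    because the trailing suffix group is looked up by index.
    """
    template = _normalize(template)
    literal = 0
    groups = 0
    pattern = "^"
    pos = 0
    for m in _TEMPLATE.finditer(template):
        lit = template[pos:m.start()]
        literal += len(lit)
        pattern += re.escape(lit)
        pattern += "(" + (m.group(2) or "[^/]+?") + ")"  # default expr [^/]+?
        groups += 1
        pos = m.end()
    lit = template[pos:]
    literal += len(lit)
    pattern += re.escape(lit) + suffix + "$"
    return re.compile(pattern), literal, groups


@dataclass
class Resource:
    name: str
    path: str                                    # @Path on the class
    methods: dict = field(default_factory=dict)  # method @Path -> handler name


def dispatch(resources, request_path):
    """Return 'Class.handler' for a request path, or a 404 string."""
    # Step 1: every root resource whose template matches the start of the
    # path is a candidate; rank by literal characters, then template groups.
    candidates = []
    for res in resources:
        regex, literal, groups = template_to_regex(res.path, "(/.*)?")
        m = regex.match(request_path)
        if m:
            remaining = m.group(regex.groups) or ""  # the "(/.*)?" suffix group
            candidates.append((literal, groups, res, remaining))
    if not candidates:
        return "404: no root resource matched"
    candidates.sort(key=lambda c: (c[0], c[1]), reverse=True)
    _, _, chosen, remaining = candidates[0]
    # Step 2: only the winning class's methods are tried against what is left.
    for sub_path, handler in chosen.methods.items():
        regex, _, _ = template_to_regex(sub_path, "(/)?")
        if regex.match(remaining):
            return f"{chosen.name}.{handler}"
    # No backtracking: a lower-ranked root resource is never revisited.
    return f"404: {chosen.name} matched but has no method for {remaining!r}"


REALM_METHODS = {"account": "account", "protocols/{protocol}/login": "login"}

# The layout proposed in the thread: the realm name directly under the root.
SHORT = [
    Resource("RealmsResource", "{realm}", REALM_METHODS),
    Resource("AdminResource", "admin", {"users": "listUsers"}),  # hypothetical
]

# The layout with the "realms" qualifier that the thread says is needed.
PREFIXED = [
    Resource("RealmsResource", "realms/{realm}", REALM_METHODS),
    Resource("AdminResource", "admin", {"users": "listUsers"}),
]

if __name__ == "__main__":
    for table, name in ((SHORT, "SHORT"), (PREFIXED, "PREFIXED")):
        for path in ("/master/account", "/admin/account", "/admin/users",
                     "/realms/admin/account",
                     "/master/protocols/openid-connect/login"):
            print(f"{name:9} {path:42} -> {dispatch(table, path)}")
```

With the `SHORT` table, `/admin/account` is claimed by `AdminResource` in step 1 because `/admin` has more literal characters than `/{realm}`, and when its methods do not match `/account` the request ends in a 404 rather than falling back to `RealmsResource` with `realm=admin`. The `PREFIXED` table shows why the `realms` qualifier avoids the clash. Shadowed routes of this kind are worth checking with a table-driven test like this before deployment, since a request silently served by a different class than its author assumed is also a different set of authorization checks.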