From fea49765f0ab4ac059ea58f918d4632474d6cafa Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Wed, 24 Jan 2024 11:17:29 +0100 Subject: [PATCH] Remove Jetty 9.4 adapters (#26261) Only removing the distribution of the Jetty adapter for now, and leaving the rest for now. This is due to the complexity of removing all Jetty adapter code due to Spring, OSGI, Fuse, testsuite, etc. and it will be better to leave the rest of the clean-up to after 24 when we are removing most adapters Closes #26255 
Signed-off-by: stianst --- .../adapters/jetty94-adapter-zip/assembly.xml | 56 ------- .../adapters/jetty94-adapter-zip/keycloak.mod | 28 ---- .../adapters/jetty94-adapter-zip/pom.xml | 68 --------- distribution/adapters/pom.xml | 1 - .../downloads/src/main/resources/files | 2 - .../jetty94-adapter-zip/assembly.xml | 56 ------- .../jetty94-adapter-zip/keycloak.mod | 28 ---- .../saml-adapters/jetty94-adapter-zip/pom.xml | 68 --------- distribution/saml-adapters/pom.xml | 1 - .../release_notes/topics/24_0_0.adoc | 21 +++ .../topics/oidc/java/java-adapters.adoc | 1 - .../topics/oidc/java/jetty9-adapter.adoc | 141 ------------------ .../topics/oidc/java/spring-boot-adapter.adoc | 1 - .../topics/overview/getting-started.adoc | 4 - .../topics/saml/java/java-adapters.adoc | 3 - .../topics/saml/java/jetty-adapter.adoc | 9 -- .../jetty-adapter/jetty9_installation.adoc | 30 ---- .../jetty-adapter/jetty9_per_war_config.adoc | 64 -------- .../topics/overview/features.adoc | 2 +- .../upgrading/topics/keycloak/changes.adoc | 2 +- pom.xml | 6 - 21 files changed, 23 insertions(+), 569 deletions(-) delete mode 100644 distribution/adapters/jetty94-adapter-zip/assembly.xml delete mode 100644 distribution/adapters/jetty94-adapter-zip/keycloak.mod delete mode 100644 distribution/adapters/jetty94-adapter-zip/pom.xml delete mode 100644 distribution/saml-adapters/jetty94-adapter-zip/assembly.xml delete mode 100644 distribution/saml-adapters/jetty94-adapter-zip/keycloak.mod delete mode 100644 distribution/saml-adapters/jetty94-adapter-zip/pom.xml delete mode 100644 docs/documentation/securing_apps/topics/oidc/java/jetty9-adapter.adoc delete mode 100644 docs/documentation/securing_apps/topics/saml/java/jetty-adapter.adoc delete mode 100644 docs/documentation/securing_apps/topics/saml/java/jetty-adapter/jetty9_installation.adoc delete mode 100644 docs/documentation/securing_apps/topics/saml/java/jetty-adapter/jetty9_per_war_config.adoc 
diff --git a/distribution/adapters/jetty94-adapter-zip/assembly.xml b/distribution/adapters/jetty94-adapter-zip/assembly.xml deleted file mode 100644 index bbb90d9830f4..000000000000 --- a/distribution/adapters/jetty94-adapter-zip/assembly.xml +++ /dev/null @@ -1,56 +0,0 @@ - - - - war-dist - - - zip - tar.gz - - false - - - - - - keycloak.mod - - modules - - - ${project.build.directory}/modules - - - - - - false - true - true - - org.keycloak:keycloak-jetty94-adapter - - - org.eclipse.jetty:jetty-server - org.eclipse.jetty:jetty-util - org.eclipse.jetty:jetty-security - - lib/keycloak - - - diff --git a/distribution/adapters/jetty94-adapter-zip/keycloak.mod b/distribution/adapters/jetty94-adapter-zip/keycloak.mod deleted file mode 100644 index 4da630848fde..000000000000 --- a/distribution/adapters/jetty94-adapter-zip/keycloak.mod +++ /dev/null @@ -1,28 +0,0 @@ -# -# Keycloak Jetty Adapter -# - -[depend] -server -security - -[lib] - - -lib/keycloak/*.jar - diff --git a/distribution/adapters/jetty94-adapter-zip/pom.xml b/distribution/adapters/jetty94-adapter-zip/pom.xml deleted file mode 100644 index 7e980c961d95..000000000000 --- a/distribution/adapters/jetty94-adapter-zip/pom.xml +++ /dev/null @@ -1,68 +0,0 @@ - - - - 4.0.0 - - keycloak-parent - org.keycloak - 999.0.0-SNAPSHOT - ../../../pom.xml - - - keycloak-jetty94-adapter-dist - pom - Keycloak Jetty 9.4.x Adapter Distro - - - - - org.keycloak - keycloak-jetty94-adapter - - - - - - maven-assembly-plugin - - - assemble - package - - single - - - - assembly.xml - - - target - - - target/assembly/work - - false - - - - - - - - diff --git a/distribution/adapters/pom.xml b/distribution/adapters/pom.xml index dc45b59bf0b0..2ae54a9b8a74 100755 --- a/distribution/adapters/pom.xml +++ b/distribution/adapters/pom.xml @@ -33,6 +33,5 @@ wildfly-adapter tomcat-adapter-zip - jetty94-adapter-zip 
diff --git a/distribution/downloads/src/main/resources/files b/distribution/downloads/src/main/resources/files index de4a49fac59b..898459da79fc 100644 --- a/distribution/downloads/src/main/resources/files +++ b/distribution/downloads/src/main/resources/files @@ -1,10 +1,8 @@ mvn:keycloak-quarkus-dist:keycloak mvn:keycloak-api-docs-dist:keycloak-api-docs -mvn:keycloak-jetty94-adapter-dist:keycloak-oidc-jetty94-adapter mvn:keycloak-tomcat-adapter-dist:keycloak-oidc-tomcat-adapter -mvn:keycloak-saml-jetty94-adapter-dist:keycloak-saml-jetty94-adapter mvn:keycloak-saml-tomcat-adapter-dist:keycloak-saml-tomcat-adapter mvn:documentation/keycloak-documentation:keycloak-documentation diff --git a/distribution/saml-adapters/jetty94-adapter-zip/assembly.xml b/distribution/saml-adapters/jetty94-adapter-zip/assembly.xml deleted file mode 100644 index 88267704d7da..000000000000 --- a/distribution/saml-adapters/jetty94-adapter-zip/assembly.xml +++ /dev/null @@ -1,56 +0,0 @@ - - - - war-dist - - - zip - tar.gz - - false - - - - - - keycloak.mod - - modules - - - ${project.build.directory}/modules - - - - - - false - true - true - - org.keycloak:keycloak-saml-jetty94-adapter - - - org.eclipse.jetty:jetty-server - org.eclipse.jetty:jetty-util - org.eclipse.jetty:jetty-security - - lib/keycloak - - - diff --git a/distribution/saml-adapters/jetty94-adapter-zip/keycloak.mod b/distribution/saml-adapters/jetty94-adapter-zip/keycloak.mod deleted file mode 100644 index 4da630848fde..000000000000 --- a/distribution/saml-adapters/jetty94-adapter-zip/keycloak.mod +++ /dev/null @@ -1,28 +0,0 @@ -# -# Keycloak Jetty Adapter -# - -[depend] -server -security - -[lib] - - -lib/keycloak/*.jar - diff --git a/distribution/saml-adapters/jetty94-adapter-zip/pom.xml b/distribution/saml-adapters/jetty94-adapter-zip/pom.xml deleted file mode 100644 index 21315a13f1f7..000000000000 --- a/distribution/saml-adapters/jetty94-adapter-zip/pom.xml +++ /dev/null 
@@ -1,68 +0,0 @@ - - - - 4.0.0 - - keycloak-parent - org.keycloak - 999.0.0-SNAPSHOT - ../../../pom.xml - - - keycloak-saml-jetty94-adapter-dist - pom - Keycloak SAML Jetty 9.4.x Adapter Distro - - - - - org.keycloak - keycloak-saml-jetty94-adapter - - - - - - maven-assembly-plugin - - - assemble - package - - single - - - - assembly.xml - - - target - - - target/assembly/work - - false - - - - - - - - diff --git a/distribution/saml-adapters/pom.xml b/distribution/saml-adapters/pom.xml index e357db3f9b4c..14e68e4f3511 100755 --- a/distribution/saml-adapters/pom.xml +++ b/distribution/saml-adapters/pom.xml @@ -32,7 +32,6 @@ wildfly-adapter - jetty94-adapter-zip tomcat-adapter-zip diff --git a/docs/documentation/release_notes/topics/24_0_0.adoc b/docs/documentation/release_notes/topics/24_0_0.adoc index 1eb5706c79f5..9f49648f64ee 100644 --- a/docs/documentation/release_notes/topics/24_0_0.adoc +++ b/docs/documentation/release_notes/topics/24_0_0.adoc 
@@ -1,3 +1,24 @@
+= Java adapter deprecation and removal
+
+Back in 2022 we announced the https://www.keycloak.org/2022/02/adapter-deprecation.html[deprecation of Keycloak adapters in Keycloak 19].
+To give the community more time to adopt this https://www.keycloak.org/2023/03/adapter-deprecation-update.html[was delayed].
+
+With that in mind this will be the last major release of Keycloak to include OpenID Connect and SAML adapters.
+As Jetty 9.x has not been supported since 2022 the Jetty adapter has been removed already in this release.
+
+The generic Authorization Client library will continue to be supported, and aims to be used in combination with any
+other OAuth 2.0 or OpenID Connect libraries.
+
+The only adapter we will continue to deliver is the SAML adapter for latest releases of WildFly and EAP 8.x. Reasoning
+for continuing to support this is down to the fact that the majority of the SAML codebase in Keycloak was a contribution
+from WildFly. As part of this contribution we agreed to maintain SAML adapters for WildFly and EAP in the long run.
+
+== Jetty adapter removed
+
+Jetty 9.4 has not been supported in the community for a long time, and reached end-of-life in 2022. At the same time the
+adapter has not been updated or tested with more recent versions of Jetty. For these reasons the Jetty adapter has been
+removed from this release.
+
 = New Welcome Page
 
 The 'welcome' page that is shown when a user starts Keycloak for the first time, has been redesigned to provide a better setup experience and has been upgraded to the latest version of https://www.patternfly.org/[PatternFly]. The page layout has been simplified and now includes only a form to register the administrative user. After completing the registration, the user is redirected directly to the Administration Console.
diff --git a/docs/documentation/securing_apps/topics/oidc/java/java-adapters.adoc b/docs/documentation/securing_apps/topics/oidc/java/java-adapters.adoc index 5319f4fcca39..6593d0117ce5 100644 --- a/docs/documentation/securing_apps/topics/oidc/java/java-adapters.adoc +++ b/docs/documentation/securing_apps/topics/oidc/java/java-adapters.adoc @@ -21,7 +21,6 @@ include::spring-boot-adapter.adoc[] ifeval::[{project_community}==true] include::tomcat-adapter.adoc[] -include::jetty9-adapter.adoc[] include::spring-security-adapter.adoc[] endif::[] diff --git a/docs/documentation/securing_apps/topics/oidc/java/jetty9-adapter.adoc b/docs/documentation/securing_apps/topics/oidc/java/jetty9-adapter.adoc deleted file mode 100644 index 1b87c618e3e0..000000000000 --- a/docs/documentation/securing_apps/topics/oidc/java/jetty9-adapter.adoc +++ /dev/null 
@@ -1,141 +0,0 @@ - -[[_jetty9_adapter]] -==== Jetty 9.4 adapter - -include::adapter-deprecation-notice.adoc[] - -{project_name} has a separate adapter for Jetty 9.4 that you will have to install into your Jetty installation. -You then have to provide some extra configuration in each WAR you deploy to Jetty. - -[[_jetty9_adapter_installation]] -===== Installing the adapter - -Adapters are no longer included with the appliance or war distribution. Each adapter is a separate download on the {project_name} downloads site. They are also available as a maven artifact. - -.Procedure -. Download the {project_name} Jetty 9.4 adapter ZIP archive from the link:https://www.keycloak.org/downloads[Keycloak Downloads] site. - -. Unzip the Jetty 9.4 distro into Jetty 9.4's link:https://eclipse.dev/jetty/documentation/jetty-9/index.html[base directory]. In the example below, the Jetty base is named `your-base`: -+ -[source, subs="attributes"] ----- -$ cd your-base -$ unzip keycloak-jetty94-adapter-dist-{project_version}.Final.zip ----- - -. Enable the `keycloak` module for your Jetty base: -+ -[source] ----- -$ java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak ----- -+ -==== -[NOTE] -Including the adapter's jars within your WEB-INF/lib directory will not work. -==== - -[[_jetty9_per_war]] -===== Jetty 9 Securing a WAR - -Use this procedure to secure a WAR directly by adding config and editing files within your WAR package. - -.Procedure - -. Create a `WEB-INF/jetty-web.xml` file in your WAR package. This is a Jetty specific config fil. You define a {project_name} specific authenticator within it. -+ -[source] ----- - - - - - - - - - - ----- - -. Create a `keycloak.json` adapter config file within the `WEB-INF` directory of your WAR. -+ -The format of this config file is described in the <<_java_adapter_config,Java adapter configuration>> section. -+ -WARNING: The Jetty 9.4 adapter will not be able to find the `keycloak.json` file. 
-You will have to define all adapter settings within the `jetty-web.xml` file as described below. -Instead of using keycloak.json, you can define everything within the `jetty-web.xml`. -You'll just have to figure out how the json settings match to the `org.keycloak.representations.adapters.config.AdapterConfig` class. -+ -[source,subs="attributes+"] ----- - - - - - - - - - tomcat - customer-portal - http://localhost:8081{kc_base_path} - external - - - - secret - password - - - - - - - - - ----- - - -. Create the jetty-web.xml file in your webapps directory with the name of yourwar.xml. -Jetty should pick it up. You do not need to open your WAR to secure it with {project_name}. -In this mode, you declare keycloak.json configuration directly within the xml file. - -. Specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs. Here's an example: -+ -[source,xml] ----- - - - customer-portal - - - - Customers - /* - - - user - - - CONFIDENTIAL - - - - - BASIC - this is ignored currently - - - - admin - - - user - - ----- diff --git a/docs/documentation/securing_apps/topics/oidc/java/spring-boot-adapter.adoc b/docs/documentation/securing_apps/topics/oidc/java/spring-boot-adapter.adoc index fa08e852e11a..a2303ad00d67 100644 --- a/docs/documentation/securing_apps/topics/oidc/java/spring-boot-adapter.adoc +++ b/docs/documentation/securing_apps/topics/oidc/java/spring-boot-adapter.adoc @@ -55,7 +55,6 @@ Currently the following embedded containers are supported and do not require any * Tomcat * Undertow -* Jetty [[_spring_boot_adapter_configuration]] ===== Configuring the Spring Boot Adapter diff --git a/docs/documentation/securing_apps/topics/overview/getting-started.adoc b/docs/documentation/securing_apps/topics/overview/getting-started.adoc index 78ae117a7455..227427bcdee3 100644 --- a/docs/documentation/securing_apps/topics/overview/getting-started.adoc 
+++ b/docs/documentation/securing_apps/topics/overview/getting-started.adoc @@ -15,7 +15,6 @@ ifeval::[{project_community}==true] * {quickstartRepo_link}/tree/latest/spring/rest-authz-resource-server[Spring Boot] * <<_jboss_adapter, {project_name} Wildfly Adapter>> (Deprecated) * <<_tomcat_adapter,{project_name} Tomcat Adapter>> (Deprecated) -* <<_jetty9_adapter,{project_name} Jetty 9>> (Deprecated) * <<_servlet_filter_adapter,{project_name} Servlet Filter>> (Deprecated) * <<_spring_boot_adapter,{project_name} Spring Boot>> (Deprecated) * <<_spring_security_adapter,{project_name} Spring Security>> (Deprecated) @@ -55,9 +54,6 @@ ifeval::[{project_community}==true] * <<_saml-tomcat-adapter,Tomcat>> endif::[] * <<_java-servlet-filter-adapter,Servlet filter>> -ifeval::[{project_community}==true] -* <<_jetty_saml_adapter,Jetty>> -endif::[] ===== Apache HTTP Server diff --git a/docs/documentation/securing_apps/topics/saml/java/java-adapters.adoc b/docs/documentation/securing_apps/topics/saml/java/java-adapters.adoc index 63de0ad1c09f..fdd9ba5e94e1 100644 --- a/docs/documentation/securing_apps/topics/saml/java/java-adapters.adoc +++ b/docs/documentation/securing_apps/topics/saml/java/java-adapters.adoc @@ -27,9 +27,6 @@ include::tomcat-adapter.adoc[] include::tomcat-adapter/tomcat_adapter_installation.adoc[] include::tomcat-adapter/tomcat_adapter_per_war_config.adoc[] include::tomcat-adapter/tomcat-adapter-samesite-setting.adoc[] -include::jetty-adapter.adoc[] -include::jetty-adapter/jetty9_installation.adoc[] -include::jetty-adapter/jetty9_per_war_config.adoc[] endif::[] include::servlet-filter-adapter.adoc[] diff --git a/docs/documentation/securing_apps/topics/saml/java/jetty-adapter.adoc b/docs/documentation/securing_apps/topics/saml/java/jetty-adapter.adoc deleted file mode 100644 index 63a0eff26cc4..000000000000 --- a/docs/documentation/securing_apps/topics/saml/java/jetty-adapter.adoc +++ /dev/null 
@@ -1,9 +0,0 @@ -[[_jetty_saml_adapter]] - -==== Jetty SAML adapters - -WARNING: The {project_name} Jetty SAML adapter is deprecated. We recommend that you use another client adapter if possible. - -To be able to secure WAR apps deployed on Jetty you must install the {project_name} Jetty 9.4 SAML adapter into your Jetty installation. You then provide some extra configuration in each WAR you deploy to Jetty. - -Use the following installation and configuration procedures. diff --git a/docs/documentation/securing_apps/topics/saml/java/jetty-adapter/jetty9_installation.adoc b/docs/documentation/securing_apps/topics/saml/java/jetty-adapter/jetty9_installation.adoc deleted file mode 100644 index d3f898ba399d..000000000000 --- a/docs/documentation/securing_apps/topics/saml/java/jetty-adapter/jetty9_installation.adoc +++ /dev/null @@ -1,30 +0,0 @@ -[[_jetty9_saml_adapter_installation]] - -===== Jetty 9 Installing the adapter - -{project_name} has a separate SAML adapter for Jetty 9.4. Adapters are no longer included with the appliance or war distribution. Each adapter is a separate download on the Keycloak download site. -They are also available as a maven artifact. - -.Procedure -. Download the {project_name} Jetty 9.4 adapter ZIP archive from the link:https://www.keycloak.org/downloads[Keycloak Downloads] site. - -. Unzip the Jetty 9.4 distro into Jetty 9.4's root directory. -+ -==== -[NOTE] -Including adapter's jars within your WEB-INF/lib directory will not work. -==== -+ -[source] ----- -$ cd $JETTY_HOME -$ unzip keycloak-saml-jetty94-adapter-dist.zip ----- - -. Enable the keycloak module for your jetty.base. -+ -[source] ----- -$ cd your-base -$ java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak ----- diff --git a/docs/documentation/securing_apps/topics/saml/java/jetty-adapter/jetty9_per_war_config.adoc b/docs/documentation/securing_apps/topics/saml/java/jetty-adapter/jetty9_per_war_config.adoc deleted file mode 100644 index 2343749c91de..000000000000 
--- a/docs/documentation/securing_apps/topics/saml/java/jetty-adapter/jetty9_per_war_config.adoc +++ /dev/null @@ -1,64 +0,0 @@ - -[[_saml-jetty9-per-war]] -===== Jetty 9 WAR Configuration - -Use this procedure to secure a WAR directly. - -.Procedure -. Create a `WEB-INF/jetty-web.xml` file in your WAR package. -This is a Jetty specific config file and you must define a Keycloak specific authenticator within it. -+ -[source,xml] ----- - - - - - - - - - - ----- - -. Create a `keycloak-saml.xml` adapter config file within the `WEB-INF` directory of your WAR. -The format of this config file is described in the <<_saml-general-config,General Adapter Config>> section. - -. Specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs. Here's an example: -+ -[source,xml] ----- - - - customer-portal - - - - Customers - /* - - - user - - - CONFIDENTIAL - - - - - BASIC - this is ignored currently - - - - admin - - - user - - ----- diff --git a/docs/documentation/server_admin/topics/overview/features.adoc b/docs/documentation/server_admin/topics/overview/features.adoc index f9304b7a00cd..c87ac6b7503a 100644 --- a/docs/documentation/server_admin/topics/overview/features.adoc +++ b/docs/documentation/server_admin/topics/overview/features.adoc @@ -23,7 +23,7 @@ ifeval::[{project_community}==true] * Service Provider Interfaces (SPI) - A number of SPIs to enable customizing various aspects of the server. Authentication flows, user federation providers, protocol mappers and many more. -* Client adapters for JavaScript applications, WildFly, JBoss EAP, Tomcat, Jetty, Spring, etc. +* Client adapters for JavaScript applications, WildFly, JBoss EAP, Tomcat, Spring, etc. endif::[] ifeval::[{project_product}==true] * Client adapters for JavaScript applications, JBoss EAP, etc. 
diff --git a/docs/documentation/upgrading/topics/keycloak/changes.adoc b/docs/documentation/upgrading/topics/keycloak/changes.adoc index 1c95495291c0..1f299f46a67e 100644 --- a/docs/documentation/upgrading/topics/keycloak/changes.adoc +++ b/docs/documentation/upgrading/topics/keycloak/changes.adoc @@ -910,7 +910,7 @@ Same goes with mongo and Infinispan under modules keycloak-model-mongo and keycl ==== For adapters, session id changed after login -To plug a security attack vector, for platforms that support it (Tomcat 8, Undertow/WildFly, Jetty 9), the Keycloak OIDC and SAML adapters will change the session id after login. +To plug a security attack vector, for platforms that support it (Tomcat 8, Undertow/WildFly), the Keycloak OIDC and SAML adapters will change the session id after login. You can turn off this behavior check adapter config switches. ==== SAML SP Client adapter changes diff --git a/pom.xml b/pom.xml index cec66e60840c..54baa13cfc79 100644 --- a/pom.xml +++ b/pom.xml @@ -1461,12 +1461,6 @@ ${project.version} zip - - org.keycloak - keycloak-jetty94-adapter-dist - ${project.version} - zip - org.keycloak keycloak-as7-adapter-dist