Custom Realm and shiro.ini

Roger Parkinson

Aug 19, 2020, 11:01:10 PM
to Kill Bill users mailing-list
Hi there,

I'm trying to implement a custom realm for Shiro so that I can use KeyCloak as my user store. I've cloned the Okta code and adjusted it. It works under unit test so now I'm up to testing it under KillBill.

First problem is that I've found my changes to shiro.ini have no effect. I added this:


[main]
myRealm = nz.co.billrush.KeyCloakCustomRealm
securityManager.realms = $myRealm 
credentialsMatcher = org.killbill.billing.util.security.shiro.KillbillCredentialsMatcher
myRealm.credentialsMatcher = $credentialsMatcher

I copied my shiro.ini into an extended image using
COPY --chown=tomcat:tomcat target/config/shiro.ini /var/lib/killbill
but it has no effect. It doesn't try loading my custom realm.

So I tried changing the admin password (should have tried that before now :)) and that doesn't change either. I can see the file when I attach to the running docker image and it is my file, it just isn't being used.

While I'm here I should say I'm also copying my jar file to /var/lib/tomcat/lib and, again, it lands there okay. I can't see if it's working yet because of the above problem, but is this the right location?

Thanks
Roger

Roger Parkinson

Aug 20, 2020, 1:28:10 AM
to Kill Bill users mailing-list
In addition to the copy I set KILLBILL_SECURITY_SHIRO_RESOURCE_PATH=file:/var/lib/killbill/shiro.ini
I thought that was the default, but the default is actually classpath:shiro.ini. Anyway, that solved locating the shiro.ini.

But I still have the second question: how do I copy my files into the image so that Tomcat picks them up? I don't want to build the image from scratch because then I have a maintenance headache.
Is there a known trick to doing this?
Thanks
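
Added example (not part of the original posts, and not Kill Bill or Shiro code): the symptom above, where an edited shiro.ini is silently ignored and the previous admin password stays in effect, can be caught with a check like this one. The function names and the wording of the findings are assumptions; the environment variable, its default and the [main] content are the ones quoted in the thread.

```python
import os
import re

ENV_VAR = "KILLBILL_SECURITY_SHIRO_RESOURCE_PATH"
DEFAULT_RESOURCE = "classpath:shiro.ini"  # default reported in the thread

# The [main] section posted in the thread, embedded so the check runs offline.
SAMPLE_INI = """\
[main]
myRealm = nz.co.billrush.KeyCloakCustomRealm
securityManager.realms = $myRealm
credentialsMatcher = org.killbill.billing.util.security.shiro.KillbillCredentialsMatcher
myRealm.credentialsMatcher = $credentialsMatcher
"""

def parse_main(ini_text):
    """Return key -> value for the [main] section of a shiro.ini."""
    section, main = None, {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == "main" and "=" in line:
            key, value = line.split("=", 1)
            main[key.strip()] = value.strip()
    return main

def check_shiro(env, ini_path, ini_text):
    """Return findings; an empty list means ini_path is loaded and its realms resolve."""
    findings = []
    resource = env.get(ENV_VAR, DEFAULT_RESOURCE)
    if resource != "file:" + ini_path:
        findings.append(f"{ENV_VAR} is {resource!r}, so {ini_path} is not loaded")
    main = parse_main(ini_text)
    realms = [r.strip() for r in main.get("securityManager.realms", "").split(",")]
    realms = [r for r in realms if r]
    if not realms:
        findings.append("securityManager.realms is not set in [main]")
    for ref in realms:
        # Each entry must be a $reference to an object defined in [main].
        if not ref.startswith("$") or ref[1:] not in main:
            findings.append(f"realm reference {ref!r} has no definition in [main]")
    return findings

if __name__ == "__main__":
    for finding in check_shiro(os.environ, "/var/lib/killbill/shiro.ini", SAMPLE_INI):
        print("WARN:", finding)
```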

Pierre-Alexandre Meyer

Aug 20, 2020, 10:27:26 AM
to Roger Parkinson, Kill Bill users mailing-list
Hi Roger,

You would need to tweak the image, either by exploding the war manually (put the jar in WEB-INF/lib) and/or by adding a custom Ansible playbook.

Alternatively, if the implementation is lightweight, we could consider adding it into the core (in which case, feel free to open a PR and we can move the discussion over to GitHub).

Cheers,

--
Pierre

a...@caravelo.com

Oct 19, 2021, 9:47:45 AM
to Kill Bill users mailing-list
Hello all,

Sorry for reviving this thread, but I think it is something interesting. I see that now Kill Bill offers integrations with Okta and Auth0, so I'm wondering if there is a specific reason for implementing those integrations as separate, instead of just implementing a plain OpenID Connect one, which would cover all those providers (including Keycloak).

Regards
--
Alessio Gaeta

step...@kill-bill.org

Oct 25, 2021, 1:42:57 PM
to Kill Bill users mailing-list
Thanks for pointing that out. We have not looked in too much detail at OpenID Connect; perhaps this is indeed a good path forward.

Jacob Spizziri

Oct 20, 2022, 1:59:53 PM
to Kill Bill users mailing-list
Hi all,

I'm late to the party too. However, I'm super interested in KillBill but would really need OpenID Connect support before being able to integrate it with our existing stack. Are there any further thoughts on this? Feasibility, architecture, etc? I'm only about 4hrs into reading the KillBill docs so I'm not proficient enough in the arch at this point to make any sort of assessment. In general, I think standardized SSO support would be a great feature to have in KillBill, and OIDC is a great standard to do that with.

Pierre-Alexandre Meyer

Oct 21, 2022, 1:20:14 PM
to Jacob Spizziri, Kill Bill users mailing-list
Hi Jacob,

Agreed, this sounds like a great addition. From an architecture perspective, I can't think of any red flag. We've just never had the time/resources to focus on it (most of our Enterprise users rely on Auth0 or tools like oauth2-proxy/JWT).



--
Pierre

sh...@methodmaker.co.nz

Oct 31, 2022, 4:55:43 AM
to Kill Bill users mailing-list
Hi Pierre,

The Bill Rush team could help with the OIDC SSO Keycloak work if it would help.

Rgs
Shaun

Rogelio Delgado

Dec 20, 2023, 6:02:57 PM
to Kill Bill users mailing-list
Hello to all!

Is there any update or news on this topic? I'm interested in the Keycloak / OpenID Connect support.

Ahmed Elwan

Aug 26, 2025, 3:01:16 PM
to Kill Bill users mailing-list
Hi all,

Any updates about OpenID Connect support?
