Fix and document Keycloak integration on Wildfly

hawtio · Feb 2, 2015 · b0d8469 · b0d8469
1 parent a48f8ae
commit b0d8469
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 9 deletions.
diff --git a/docs/Configuration.md b/docs/Configuration.md
@@ -326,7 +326,7 @@ At last enable the jaas module in jetty. This is done by adding the following li
 
 #### Keycloak integration
 
-Hawtio can now be integrated with [Keycloak](http://www.keycloak.org) for SSO authentication. See details [here](https://github.com/mposolda/hawtio/blob/master/sample-keycloak-integration/README.md) . 
+Hawtio can now be integrated with [Keycloak](http://www.keycloak.org) for SSO authentication. See details [here](https://github.com/hawtio/hawtio/blob/master/sample-keycloak-integration/README.md) . 
 
 ## Configuration Properties
 

diff --git a/hawtio-system/src/main/java/io/hawt/web/keycloak/KeycloakServlet.java b/hawtio-system/src/main/java/io/hawt/web/keycloak/KeycloakServlet.java
@@ -31,6 +31,9 @@ public class KeycloakServlet extends HttpServlet {
     public static final String KEYCLOAK_CLIENT_CONFIG = "keycloakClientConfig";
     public static final String KEYCLOAK_ENABLED = "keycloakEnabled";
 
+    public static final String HAWTIO_KEYCLOAK_CLIENT_CONFIG = "hawtio." + KEYCLOAK_CLIENT_CONFIG;
+    public static final String HAWTIO_KEYCLOAK_ENABLED = "hawtio." + KEYCLOAK_ENABLED;
+
     private String keycloakConfig = null;
     private boolean keycloakEnabled;
 
@@ -40,13 +43,22 @@ public void init() throws ServletException {
         ConfigManager config = (ConfigManager) getServletContext().getAttribute("ConfigManager");
 
         String keycloakEnabledCfg = config.get(KEYCLOAK_ENABLED, "false");
+        String keycloakConfigFile = config.get(KEYCLOAK_CLIENT_CONFIG, null);
+
+        // JVM system properties can override always
+        if (System.getProperty(HAWTIO_KEYCLOAK_ENABLED) != null) {
+            keycloakEnabledCfg = System.getProperty(HAWTIO_KEYCLOAK_ENABLED);
+        }
+        if (System.getProperty(HAWTIO_KEYCLOAK_CLIENT_CONFIG) != null) {
+            keycloakConfigFile = System.getProperty(HAWTIO_KEYCLOAK_CLIENT_CONFIG);
+        }
+
         keycloakEnabled = Boolean.parseBoolean(keycloakEnabledCfg);
-        LOG.info("Keycloak is " + (this.keycloakEnabled ? "enabled" : "disabled"));
+        LOG.info("Keycloak integration is " + (this.keycloakEnabled ? "enabled" : "disabled"));
         if (!keycloakEnabled) {
             return;
         }
 
-        String keycloakConfigFile = config.get(KEYCLOAK_CLIENT_CONFIG, null);
         if (keycloakConfigFile == null || keycloakConfigFile.length() == 0) {
             keycloakConfigFile = defaultKeycloakConfigLocation();
         }
@@ -91,6 +103,11 @@ protected String defaultKeycloakConfigLocation() {
             return tomcatHome + "/conf/keycloak.json";
         }
 
+        String jbossHome = System.getProperty("jboss.server.config.dir");
+        if (jbossHome != null) {
+            return jbossHome + "/keycloak.json";
+        }
+
         // Fallback to classpath inside hawtio.war
         return "classpath:keycloak.json";
     }

diff --git a/sample-keycloak-integration/README.md b/sample-keycloak-integration/README.md
@@ -43,7 +43,7 @@ This was tested with JBoss Fuse 6.1.0-redhat379 and Apache Karaf 2.4 . Steps are
 hawtio.keycloakEnabled=true
 hawtio.realm=keycloak
 hawtio.keycloakClientConfig=${karaf.base}/etc/keycloak-hawtio-client.json
-hawtio.rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal
+hawtio.rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal,org.apache.karaf.jaas.boot.principal.RolePrincipal
 ```
 
 * Download and copy [keycloak-hawtio.json](keycloak-hawtio.json) and [keycloak-hawtio-client.json](keycloak-hawtio-client.json) into Fuse. 
@@ -125,7 +125,7 @@ hawtio {
 };
 ```
 
-* Download and copy [keycloak-hawtio.json](keycloak-hawtio.json) and [keycloak-hawtio-client.json](keycloak-hawtio-client.json) into Fuse. 
+* Download and copy [keycloak-hawtio.json](keycloak-hawtio.json) and [keycloak-hawtio-client.json](keycloak-hawtio-client.json) into Jetty. 
   File `keycloak-hawtio.json` is currently used for adapters on server (JAAS Login module) side. File `keycloak-hawtio-client.json` is used on client (Hawt.io JS application) side.
 
 ```
@@ -144,9 +144,68 @@ export $JETTY_HOME=/mydir/jetty-distribution-8.1.16.v20140903
 * Export JAVA_OPTIONS and add all necessary system options similarly like this:
 
 ```
-export JAVA_OPTIONS="-Dhawtio.authenticationEnabled=true -Dhawtio.realm=hawtio -Dhawtio.keycloakEnabled=true 
+export JAVA_OPTIONS="-Dhawtio.authenticationEnabled=true -Dhawtio.realm=hawtio -Dhawtio.keycloakEnabled=true -Dhawtio.roles=admin,viewer -Dhawtio.rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal 
 -Dhawtio.keycloakClientConfig=$JETTY_HOME/etc/keycloak-hawtio-client.json -Dhawtio.keycloakServerConfig=$JETTY_HOME/etc/keycloak-hawtio.json 
 -Djava.security.auth.login.config=$JETTY_HOME/etc/login.conf"
 ```
 
-* Run Jetty and go to [http://localhost:8080/hawtio](http://localhost:8080/hawtio) . Users are again `root` and `john` with access and `mary` without access.
+* Run Jetty and go to [http://localhost:8080/hawtio](http://localhost:8080/hawtio) . Users are again `root` and `john` with access and `mary` without access.
+
+
+Hawtio and Keycloak integration on Tomcat
+-----------------------------------------
+
+Instructions are quite similar to Jetty, you would need to setup JAAS realm and set the system properties. Just use Tomcat adapter instead of the Jetty one.
+Also you may need to add system property `-Dhawtio.authenticationContainerDiscoveryClasses=` (really empty value). This is needed, so that
+Tomcat will use configured JAAS realm with BearerTokenLoginModule instead of `tomcat-users.xml` file, which Hawtio uses on Tomcat by default.
+
+
+Hawtio and Keycloak integration on Wildfly
+------------------------------------------
+
+This is even easier as you can use same WildFly server where Keycloak is already running. No need to have separate server, but you can use separate server if you want. 
+
+So in next steps we will use the existing Keycloak server on localhost:8081 and assume that Hawtio WAR is already deployed on WildFly as 
+described in [http://hawt.io/getstarted/index.html](http://hawt.io/getstarted/index.html) .
+
+* Download and copy [keycloak-hawtio.json](keycloak-hawtio.json) and [keycloak-hawtio-client.json](keycloak-hawtio-client.json) into Wildfly. 
+  File `keycloak-hawtio.json` is currently used for adapters on server (JAAS Login module) side. File `keycloak-hawtio-client.json` is used on client (Hawt.io JS application) side.
+
+```
+cp /downloads/keycloak-hawtio.json $JBOSS_HOME/standalone/configuration/
+cp /downloads/keycloak-hawtio-client.json $JBOSS_HOME/standalone/configuration/
+```
+
+* In `$JBOSS_HOME/standalone/configuration/standalone.xml` configure system properties like this:
+
+```
+<extensions>
+...
+</extensions>
+
+<system-properties>
+    <property name="hawtio.authenticationEnabled" value="true" />
+    <property name="hawtio.realm" value="hawtio" />
+    <property name="hawtio.roles" value="admin,viewer" />
+    <property name="hawtio.rolePrincipalClasses" value="org.keycloak.adapters.jaas.RolePrincipal" />
+    <property name="hawtio.keycloakEnabled" value="true" />
+    <property name="hawtio.keycloakClientConfig" value="${jboss.server.config.dir}/keycloak-hawtio-client.json" />
+    <property name="hawtio.keycloakServerConfig" value="${jboss.server.config.dir}/keycloak-hawtio.json" />
+</system-properties>
+```
+
+Also add hawtio realm to this file to `security-domains` section:
+
+```
+<security-domain name="hawtio" cache-type="default">
+    <authentication>
+        <login-module code="org.keycloak.adapters.jaas.BearerTokenLoginModule" flag="required">
+            <module-option name="keycloak-config-file" value="${hawtio.keycloakServerConfig}"/>
+        </login-module>                        
+    </authentication>
+</security-domain>
+```
+
+* Run WildFly on port 8081 as described in [Prepare Keycloak Server](#prepare-keycloak-server) section and go to [http://localhost:8081/hawtio](http://localhost:8081/hawtio) . 
+Users are again `root` and `john` with access and `mary` without access. 
+
diff --git a/sample-keycloak-integration/demorealm.json b/sample-keycloak-integration/demorealm.json
@@ -85,8 +85,8 @@
             "name" : "hawtio-client",
             "surrogateAuthRequired" : false,
             "enabled" : true,
-            "redirectUris" : [ "http://localhost:8080/hawtio/*", "http://localhost:8181/hawtio/*" ],
-            "webOrigins" : [ "http://localhost:8080", "http://localhost:8181" ],
+            "redirectUris" : [ "http://localhost:8080/hawtio/*", "http://localhost:8181/hawtio/*", "http://localhost:8081/hawtio/*" ],
+            "webOrigins" : [ "http://localhost:8080", "http://localhost:8181", "http://localhost:8081" ],
             "claims" : {
                 "name" : true,
                 "username" : true,