Permalink
Fetching contributors…
Cannot retrieve contributors at this time
112 lines (93 sloc) 4.22 KB
Securing a Classic WAR Application

The needed steps to secure your WAR application are:

  1. In the /WEB-INF/web.xml file, declare the necessary:

    • security constraints in the <security-constraint> element

    • login configuration in the <login-config> element. Make sure that the <auth-method> is KEYCLOAK.

    • security roles in the <security-role> element

      For example:

      <?xml version="1.0" encoding="UTF-8"?>
      <web-app xmlns="http://java.sun.com/xml/ns/javaee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
               version="3.0">
      
          <module-name>customer-portal</module-name>
      
          <welcome-file-list>
              <welcome-file>index.html</welcome-file>
          </welcome-file-list>
      
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>Customers</web-resource-name>
                  <url-pattern>/customers/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>user</role-name>
              </auth-constraint>
          </security-constraint>
      
          <login-config>
              <auth-method>KEYCLOAK</auth-method>
              <realm-name>does-not-matter</realm-name>
          </login-config>
      
          <security-role>
              <role-name>admin</role-name>
          </security-role>
          <security-role>
              <role-name>user</role-name>
          </security-role>
      </web-app>
  2. Within the /WEB-INF/ directory of your WAR, create a new file, keycloak.json. The format of this configuration file is described in the Java Adapters Config section. It is also possible to make this file available externally as described in Configuring the External Adapter.

    For example:

    {
        "realm": "demo",
        "resource": "customer-portal",
        "auth-server-url": "http://localhost:8080/auth",
        "ssl-required" : "external",
        "credentials": {
            "secret": "password"
        }
    }
  3. Contrary to the Fuse 6 adapter, there are no special OSGi imports needed in MANIFEST.MF.

Configuration Resolvers

The keycloak.json adapter configuration file can be stored inside a bundle, which is default behaviour, or in a directory on a filesystem. To specify the actual source of the configuration file, set the keycloak.config.resolver deployment parameter to the desired configuration resolver class. For example, in a classic WAR application, set the keycloak.config.resolver context parameter in web.xml file like this:

<context-param>
    <param-name>keycloak.config.resolver</param-name>
    <param-value>org.keycloak.adapters.osgi.PathBasedKeycloakConfigResolver</param-value>
</context-param>

The following resolvers are available for keycloak.config.resolver:

org.keycloak.adapters.osgi.BundleBasedKeycloakConfigResolver

This is the default resolver. The configuration file is expected inside the OSGi bundle that is being secured. By default, it loads file named WEB-INF/keycloak.json but this file name can be configured via configLocation property.

org.keycloak.adapters.osgi.PathBasedKeycloakConfigResolver

This resolver searches for a file called <your_web_context>-keycloak.json inside a folder that is specified by keycloak.config system property. If keycloak.config is not set, karaf.etc system property is used instead.

For example, if your web application is deployed into context my-portal, then your adapter configuration would be loaded either from the ${keycloak.config}/my-portal-keycloak.json file, or from ${karaf.etc}/my-portal-keycloak.json.

org.keycloak.adapters.osgi.HierarchicalPathBasedKeycloakConfigResolver

This resolver is similar to PathBasedKeycloakConfigResolver above, where for given URI path, configuration locations are checked from most to least specific.

For example, for /my/web-app/context URI, the following configuration locations are searched for existence until the first one exists:

  • ${karaf.etc}/my-web-app-context-keycloak.json

  • ${karaf.etc}/my-web-app-keycloak.json

  • ${karaf.etc}/my-keycloak.json

  • ${karaf.etc}/keycloak.json