Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
111 lines (93 sloc) 4.22 KB
Securing a Classic WAR Application

The needed steps to secure your WAR application are:

  1. In the /WEB-INF/web.xml file, declare the necessary:

    • security constraints in the <security-constraint> element

    • login configuration in the <login-config> element. Make sure that the <auth-method> is KEYCLOAK.

    • security roles in the <security-role> element

      For example:

      <?xml version="1.0" encoding="UTF-8"?>
      <web-app xmlns=""
  2. Within the /WEB-INF/ directory of your WAR, create a new file, keycloak.json. The format of this configuration file is described in the Java Adapters Config section. It is also possible to make this file available externally as described in Configuring the External Adapter.

    For example:

        "realm": "demo",
        "resource": "customer-portal",
        "auth-server-url": "http://localhost:8080/auth",
        "ssl-required" : "external",
        "credentials": {
            "secret": "password"
  3. Contrary to the Fuse 6 adapter, there are no special OSGi imports needed in MANIFEST.MF.

Configuration Resolvers

The keycloak.json adapter configuration file can be stored inside a bundle, which is default behaviour, or in a directory on a filesystem. To specify the actual source of the configuration file, set the keycloak.config.resolver deployment parameter to the desired configuration resolver class. For example, in a classic WAR application, set the keycloak.config.resolver context parameter in web.xml file like this:


The following resolvers are available for keycloak.config.resolver:


This is the default resolver. The configuration file is expected inside the OSGi bundle that is being secured. By default, it loads file named WEB-INF/keycloak.json but this file name can be configured via configLocation property.


This resolver searches for a file called <your_web_context>-keycloak.json inside a folder that is specified by keycloak.config system property. If keycloak.config is not set, karaf.etc system property is used instead.

For example, if your web application is deployed into context my-portal, then your adapter configuration would be loaded either from the ${keycloak.config}/my-portal-keycloak.json file, or from ${karaf.etc}/my-portal-keycloak.json.


This resolver is similar to PathBasedKeycloakConfigResolver above, where for given URI path, configuration locations are checked from most to least specific.

For example, for /my/web-app/context URI, the following configuration locations are searched for existence until the first one exists:

  • ${karaf.etc}/my-web-app-context-keycloak.json

  • ${karaf.etc}/my-web-app-keycloak.json

  • ${karaf.etc}/my-keycloak.json

  • ${karaf.etc}/keycloak.json