2016-04-18 19:10:32 +00:00
2019-01-21 17:01:40 +00:00
[[_tomcat_adapter]]
==== Tomcat 7, 8, and 9 adapters
To secure WAR applications deployed on Tomcat 7, 8, and 9, install the Keycloak Tomcat 7 adapter or the Keycloak Tomcat adapter into your Tomcat installation. You then perform extra configuration to secure each WAR you deploy to Tomcat.
[[_tomcat_adapter_installation]]
===== Installing the adapter
Adapters are no longer included with the appliance or WAR distribution.
Each adapter is a separate download on the Keycloak Downloads site.
They are also available as a Maven artifact.
.Procedure
. Download the adapter for the Tomcat version on your system from the link:https://www.keycloak.org/downloads[Keycloak Downloads] site.
* Install on Tomcat 7:
+
[source]
----
$ cd $TOMCAT_HOME/lib
$ unzip keycloak-tomcat7-adapter-dist.zip
----
* Install on Tomcat 8 or 9:
+
[source]
----
$ cd $TOMCAT_HOME/lib
$ unzip keycloak-tomcat-adapter-dist.zip
----
[NOTE]
====
Including the adapter's jars within your `WEB-INF/lib` directory will not work. The Keycloak adapter is implemented as a Valve and valve code must reside in Tomcat's main `lib/` directory.
====
===== Securing a WAR
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
.Procedure
. Create a `META-INF/context.xml` file in your WAR package.
+
This is a Tomcat-specific config file in which you must define a Keycloak-specific Valve.
+
[source,xml]
----
<Context path="/your-context-path">
    <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
----
. Create a `keycloak.json` adapter config file within the `WEB-INF` directory of your WAR.
+
The format of this config file is described in the <<_java_adapter_config,Java adapter configuration>>.
. Specify a `login-config` and use standard servlet security to specify role-based constraints on your URLs. Here's an example:
+
[source,xml]
----
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <module-name>customer-portal</module-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customers</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
----
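
The following pre-deployment check is an added example, not part of the Keycloak documentation or code. It opens a built WAR and reports which steps of the procedure above are missing, plus the bundled-jar mistake from the installation note. The names `check_war`, `build_war`, and `SAMPLE` are hypothetical, matching jars by a `keycloak-` file-name prefix is an assumption, and the check is meant for your own build output because the standard-library XML parser is not hardened against hostile input.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

VALVE = "org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"
REQUIRED = ("META-INF/context.xml", "WEB-INF/keycloak.json", "WEB-INF/web.xml")

def check_war(war):
    """List problems found in a WAR given as a path or file object."""
    problems = []
    with zipfile.ZipFile(war) as z:
        names = set(z.namelist())
        problems += ["missing " + n for n in REQUIRED if n not in names]
        # context.xml must declare the Keycloak valve.
        if "META-INF/context.xml" in names:
            ctx = ET.fromstring(z.read("META-INF/context.xml"))
            if not any(v.get("className") == VALVE for v in ctx.iter("Valve")):
                problems.append("context.xml has no Keycloak valve")
        # web.xml needs login-config and auth-constraint (XML namespace ignored).
        if "WEB-INF/web.xml" in names:
            root = ET.fromstring(z.read("WEB-INF/web.xml"))
            tags = {el.tag.rsplit("}", 1)[-1] for el in root.iter()}
            problems += ["web.xml has no " + t
                         for t in ("login-config", "auth-constraint") if t not in tags]
        # Adapter jars bundled in the WAR do not work (see the installation note).
        # Matching on a "keycloak-" file-name prefix is an assumption.
        if any(n.startswith("WEB-INF/lib/keycloak-") for n in names):
            problems.append("Keycloak jars bundled in WEB-INF/lib")
    return problems

def build_war(files):
    """Build an in-memory WAR from {entry name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in files.items():
            z.writestr(name, text)
    return io.BytesIO(buf.getvalue())

# Constructed sample: valve present, but no keycloak.json, no auth-constraint,
# and a jar bundled under WEB-INF/lib (hypothetical file name).
SAMPLE = {
    "META-INF/context.xml": '<Context><Valve className="%s"/></Context>' % VALVE,
    "WEB-INF/web.xml": "<web-app><login-config/></web-app>",
    "WEB-INF/lib/keycloak-example.jar": "",
}

if __name__ == "__main__":
    for problem in check_war(build_war(SAMPLE)):
        print(problem)
```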