112 lines
3 KiB
Text
112 lines
3 KiB
Text
|
|
||
|
|
[[_saml-jboss-adapter-installation]]
|
||
|
|
===== Adapter Installation
|
||
|
|
|
||
|
|
SAML Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on the Keycloak download site.
|
||
|
|
They are also available as a maven artifact.
|
||
|
|
|
||
|
|
Install on Wildfly 9 or 10:
|
||
|
|
|
||
|
|
[source]
|
||
|
|
----
|
||
|
|
|
||
|
|
$ cd $WILDFLY_HOME
|
||
|
|
$ unzip keycloak-saml-wildfly-adapter-dist.zip
|
||
|
|
----
|
||
|
|
|
||
|
|
Install on JBoss EAP 6.x:
|
||
|
|
|
||
|
|
[source]
|
||
|
|
----
|
||
|
|
|
||
|
|
$ cd $JBOSS_HOME
|
||
|
|
$ unzip keycloak-saml-eap6-adapter-dist.zip
|
||
|
|
----
|
||
|
|
|
||
|
|
This zip file creates new JBoss Modules specific to the Wildfly Keycloak SAML Adapter within your Wildfly distro.
|
||
|
|
|
||
|
|
After adding the Keycloak modules, you must then enable the Keycloak SAML Subsystem within your app server's server configuration: `domain.xml` or `standalone.xml`.
|
||
|
|
|
||
|
|
There is a CLI script that will help you modify your server configuration.
|
||
|
|
Start the server and run the script from the server's bin directory:
|
||
|
|
|
||
|
|
[source]
|
||
|
|
----
|
||
|
|
|
||
|
|
$ cd $JBOSS_HOME/bin
|
||
|
|
$ jboss-cli.sh -c --file=adapter-install-saml.cli
|
||
|
|
----
|
||
|
|
The script will add the extension, subsystem, and optional security-domain as described below.
|
||
|
|
|
||
|
|
[source,xml]
|
||
|
|
----
|
||
|
|
<server xmlns="urn:jboss:domain:1.4">
|
||
|
|
|
||
|
|
<extensions>
|
||
|
|
<extension module="org.keycloak.keycloak-saml-adapter-subsystem"/>
|
||
|
|
...
|
||
|
|
</extensions>
|
||
|
|
|
||
|
|
<profile>
|
||
|
|
<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1"/>
|
||
|
|
...
|
||
|
|
</profile>
|
||
|
|
----
|
||
|
|
|
||
|
|
The keycloak security domain should be used with EJBs and other components when you need the security context created in the secured web tier to be propagated to the EJBs (other EE component) you are invoking.
|
||
|
|
Otherwise this configuration is optional.
|
||
|
|
|
||
|
|
[source,xml]
|
||
|
|
----
|
||
|
|
|
||
|
|
<server xmlns="urn:jboss:domain:1.4">
|
||
|
|
<subsystem xmlns="urn:jboss:domain:security:1.2">
|
||
|
|
<security-domains>
|
||
|
|
...
|
||
|
|
<security-domain name="keycloak">
|
||
|
|
<authentication>
|
||
|
|
<login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"
|
||
|
|
flag="required"/>
|
||
|
|
</authentication>
|
||
|
|
</security-domain>
|
||
|
|
</security-domains>
|
||
|
|
----
|
||
|
|
|
||
|
|
For example, if you have a JAX-RS service that is an EJB within your WEB-INF/classes directory, you'll want to annotate it with the @SecurityDomain annotation as follows:
|
||
|
|
|
||
|
|
[source,xml]
|
||
|
|
----
|
||
|
|
|
||
|
|
import org.jboss.ejb3.annotation.SecurityDomain;
|
||
|
|
import org.jboss.resteasy.annotations.cache.NoCache;
|
||
|
|
|
||
|
|
import javax.annotation.security.RolesAllowed;
|
||
|
|
import javax.ejb.EJB;
|
||
|
|
import javax.ejb.Stateless;
|
||
|
|
import javax.ws.rs.GET;
|
||
|
|
import javax.ws.rs.Path;
|
||
|
|
import javax.ws.rs.Produces;
|
||
|
|
import java.util.ArrayList;
|
||
|
|
import java.util.List;
|
||
|
|
|
||
|
|
@Path("customers")
|
||
|
|
@Stateless
|
||
|
|
@SecurityDomain("keycloak")
|
||
|
|
public class CustomerService {
|
||
|
|
|
||
|
|
@EJB
|
||
|
|
CustomerDB db;
|
||
|
|
|
||
|
|
@GET
|
||
|
|
@Produces("application/json")
|
||
|
|
@NoCache
|
||
|
|
@RolesAllowed("db_user")
|
||
|
|
public List<String> getCustomers() {
|
||
|
|
return db.getCustomers();
|
||
|
|
}
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
We hope to improve our integration in the future so that you don't have to specify the @SecurityDomain annotation when you want to propagate a keycloak security context to the EJB tier.
|
||
|
|
|