keycloak-scim/docbook/auth-server-docs/reference/en/en-US/modules/jboss-adapter.xml

<section id="jboss-adapter">
    <title>JBoss/Wildfly Adapter</title>
    <para>
        To be able to secure WAR apps deployed on JBoss AS 7.1.1, JBoss EAP 6.x, or Wildfly, you must install and
        configure the Keycloak Subsystem.  You then have two options to secure your WARs.  You can provide a keycloak
        config file in your WAR and change the auth-method to KEYCLOAK within web.xml.  Alternatively, you don't have
        to crack open your WARs at all and can apply Keycloak via the Keycloak Subsystem configuration in standalone.xml.
        Both methods are described in this section.
    </para>
    <section id="jboss-adapter-installation">
        <title>Adapter Installation</title>
    <para>
        Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on
        the Keycloak download site.  They are also available as a maven artifact.
    </para>
    <para>
        Install on Wildfly 9 or 10:
<programlisting>
$ cd $WILDFLY_HOME
$ unzip keycloak-wildfly-adapter-dist.zip
</programlisting>
    </para>
    <para>
        Install on Wildfly 8:
<programlisting>
$ cd $WILDFLY_HOME
$ unzip keycloak-wf8-adapter-dist.zip
</programlisting>
    </para>
    <para>
        Install on JBoss EAP 6.x:
<programlisting>
$ cd $JBOSS_HOME
$ unzip keycloak-eap6-adapter-dist.zip
</programlisting>
    </para>
    <para>
        Install on JBoss AS 7.1.1:
<programlisting>
$ cd $JBOSS_HOME
$ unzip keycloak-as7-adapter-dist.zip
</programlisting>
    </para>
    <para>
        This zip file creates new JBoss Modules specific to the Wildfly Keycloak Adapter within your Wildfly distro.
    </para>
    <para>
        After adding the Keycloak modules, you must then enable the Keycloak Subsystem within your app server's server configuration:
        <literal>domain.xml</literal> or <literal>standalone.xml</literal>.
    </para>
    <para>
        There is a CLI script that will help you modify your server configuration.  Start the server and run the script 
        from the server's bin directory:
<programlisting>
$ cd $JBOSS_HOME/bin
$ jboss-cli.sh -c --file=adapter-install.cli
</programlisting>
        The script will add the extension, subsystem, and optional security-domain as described below.
    </para>
    <para>
<programlisting><![CDATA[
<server xmlns="urn:jboss:domain:1.4">

    <extensions>
        <extension module="org.keycloak.keycloak-adapter-subsystem"/>
          ...
    </extensions>

    <profile>
        <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
         ...
    </profile>
]]>
</programlisting>
    </para>
        <para>
            The keycloak security domain should be used with EJBs and other components when you need the security context created
            in the secured web tier to be propagated to the EJBs (other EE component) you are invoking.  Otherwise
            this configuration is optional.
        </para>
<programlisting><![CDATA[
<server xmlns="urn:jboss:domain:1.4">
 <subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
...
      <security-domain name="keycloak">
         <authentication>
           <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"
                         flag="required"/>
          </authentication>
      </security-domain>
    </security-domains>
]]>
</programlisting>
        <para>
            For example, if you have a JAX-RS service that is an EJB within your WEB-INF/classes directory, you'll want
            to annotate it with the @SecurityDomain annotation as follows:
        </para>
<programlisting><![CDATA[
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.resteasy.annotations.cache.NoCache;

import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import java.util.ArrayList;
import java.util.List;

@Path("customers")
@Stateless
@SecurityDomain("keycloak")
public class CustomerService {

    @EJB
    CustomerDB db;

    @GET
    @Produces("application/json")
    @NoCache
    @RolesAllowed("db_user")
    public List<String> getCustomers() {
        return db.getCustomers();
    }
}
]]>
</programlisting>
        <para>
            We hope to improve our integration in the future so that you don't have to specify the @SecurityDomain
            annotation when you want to propagate a keycloak security context to the EJB tier.
        </para>

    </section>
    <section>
        <title>Required Per WAR Configuration</title>
        <para>
            This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
        </para>
        <para>
            The first thing you must do is create
            a <literal>keycloak.json</literal> adapter config file within the <literal>WEB-INF</literal> directory
            of your WAR.  The format of this config file is describe in the <link linkend='adapter-config'>general adapter configuration</link>
            section.
        </para>
        <para>
            Next you must set the <literal>auth-method</literal> to <literal>KEYCLOAK</literal> in <literal>web.xml</literal>.  You also
            have to use standard servlet security to specify role-base constraints on your URLs.  Here's an example
            pulled from one of the examples that comes distributed with Keycloak.
        </para>
        <para>
<programlisting>
<![CDATA[
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
      version="3.0">

	<module-name>customer-portal</module-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admins</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customers</web-resource-name>
            <url-pattern>/customers/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
]]>
</programlisting>
        </para>
    </section>
    <section>
        <title>Securing WARs via Keycloak Subsystem</title>
        <para>
            You do not have to crack open a WAR to secure it with Keycloak.  Alternatively, you can externally secure
            it via the Keycloak Adapter Subsystem.  While you don't have to specify KEYCLOAK as an <literal>auth-method</literal>,
            you still have to define the <literal>security-constraints</literal> in <literal>web.xml</literal>.  You do
            not, however, have to create a <literal>WEB-INF/keycloak.json</literal> file.  This metadata is instead defined
            within XML in your server's <literal>domain.xml</literal> or <literal>standalone.xml</literal> subsystem
            configuration section.
        </para>
<para>
<programlisting><![CDATA[
<extensions>
  <extension module="org.keycloak.keycloak-adapter-subsystem"/>
</extensions>

<profile>
  <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
     <secure-deployment name="WAR MODULE NAME.war">
        <realm>demo</realm>
        <realm-public-key>MIGfMA0GCSqGSIb3DQEBAQUAA</realm-public-key>
        <auth-server-url>http://localhost:8081/auth</auth-server-url>
        <ssl-required>external</ssl-required>
        <resource>customer-portal</resource>
        <credential name="secret">password</credential>
     </secure-deployment>
  </subsystem>
</profile>
]]>
</programlisting>
</para>
        <para>
            The <literal>secure-deployment</literal> <literal>name</literal> attribute identifies the WAR you want
            to secure.  Its value is the <literal>module-name</literal> defined in <literal>web.xml</literal> with
            <literal>.war</literal> appended.  The rest of the configuration corresponds pretty much one to one
            with the <literal>keycloak.json</literal> configuration options defined in <link linkend='adapter-config'>general adapter configuration</link>.
            The exception is the <literal>credential</literal> element.
        </para>
        <para>
            To make it easier for you, you can go to the Keycloak Adminstration Console and go to the Application/Installation
            tab of the application this WAR is aligned with.  It provides an example XML file you can cut and paste.
        </para>
        <para>
            There is an additional convenience format for this XML if you have multiple WARs you are deployment that
            are secured by the same domain.  This format allows you to define common configuration items in one place
            under the <literal>realm</literal> element.
        </para>
        <para>
            <programlisting><![CDATA[
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <realm name="demo">
        <realm-public-key>MIGfMA0GCSqGSIb3DQEBA</realm-public-key>
        <auth-server-url>http://localhost:8080/auth</auth-server-url>
        <ssl-required>external</ssl-required>
    </realm>
    <secure-deployment name="customer-portal.war">
        <realm>demo</realm>
        <resource>customer-portal</resource>
        <credential name="secret">password</credential>
    </secure-deployment>
    <secure-deployment name="product-portal.war">
        <realm>demo</realm>
        <resource>product-portal</resource>
        <credential name="secret">password</credential>
    </secure-deployment>
    <secure-deployment name="database.war">
        <realm>demo</realm>
        <resource>database-service</resource>
        <bearer-only>true</bearer-only>
    </secure-deployment>
</subsystem>
]]>
            </programlisting>
        </para>
    </section>

</section>
KEYCLOAK-1385 Introduce end-of-line normalization 2015-07-17 11:45:43 +00:00			`<section id="jboss-adapter">`
			`<title>JBoss/Wildfly Adapter</title>`
			`<para>`
			`To be able to secure WAR apps deployed on JBoss AS 7.1.1, JBoss EAP 6.x, or Wildfly, you must install and`
			`configure the Keycloak Subsystem. You then have two options to secure your WARs. You can provide a keycloak`
			`config file in your WAR and change the auth-method to KEYCLOAK within web.xml. Alternatively, you don't have`
			`to crack open your WARs at all and can apply Keycloak via the Keycloak Subsystem configuration in standalone.xml.`
			`Both methods are described in this section.`
			`</para>`
			`<section id="jboss-adapter-installation">`
			`<title>Adapter Installation</title>`
			`<para>`
			`Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on`
			`the Keycloak download site. They are also available as a maven artifact.`
			`</para>`
			`<para>`
KEYCLOAK-2099 WildFly 10 adapter subsystem 2015-11-27 13:36:49 +00:00			`Install on Wildfly 9 or 10:`
KEYCLOAK-1385 Introduce end-of-line normalization 2015-07-17 11:45:43 +00:00			`<programlisting>`
			`$ cd $WILDFLY_HOME`
KEYCLOAK-2099 WildFly 10 adapter subsystem 2015-11-27 13:36:49 +00:00			`$ unzip keycloak-wildfly-adapter-dist.zip`
KEYCLOAK-1385 Introduce end-of-line normalization 2015-07-17 11:45:43 +00:00			`</programlisting>`
			`</para>`
			`<para>`
			`Install on Wildfly 8:`
			`<programlisting>`
			`$ cd $WILDFLY_HOME`
			`$ unzip keycloak-wf8-adapter-dist.zip`
			`</programlisting>`
			`</para>`
			`<para>`
			`Install on JBoss EAP 6.x:`
			`<programlisting>`
			`$ cd $JBOSS_HOME`
			`$ unzip keycloak-eap6-adapter-dist.zip`
			`</programlisting>`
			`</para>`
			`<para>`
			`Install on JBoss AS 7.1.1:`
			`<programlisting>`
			`$ cd $JBOSS_HOME`
			`$ unzip keycloak-as7-adapter-dist.zip`
			`</programlisting>`
			`</para>`
			`<para>`
			`This zip file creates new JBoss Modules specific to the Wildfly Keycloak Adapter within your Wildfly distro.`
			`</para>`
			`<para>`
			`After adding the Keycloak modules, you must then enable the Keycloak Subsystem within your app server's server configuration:`
			`<literal>domain.xml</literal> or <literal>standalone.xml</literal>.`
			`</para>`
Merge branch 'KEYCLOAK-1414-cli-script-adapters' of https://github.com/ssilvert/keycloak into ssilvert-KEYCLOAK-1414-cli-script-adapters Conflicts: docbook/reference/en/en-US/modules/jboss-adapter.xml 2015-07-20 11:10:51 +00:00			`<para>`
			`There is a CLI script that will help you modify your server configuration. Start the server and run the script`
			`from the server's bin directory:`
			`<programlisting>`
			`$ cd $JBOSS_HOME/bin`
			`$ jboss-cli.sh -c --file=adapter-install.cli`
			`</programlisting>`
			`The script will add the extension, subsystem, and optional security-domain as described below.`
			`</para>`
KEYCLOAK-1385 Introduce end-of-line normalization 2015-07-17 11:45:43 +00:00			`<para>`
			`<programlisting><![CDATA[`
			`<server xmlns="urn:jboss:domain:1.4">`

			`<extensions>`
			`<extension module="org.keycloak.keycloak-adapter-subsystem"/>`
			`...`
			`</extensions>`

			`<profile>`
			`<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>`
			`...`
			`</profile>`
			`]]>`
			`</programlisting>`
			`</para>`
			`<para>`
Merge branch 'KEYCLOAK-1414-cli-script-adapters' of https://github.com/ssilvert/keycloak into ssilvert-KEYCLOAK-1414-cli-script-adapters Conflicts: docbook/reference/en/en-US/modules/jboss-adapter.xml 2015-07-20 11:10:51 +00:00			`The keycloak security domain should be used with EJBs and other components when you need the security context created`
KEYCLOAK-1385 Introduce end-of-line normalization 2015-07-17 11:45:43 +00:00			`in the secured web tier to be propagated to the EJBs (other EE component) you are invoking. Otherwise`
			`this configuration is optional.`
			`</para>`
			`<programlisting><![CDATA[`
			`<server xmlns="urn:jboss:domain:1.4">`
			`<subsystem xmlns="urn:jboss:domain:security:1.2">`
			`<security-domains>`
			`...`
			`<security-domain name="keycloak">`
			`<authentication>`
			`<login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"`
			`flag="required"/>`
			`</authentication>`
			`</security-domain>`
			`</security-domains>`
			`]]>`
			`</programlisting>`
			`<para>`
			`For example, if you have a JAX-RS service that is an EJB within your WEB-INF/classes directory, you'll want`
			`to annotate it with the @SecurityDomain annotation as follows:`
			`</para>`
			`<programlisting><![CDATA[`
			`import org.jboss.ejb3.annotation.SecurityDomain;`
			`import org.jboss.resteasy.annotations.cache.NoCache;`

			`import javax.annotation.security.RolesAllowed;`
			`import javax.ejb.EJB;`
			`import javax.ejb.Stateless;`
			`import javax.ws.rs.GET;`
			`import javax.ws.rs.Path;`
			`import javax.ws.rs.Produces;`
			`import java.util.ArrayList;`
			`import java.util.List;`

			`@Path("customers")`
			`@Stateless`
			`@SecurityDomain("keycloak")`
			`public class CustomerService {`

			`@EJB`
			`CustomerDB db;`

			`@GET`
			`@Produces("application/json")`
			`@NoCache`
			`@RolesAllowed("db_user")`
			`public List<String> getCustomers() {`
			`return db.getCustomers();`
			`}`
			`}`
			`]]>`
			`</programlisting>`
			`<para>`
			`We hope to improve our integration in the future so that you don't have to specify the @SecurityDomain`
			`annotation when you want to propagate a keycloak security context to the EJB tier.`
			`</para>`

			`</section>`
			`<section>`
			`<title>Required Per WAR Configuration</title>`
			`<para>`
			`This section describes how to secure a WAR directly by adding config and editing files within your WAR package.`
			`</para>`
			`<para>`
			`The first thing you must do is create`
			`a <literal>keycloak.json</literal> adapter config file within the <literal>WEB-INF</literal> directory`
			`of your WAR. The format of this config file is describe in the <link linkend='adapter-config'>general adapter configuration</link>`
			`section.`
			`</para>`
			`<para>`
			`Next you must set the <literal>auth-method</literal> to <literal>KEYCLOAK</literal> in <literal>web.xml</literal>. You also`
			`have to use standard servlet security to specify role-base constraints on your URLs. Here's an example`
			`pulled from one of the examples that comes distributed with Keycloak.`
			`</para>`
			`<para>`
			`<programlisting>`
			`<![CDATA[`
			`<web-app xmlns="http://java.sun.com/xml/ns/javaee"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"`
			`version="3.0">`

			`<module-name>customer-portal</module-name>`

			`<security-constraint>`
			`<web-resource-collection>`
			`<web-resource-name>Admins</web-resource-name>`
			`<url-pattern>/admin/*</url-pattern>`
			`</web-resource-collection>`
			`<auth-constraint>`
			`<role-name>admin</role-name>`
			`</auth-constraint>`
KEYCLOAK-1161 web.xml example in the doc is incorrect 2015-08-20 11:40:35 +00:00			`<user-data-constraint>`
			`<transport-guarantee>CONFIDENTIAL</transport-guarantee>`
			`</user-data-constraint>`
KEYCLOAK-1385 Introduce end-of-line normalization 2015-07-17 11:45:43 +00:00			`</security-constraint>`
			`<security-constraint>`
			`<web-resource-collection>`
			`<web-resource-name>Customers</web-resource-name>`
			`<url-pattern>/customers/*</url-pattern>`
			`</web-resource-collection>`
			`<auth-constraint>`
			`<role-name>user</role-name>`
			`</auth-constraint>`
			`<user-data-constraint>`
			`<transport-guarantee>CONFIDENTIAL</transport-guarantee>`
			`</user-data-constraint>`
			`</security-constraint>`

			`<login-config>`
			`<auth-method>KEYCLOAK</auth-method>`
add missing tag start type to sample jboss configuration in docbook 2015-08-18 12:43:28 +00:00			`<realm-name>this is ignored currently</realm-name>`
KEYCLOAK-1385 Introduce end-of-line normalization 2015-07-17 11:45:43 +00:00			`</login-config>`

			`<security-role>`
			`<role-name>admin</role-name>`
			`</security-role>`
			`<security-role>`
			`<role-name>user</role-name>`
			`</security-role>`
			`</web-app>`
			`]]>`
			`</programlisting>`
			`</para>`
			`</section>`
			`<section>`
			`<title>Securing WARs via Keycloak Subsystem</title>`
			`<para>`
			`You do not have to crack open a WAR to secure it with Keycloak. Alternatively, you can externally secure`
			`it via the Keycloak Adapter Subsystem. While you don't have to specify KEYCLOAK as an <literal>auth-method</literal>,`
			`you still have to define the <literal>security-constraints</literal> in <literal>web.xml</literal>. You do`
			`not, however, have to create a <literal>WEB-INF/keycloak.json</literal> file. This metadata is instead defined`
			`within XML in your server's <literal>domain.xml</literal> or <literal>standalone.xml</literal> subsystem`
			`configuration section.`
			`</para>`
			`<para>`
			`<programlisting><![CDATA[`
			`<extensions>`
			`<extension module="org.keycloak.keycloak-adapter-subsystem"/>`
			`</extensions>`

			`<profile>`
			`<subsystem xmlns="urn:jboss:domain:keycloak:1.1">`
			`<secure-deployment name="WAR MODULE NAME.war">`
			`<realm>demo</realm>`
			`<realm-public-key>MIGfMA0GCSqGSIb3DQEBAQUAA</realm-public-key>`
			`<auth-server-url>http://localhost:8081/auth</auth-server-url>`
			`<ssl-required>external</ssl-required>`
			`<resource>customer-portal</resource>`
			`<credential name="secret">password</credential>`
			`</secure-deployment>`
			`</subsystem>`
			`</profile>`
			`]]>`
			`</programlisting>`
			`</para>`
			`<para>`
KEYCLOAK-1130 security-deployment vs. secure-deployment in the documentation 2015-08-20 11:37:50 +00:00			`The <literal>secure-deployment</literal> <literal>name</literal> attribute identifies the WAR you want`
KEYCLOAK-1385 Introduce end-of-line normalization 2015-07-17 11:45:43 +00:00			`to secure. Its value is the <literal>module-name</literal> defined in <literal>web.xml</literal> with`
			`<literal>.war</literal> appended. The rest of the configuration corresponds pretty much one to one`
			`with the <literal>keycloak.json</literal> configuration options defined in <link linkend='adapter-config'>general adapter configuration</link>.`
			`The exception is the <literal>credential</literal> element.`
			`</para>`
			`<para>`
			`To make it easier for you, you can go to the Keycloak Adminstration Console and go to the Application/Installation`
			`tab of the application this WAR is aligned with. It provides an example XML file you can cut and paste.`
			`</para>`
			`<para>`
			`There is an additional convenience format for this XML if you have multiple WARs you are deployment that`
			`are secured by the same domain. This format allows you to define common configuration items in one place`
			`under the <literal>realm</literal> element.`
			`</para>`
			`<para>`
			`<programlisting><![CDATA[`
			`<subsystem xmlns="urn:jboss:domain:keycloak:1.1">`
			`<realm name="demo">`
			`<realm-public-key>MIGfMA0GCSqGSIb3DQEBA</realm-public-key>`
			`<auth-server-url>http://localhost:8080/auth</auth-server-url>`
			`<ssl-required>external</ssl-required>`
			`</realm>`
			`<secure-deployment name="customer-portal.war">`
			`<realm>demo</realm>`
			`<resource>customer-portal</resource>`
			`<credential name="secret">password</credential>`
			`</secure-deployment>`
			`<secure-deployment name="product-portal.war">`
			`<realm>demo</realm>`
			`<resource>product-portal</resource>`
			`<credential name="secret">password</credential>`
			`</secure-deployment>`
			`<secure-deployment name="database.war">`
			`<realm>demo</realm>`
			`<resource>database-service</resource>`
			`<bearer-only>true</bearer-only>`
			`</secure-deployment>`
			`</subsystem>`
			`]]>`
			`</programlisting>`
			`</para>`
			`</section>`

docbook updates for adapter 2014-02-14 14:50:49 +00:00			`</section>`