keycloak-scim/topics/saml/java/jboss-adapter/jboss_adapter_installation.adoc

137 lines
3.2 KiB
Text
Raw Normal View History

2016-06-02 16:07:45 +00:00
[[_saml-jboss-adapter-installation]]
===== Adapter Installation
2016-06-02 21:18:42 +00:00
Each adapter is a separate download on the {{book.project.name}} download site.
2016-06-02 16:07:45 +00:00
2016-06-02 21:18:42 +00:00
{% if book.community %}
Install on Wildfly 9 or 10, or JBoss EAP 7:
2016-06-02 16:07:45 +00:00
[source]
----
$ cd $WILDFLY_HOME
$ unzip keycloak-saml-wildfly-adapter-dist.zip
2016-06-02 21:18:42 +00:00
----
{% endif %}
2016-06-02 16:07:45 +00:00
2016-06-02 21:18:42 +00:00
{% if book.community %}
Install on JBoss EAP 6.x:
2016-06-02 16:07:45 +00:00
[source]
----
$ cd $JBOSS_HOME
$ unzip keycloak-saml-eap6-adapter-dist.zip
2016-06-02 21:18:42 +00:00
----
{% endif %}
{% if book.product %}
Install on JBoss EAP 6.x:
[source]
----
$ cd $JBOSS_HOME
$ unzip RH-SSO-saml-eap6-adapter.zip
----
Install on JBoss EAP 7.x:
[source]
----
$ cd $JBOSS_HOME
$ unzip RH-SSO-saml-eap7-adapter.zip
----
{% endif %}
2016-06-02 16:07:45 +00:00
2016-06-02 21:18:42 +00:00
These zip files create new JBoss Modules specific to the Wildfly/JBoss EPKeycloak SAML Adapter within your Wildfly or JBoss EAP distro.
2016-06-02 16:07:45 +00:00
2016-06-02 21:18:42 +00:00
After adding the modules, you must then enable the {{book.project.name}} SAML Subsystem within your app server's server configuration: `domain.xml` or `standalone.xml`.
2016-06-02 16:07:45 +00:00
There is a CLI script that will help you modify your server configuration.
Start the server and run the script from the server's bin directory:
[source]
----
$ cd $JBOSS_HOME/bin
$ jboss-cli.sh -c --file=adapter-install-saml.cli
----
The script will add the extension, subsystem, and optional security-domain as described below.
[source,xml]
----
<server xmlns="urn:jboss:domain:1.4">
<extensions>
<extension module="org.keycloak.keycloak-saml-adapter-subsystem"/>
...
</extensions>
<profile>
<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1"/>
...
</profile>
----
2016-06-02 21:18:42 +00:00
The `keycloak` security domain should be used with EJBs and other components when you need the security context created
in the secured web tier to be propagated to the EJBs (other EE component) you are invoking.
2016-06-02 16:07:45 +00:00
Otherwise this configuration is optional.
[source,xml]
----
<server xmlns="urn:jboss:domain:1.4">
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
...
<security-domain name="keycloak">
<authentication>
<login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule"
flag="required"/>
</authentication>
</security-domain>
</security-domains>
----
2016-06-02 21:18:42 +00:00
For example, if you have a JAX-RS service that is an EJB within your WEB-INF/classes directory,
you'll want to annotate it with the `@SecurityDomain` annotation as follows:
2016-06-02 16:07:45 +00:00
[source,xml]
----
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.resteasy.annotations.cache.NoCache;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import java.util.ArrayList;
import java.util.List;
@Path("customers")
@Stateless
@SecurityDomain("keycloak")
public class CustomerService {
@EJB
CustomerDB db;
@GET
@Produces("application/json")
@NoCache
@RolesAllowed("db_user")
public List<String> getCustomers() {
return db.getCustomers();
}
}
----
2016-06-02 21:18:42 +00:00
We hope to improve our integration in the future so that you don't have to specify the
`@SecurityDomain` annotation when you want to propagate a keycloak security context to the EJB tier.
2016-06-02 16:07:45 +00:00