2016-04-18 19:10:32 +00:00
2019-01-21 17:01:40 +00:00
[[_tomcat_adapter]]
2022-05-04 08:28:16 +00:00
==== Tomcat 8 and 9 adapters
2016-04-18 19:10:32 +00:00
2023-07-11 11:32:52 +00:00
include::adapter-deprecation-notice.adoc[]
2022-05-04 08:28:16 +00:00
To be able to secure WAR apps deployed on Tomcat 8, and 9, you install the Keycloak Tomcat adapter into your Tomcat installation. You then perform extra configuration to secure each WAR you deploy to Tomcat.
2016-04-18 19:10:32 +00:00
2019-01-21 17:01:40 +00:00
[[_tomcat_adapter_installation]]
2021-12-22 10:28:04 +00:00
===== Installing the adapter
2016-04-18 19:10:32 +00:00
Adapters are no longer included with the appliance or war distribution.
2021-12-22 10:28:04 +00:00
Each adapter is a separate download on the Keycloak Downloads site.
They are also available as a maven artifact.
2016-04-18 19:10:32 +00:00
2021-12-22 10:28:04 +00:00
.Procedure
2016-04-18 19:10:32 +00:00
2021-12-22 10:28:04 +00:00
. Download the adapter for the Tomcat version on your system from the link:https://www.keycloak.org/downloads[Keycloak Downloads] site.
2016-04-18 19:10:32 +00:00
2021-12-22 10:28:04 +00:00
* Install on Tomcat 8 or 9:
+
2019-05-23 09:21:31 +00:00
[source]
----
$ cd $TOMCAT_HOME/lib
$ unzip keycloak-tomcat-adapter-dist.zip
2021-12-22 10:28:04 +00:00
----
2016-04-18 19:10:32 +00:00
2021-12-22 10:28:04 +00:00
====
[NOTE]
Including the adapter's jars within your WEB-INF/lib directory will not work. The Keycloak adapter is implemented as a Valve and valve code must reside in Tomcat's main lib/ directory.
====
2016-04-18 19:10:32 +00:00
2021-12-22 10:28:04 +00:00
===== Securing a WAR
2016-04-18 19:10:32 +00:00
2021-12-22 10:28:04 +00:00
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
2016-04-18 19:10:32 +00:00
2021-12-22 10:28:04 +00:00
.Procedure
. Create a `META-INF/context.xml` file in your WAR package.
+
This is a Tomcat specific config file and you must define a Keycloak specific Valve.
+
2016-04-18 19:10:32 +00:00
[source]
----
<Context path="/your-context-path">
<Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
----
2021-12-22 10:28:04 +00:00
. Create a `keycloak.json` adapter config file within the `WEB-INF` directory of your WAR.
+
The format of this config file is described in the <<_java_adapter_config,Java adapter configuration>>
2016-04-18 19:10:32 +00:00
2021-12-22 10:28:04 +00:00
. Specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs. Here's an example:
+
2018-02-08 21:09:26 +00:00
[source,xml]
2016-04-18 19:10:32 +00:00
----
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>customer-portal</module-name>
<security-constraint>
<web-resource-collection>
<web-resource-name>Customers</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
2021-12-22 10:28:04 +00:00
----
