keycloak-scim/securing_apps/topics/oidc/java/jaas.adoc

[[_jaas_adapter]]
==== JAAS plugin

It's generally not needed to use JAAS for most of the applications, especially if they are HTTP based, and you should most likely choose one of our other adapters.
However, some applications and systems may still rely on pure legacy JAAS solution.
{project_name} provides two login modules to help in these situations.

The provided login modules are:

org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule::
  This login module allows to authenticate with username/password from {project_name}.
  It's using <<_resource_owner_password_credentials_flow,Resource Owner Password Credentials>> flow to validate if the provided
  username/password is valid. It's useful for non-web based systems, which need to rely on JAAS and want to use {project_name}, but can't use the standard browser
  based flows due to their non-web nature. Example of such application could be messaging or SSH.

org.keycloak.adapters.jaas.BearerTokenLoginModule::
  This login module allows to authenticate with {project_name} access token passed to it through CallbackHandler as password.
  It may be useful for example in case, when you have {project_name} access token from standard based authentication flow and your web application then
  needs to talk to external non-web based system, which rely on JAAS. For example a messaging system.

Both modules use the following configuration properties:

keycloak-config-file::
    The location of the `keycloak.json` configuration file. The configuration file can either be located on the filesystem or on the classpath. If it's located
    on the classpath you need to prefix the location with `classpath:` (for example `classpath:/path/keycloak.json`).
    This is _REQUIRED._

`role-principal-class`::
    Configure alternative class for Role principals attached to JAAS Subject.
    Default value is `org.keycloak.adapters.jaas.RolePrincipal`. Note: The class is required to have a constructor with a single `String` argument.

`scope`::
    This option is only applicable to the `DirectAccessGrantsLoginModule`. The specified value will be used as the OAuth2 `scope`
    parameter in the Resource Owner Password Credentials Grant request.
Revert "fixed Wildfly mentions and faulty links with underscores" This reverts commit 1ecbc1ba14075203af437295927699adf84cc428. 2019-01-21 17:01:40 +00:00			`[[_jaas_adapter]]`
Fix headers in oidc chapter 2016-06-09 13:12:10 +00:00			`==== JAAS plugin`
initial import 2016-04-18 19:10:32 +00:00
Complete Java chapters 2016-06-03 10:35:36 +00:00			`It's generally not needed to use JAAS for most of the applications, especially if they are HTTP based, and you should most likely choose one of our other adapters.`
			`However, some applications and systems may still rely on pure legacy JAAS solution.`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`{project_name} provides two login modules to help in these situations.`
initial import 2016-04-18 19:10:32 +00:00
Complete Java chapters 2016-06-03 10:35:36 +00:00			`The provided login modules are:`
initial import 2016-04-18 19:10:32 +00:00
			`org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule::`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`This login module allows to authenticate with username/password from {project_name}.`
			`It's using <<_resource_owner_password_credentials_flow,Resource Owner Password Credentials>> flow to validate if the provided`
			`username/password is valid. It's useful for non-web based systems, which need to rely on JAAS and want to use {project_name}, but can't use the standard browser`
Complete Java chapters 2016-06-03 10:35:36 +00:00			`based flows due to their non-web nature. Example of such application could be messaging or SSH.`
initial import 2016-04-18 19:10:32 +00:00
			`org.keycloak.adapters.jaas.BearerTokenLoginModule::`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`This login module allows to authenticate with {project_name} access token passed to it through CallbackHandler as password.`
			`It may be useful for example in case, when you have {project_name} access token from standard based authentication flow and your web application then`
Complete Java chapters 2016-06-03 10:35:36 +00:00			`needs to talk to external non-web based system, which rely on JAAS. For example a messaging system.`

			`Both modules use the following configuration properties:`
initial import 2016-04-18 19:10:32 +00:00
Complete Java chapters 2016-06-03 10:35:36 +00:00			`keycloak-config-file::`
			The location of the `keycloak.json` configuration file. The configuration file can either be located on the filesystem or on the classpath. If it's located
			on the classpath you need to prefix the location with `classpath:` (for example `classpath:/path/keycloak.json`).
			`This is _REQUIRED._`
initial import 2016-04-18 19:10:32 +00:00
Complete Java chapters 2016-06-03 10:35:36 +00:00			`role-principal-class`::
			`Configure alternative class for Role principals attached to JAAS Subject.`
Update topics/oidc/java/jaas.adoc 2016-06-09 12:28:28 +00:00			Default value is `org.keycloak.adapters.jaas.RolePrincipal`. Note: The class is required to have a constructor with a single `String` argument.
Update topics/oidc/java/jaas.adoc 2016-06-09 12:29:01 +00:00
KEYCLOAK-8297 Documentation for audience 2018-09-24 08:17:11 +00:00			`scope`::
			This option is only applicable to the `DirectAccessGrantsLoginModule`. The specified value will be used as the OAuth2 `scope`
			`parameter in the Resource Owner Password Credentials Grant request.`