keycloak-scim/docbook/reference/en/en-US/modules/jetty9-adapter.xml

<section id="jetty9-adapter">
    <title>Jetty 9.x Adapters</title>
    <para>
        Keycloak has a separate adapter for Jetty 9.1.x and Jetty 9.2.x that you will have to install into your Jetty
        installation.  You then have to provide some extra configuration in each WAR you deploy to
        Jetty.  Let's go over these steps.
    </para>
    <section id="jetty9-adapter-installation">
        <title>Adapter Installation</title>
        <para>
            Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on
            the Keycloak download site.  They are also available as a maven artifact.
        </para>
        <para>
            You must unzip the Jetty 9.x  distro into Jetty 9.x's root directory.  Including
            adapter's jars within your WEB-INF/lib directory will not work!
        </para>
    <para>
<programlisting>
$ cd $JETTY_HOME
$ unzip keycloak-jetty92-adapter-dist.zip
</programlisting>
    </para>
    <para>
        Next, you will have to enable the keycloak module for your jetty.base.
    </para>
        <para>
<programlisting>
$ cd your-base
$ java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak
</programlisting>

        </para>
    </section>

    <section id="jetty9_per_war">
        <title>Required Per WAR Configuration</title>
        <para>
            This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
        </para>
        <para>
            The first thing you must do is create a <literal>WEB-INF/jetty-web.xml</literal> file in your WAR package.  This is
            a Jetty specific config file and you must define a Keycloak specific authenticator within it.
        </para>
        <programlisting>
<![CDATA[
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="securityHandler">
        <Set name="authenticator">
            <New class="org.keycloak.adapters.jetty.KeycloakJettyAuthenticator">
            </New>
        </Set>
    </Get>
</Configure>]]>
        </programlisting>
        <para>
            Next you must create
            a <literal>keycloak.json</literal> adapter config file within the <literal>WEB-INF</literal> directory
            of your WAR.  The format of this config file is describe in the <link linkend='adapter-config'>general adapter configuration</link>
            section.
        </para>
        <warning>
            <para>
                The Jetty 9.1.x adapter will not be able to find the <literal>keycloak.json</literal> file.  You will have to define
                all adapter settings within the <literal>jetty-web.xml</literal> file as described below.
            </para>
        </warning>
        <para>
            Instead of using keycloak.json, you can define everything within the <literal>jetty-web.xml</literal>.  You'll
            just have to figure out how the json settings match to the <literal>org.keycloak.representations.adapters.config.AdapterConfig</literal>
            class.
        </para>
        <para>
<programlisting>
<![CDATA[
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Get name="securityHandler">
    <Set name="authenticator">
        <New class="org.keycloak.adapters.jetty.KeycloakJettyAuthenticator">
            <Set name="adapterConfig">
                <New class="org.keycloak.representations.adapters.config.AdapterConfig">
                    <Set name="realm">tomcat</Set>
                    <Set name="resource">customer-portal</Set>
                    <Set name="authServerUrl">http://localhost:8081/auth</Set>
                    <Set name="sslRequired">external</Set>
                    <Set name="credentials">
                        <Map>
                            <Entry>
                                <Item>secret</Item>
                                <Item>password</Item>
                            </Entry>
                        </Map>
                    </Set>
                    <Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4</Set>
                </New>
            </Set>
        </New>
    </Set>
  </Get>
</Configure>
]]>
</programlisting>
        </para>
        <para>
            You do not have to crack open your WAR to secure it with keycloak.  Instead create the jetty-web.xml file
            in your webapps directory with the name of yourwar.xml.  Jetty should pick it up.  In this mode, you'll have
            to declare keycloak.json configuration directly within the xml file.
        </para>
        <para>
            Finally you must specify both a <literal>login-config</literal> and use standard servlet security to specify
            role-base constraints on your URLs.  Here's an example:
        </para>
        <para>
<programlisting>
<![CDATA[
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
      version="3.0">

	<module-name>customer-portal</module-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customers</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>this is ignored currently/realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
]]>
</programlisting>
        </para>
    </section>
</section>
final jetty stuff 2014-11-08 02:10:15 +00:00			`<section id="jetty9-adapter">`
			`<title>Jetty 9.x Adapters</title>`
			`<para>`
			`Keycloak has a separate adapter for Jetty 9.1.x and Jetty 9.2.x that you will have to install into your Jetty`
			`installation. You then have to provide some extra configuration in each WAR you deploy to`
			`Jetty. Let's go over these steps.`
			`</para>`
			`<section id="jetty9-adapter-installation">`
			`<title>Adapter Installation</title>`
rm adapters from appliance/war-dist 2014-12-05 23:30:41 +00:00			`<para>`
			`Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on`
			`the Keycloak download site. They are also available as a maven artifact.`
			`</para>`
			`<para>`
			`You must unzip the Jetty 9.x distro into Jetty 9.x's root directory. Including`
			`adapter's jars within your WEB-INF/lib directory will not work!`
			`</para>`
final jetty stuff 2014-11-08 02:10:15 +00:00			`<para>`
			`<programlisting>`
			`$ cd $JETTY_HOME`
			`$ unzip keycloak-jetty92-adapter-dist.zip`
			`</programlisting>`
			`</para>`
			`<para>`
			`Next, you will have to enable the keycloak module for your jetty.base.`
			`</para>`
			`<para>`
			`<programlisting>`
			`$ cd your-base`
			`$ java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak`
			`</programlisting>`

			`</para>`
			`</section>`

jetty 8 docs 2014-11-12 15:44:20 +00:00			`<section id="jetty9_per_war">`
final jetty stuff 2014-11-08 02:10:15 +00:00			`<title>Required Per WAR Configuration</title>`
			`<para>`
			`This section describes how to secure a WAR directly by adding config and editing files within your WAR package.`
			`</para>`
			`<para>`
			`The first thing you must do is create a <literal>WEB-INF/jetty-web.xml</literal> file in your WAR package. This is`
			`a Jetty specific config file and you must define a Keycloak specific authenticator within it.`
			`</para>`
			`<programlisting>`
			`<![CDATA[`
			`<?xml version="1.0"?>`
			`<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">`
			`<Configure class="org.eclipse.jetty.webapp.WebAppContext">`
			`<Get name="securityHandler">`
			`<Set name="authenticator">`
			`<New class="org.keycloak.adapters.jetty.KeycloakJettyAuthenticator">`
			`</New>`
			`</Set>`
			`</Get>`
			`</Configure>]]>`
			`</programlisting>`
			`<para>`
			`Next you must create`
			`a <literal>keycloak.json</literal> adapter config file within the <literal>WEB-INF</literal> directory`
			`of your WAR. The format of this config file is describe in the <link linkend='adapter-config'>general adapter configuration</link>`
			`section.`
			`</para>`
			`<warning>`
			`<para>`
			`The Jetty 9.1.x adapter will not be able to find the <literal>keycloak.json</literal> file. You will have to define`
			`all adapter settings within the <literal>jetty-web.xml</literal> file as described below.`
			`</para>`
			`</warning>`
			`<para>`
			`Instead of using keycloak.json, you can define everything within the <literal>jetty-web.xml</literal>. You'll`
			`just have to figure out how the json settings match to the <literal>org.keycloak.representations.adapters.config.AdapterConfig</literal>`
			`class.`
			`</para>`
			`<para>`
			`<programlisting>`
			`<![CDATA[`
			`<?xml version="1.0"?>`
			`<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">`
			`<Configure class="org.eclipse.jetty.webapp.WebAppContext">`
			`<Get name="securityHandler">`
			`<Set name="authenticator">`
			`<New class="org.keycloak.adapters.jetty.KeycloakJettyAuthenticator">`
			`<Set name="adapterConfig">`
			`<New class="org.keycloak.representations.adapters.config.AdapterConfig">`
			`<Set name="realm">tomcat</Set>`
			`<Set name="resource">customer-portal</Set>`
			`<Set name="authServerUrl">http://localhost:8081/auth</Set>`
			`<Set name="sslRequired">external</Set>`
			`<Set name="credentials">`
			`<Map>`
			`<Entry>`
			`<Item>secret</Item>`
			`<Item>password</Item>`
			`</Entry>`
			`</Map>`
			`</Set>`
			`<Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4</Set>`
			`</New>`
			`</Set>`
			`</New>`
			`</Set>`
			`</Get>`
			`</Configure>`
			`]]>`
			`</programlisting>`
			`</para>`
			`<para>`
			`You do not have to crack open your WAR to secure it with keycloak. Instead create the jetty-web.xml file`
			`in your webapps directory with the name of yourwar.xml. Jetty should pick it up. In this mode, you'll have`
			`to declare keycloak.json configuration directly within the xml file.`
			`</para>`
			`<para>`
			`Finally you must specify both a <literal>login-config</literal> and use standard servlet security to specify`
			`role-base constraints on your URLs. Here's an example:`
			`</para>`
			`<para>`
			`<programlisting>`
			`<![CDATA[`
			`<web-app xmlns="http://java.sun.com/xml/ns/javaee"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"`
			`version="3.0">`

			`<module-name>customer-portal</module-name>`

			`<security-constraint>`
			`<web-resource-collection>`
			`<web-resource-name>Customers</web-resource-name>`
			`<url-pattern>/*</url-pattern>`
			`</web-resource-collection>`
			`<auth-constraint>`
			`<role-name>user</role-name>`
			`</auth-constraint>`
			`</security-constraint>`

			`<security-constraint>`
			`<web-resource-collection>`
			`<url-pattern>/*</url-pattern>`
			`</web-resource-collection>`
			`<user-data-constraint>`
			`<transport-guarantee>CONFIDENTIAL</transport-guarantee>`
			`</user-data-constraint>`
			`</security-constraint>`

			`<login-config>`
			`<auth-method>BASIC</auth-method>`
			`<realm-name>this is ignored currently/realm-name>`
			`</login-config>`

			`<security-role>`
			`<role-name>admin</role-name>`
			`</security-role>`
			`<security-role>`
			`<role-name>user</role-name>`
			`</security-role>`
			`</web-app>`
			`]]>`
			`</programlisting>`
			`</para>`
			`</section>`
			`</section>`