2014-01-13 01:57:31 +00:00
|
|
|
<section>
|
|
|
|
<title>JBoss EAP6/AS7 Adapter</title>
|
|
|
|
<section>
|
|
|
|
<title>JBoss EAP6/AS7 Adapter Adapter Installation</title>
|
|
|
|
<para>
|
|
|
|
The JBoss EAP6 Adapter is contained in the Keycloak distribution within the <literal>adapters/keycloak-eap6-adapter-dist.zip</literal>
|
|
|
|
file. Conversely, the JBoss AS 7.1.1 adapter is contained in the file <literal>adapters/keycloak-as7-adapter-dist.zip</literal>
|
|
|
|
To install it:
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
<programlisting>
|
|
|
|
$ cd $JBOSS_HOME
|
|
|
|
# For an EAP distro
|
|
|
|
$ unzip keycloak-eap6-adapter-dist.zip
|
|
|
|
|
|
|
|
or
|
|
|
|
# For an JBoss AS 7.1.1 distro
|
|
|
|
$ unzip keycloak-as7-adapter-dist.zip
|
|
|
|
</programlisting>
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
This zip file creates new JBoss Modules specific to the JBoss EAP6 Keycloak Adapter within your JBoss distro.
|
|
|
|
</para>
|
|
|
|
</section>
|
|
|
|
<section>
|
|
|
|
<title>JBoss EAP6/AS7 Adapter Configuration</title>
|
|
|
|
<para>
|
|
|
|
The JBoss EAP6 Adapter is enabled per WAR application. The adapter code is contained in a JBoss Module
|
|
|
|
so you must first create a <literal>jboss-deployment-structure.xml</literal> within your WAR's
|
|
|
|
<literal>WEB-INF</literal> directory that imports the JBoss EAP6 Keycloak Adapter.
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
<programlisting><![CDATA[
|
|
|
|
<jboss-deployment-structure>
|
|
|
|
<deployment>
|
|
|
|
<dependencies>
|
|
|
|
<module name="org.keycloak.keycloak-as7-adapter"/>
|
|
|
|
</dependencies>
|
|
|
|
</deployment>
|
|
|
|
</jboss-deployment-structure>]]>
|
|
|
|
</programlisting>
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
It is possible to add the adapter jars directory to your WAR, but its best to do module imports because
|
|
|
|
the adapter's dependencies may conflict with your application's.
|
|
|
|
</para>
|
|
|
|
<para>
|
2014-01-17 17:27:21 +00:00
|
|
|
Next thing you have to do is turn on the Keycloak adapter for this deployment. To do this you must
|
|
|
|
create a <literal>WEB-INF/jboss-web.xml</literal> file and specify a a Keycloak valve. This will override
|
|
|
|
any <literal>login-config</literal> setting you have defined with <literal>web.xml</literal>
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
<programlisting><![CDATA[<jboss-web>
|
|
|
|
<valve>
|
|
|
|
<class-name>org.keycloak.adapters.as7.KeycloakAuthenticatorValve</class-name>
|
|
|
|
</valve>
|
|
|
|
</jboss-web>]]>
|
|
|
|
</programlisting>
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
After creating the <literal>jboss-web.xml</literal> configuration file, you must create
|
2014-01-13 01:57:31 +00:00
|
|
|
a <literal>keycloak.json</literal> adapter config file within the <literal>WEB-INF</literal> directory
|
|
|
|
of your WAR. The format of this config file is describe in the <link linkend='adapter-config'>general adapter configuration</link>
|
|
|
|
section.
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
While you do have to specify a login-config in your WAR's <literal>web.xml</literal>, it doesn't matter what values you put there.
|
|
|
|
You also
|
|
|
|
have to use standard servlet security to specify role-base constraints on your URLs. Here's an example
|
|
|
|
pulled from one of the examples that comes distributed with Keycloak.
|
|
|
|
</para>
|
|
|
|
<para>
|
|
|
|
<programlisting>
|
|
|
|
<![CDATA[
|
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
|
|
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
|
|
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
|
|
|
|
version="3.0">
|
|
|
|
|
|
|
|
<module-name>customer-portal</module-name>
|
|
|
|
|
|
|
|
<security-constraint>
|
|
|
|
<web-resource-collection>
|
|
|
|
<web-resource-name>Admins</web-resource-name>
|
|
|
|
<url-pattern>/admin/*</url-pattern>
|
|
|
|
</web-resource-collection>
|
|
|
|
<auth-constraint>
|
|
|
|
<role-name>admin</role-name>
|
|
|
|
</auth-constraint>
|
|
|
|
</security-constraint>
|
|
|
|
<security-constraint>
|
|
|
|
<web-resource-collection>
|
|
|
|
<web-resource-name>Customers</web-resource-name>
|
|
|
|
<url-pattern>/customers/*</url-pattern>
|
|
|
|
</web-resource-collection>
|
|
|
|
<auth-constraint>
|
|
|
|
<role-name>user</role-name>
|
|
|
|
</auth-constraint>
|
|
|
|
</security-constraint>
|
|
|
|
|
|
|
|
<!--
|
|
|
|
<security-constraint>
|
|
|
|
<web-resource-collection>
|
|
|
|
<url-pattern>/*</url-pattern>
|
|
|
|
</web-resource-collection>
|
|
|
|
<user-data-constraint>
|
|
|
|
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
|
|
|
|
</user-data-constraint>
|
|
|
|
</security-constraint> -->
|
|
|
|
|
|
|
|
<login-config>
|
|
|
|
<auth-method>BASIC</auth-method>
|
|
|
|
<realm-name>commerce</realm-name>
|
|
|
|
</login-config>
|
|
|
|
|
|
|
|
<security-role>
|
|
|
|
<role-name>admin</role-name>
|
|
|
|
</security-role>
|
|
|
|
<security-role>
|
|
|
|
<role-name>user</role-name>
|
|
|
|
</security-role>
|
|
|
|
</web-app>
|
|
|
|
]]>
|
|
|
|
</programlisting>
|
|
|
|
</para>
|
|
|
|
</section> ]
|
|
|
|
|
|
|
|
</section>
|