keycloak-scim/topics/oidc/java/tomcat-adapter.adoc


[[_tomcat_adapter]]
=== Tomcat 6, 7 and 8 Adapters

To be able to secure WAR apps deployed on Tomcat 6, 7 and 8 you must install the Keycloak Tomcat 6, 7 or 8 adapter into your Tomcat installation.
You then have to provide some extra configuration in each WAR you deploy to Tomcat.
Let's go over these steps. 

[[_tomcat_adapter_installation]]
==== Adapter Installation

Adapters are no longer included with the appliance or war distribution.
Each adapter is a separate download on the Keycloak download site.
They are also available as a maven artifact. 

You must unzip the adapter distro into Tomcat's `lib/` directory.
Including adapter's jars within your WEB-INF/lib directory will not work!  The Keycloak adapter is implemented as a Valve and valve code must reside in Tomcat's main lib/ directory. 


[source]
----

$ cd $TOMCAT_HOME/lib
$ unzip keycloak-tomcat6-adapter-dist.zip
    or
$ unzip keycloak-tomcat7-adapter-dist.zip
    or
$ unzip keycloak-tomcat8-adapter-dist.zip
----    

==== Required Per WAR Configuration

This section describes how to secure a WAR directly by adding config and editing files within your WAR package. 

The first thing you must do is create a `META-INF/context.xml` file in your WAR package.
This is a Tomcat specific config file and you must define a Keycloak specific Valve. 

[source]
----


<Context path="/your-context-path">
    <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
----

Next you must create a `keycloak.json` adapter config file within the `WEB-INF` directory of your WAR.
The format of this config file is describe in the <<_java_adapter_config,general adapter configuration>>            section. 

Finally you must specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs.
Here's an example: 


[source]
----


<web-app xmlns="http://java.sun.com/xml/ns/javaee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
      version="3.0">

	<module-name>customer-portal</module-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customers</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
----
initial import 2016-04-18 19:10:32 +00:00
			`[[_tomcat_adapter]]`
Re-structuring 2016-06-01 11:02:44 +00:00			`=== Tomcat 6, 7 and 8 Adapters`
initial import 2016-04-18 19:10:32 +00:00
			`To be able to secure WAR apps deployed on Tomcat 6, 7 and 8 you must install the Keycloak Tomcat 6, 7 or 8 adapter into your Tomcat installation.`
			`You then have to provide some extra configuration in each WAR you deploy to Tomcat.`
			`Let's go over these steps.`

			`[[_tomcat_adapter_installation]]`
Re-structuring 2016-06-01 11:02:44 +00:00			`==== Adapter Installation`
initial import 2016-04-18 19:10:32 +00:00
			`Adapters are no longer included with the appliance or war distribution.`
			`Each adapter is a separate download on the Keycloak download site.`
			`They are also available as a maven artifact.`

			You must unzip the adapter distro into Tomcat's `lib/` directory.
			`Including adapter's jars within your WEB-INF/lib directory will not work! The Keycloak adapter is implemented as a Valve and valve code must reside in Tomcat's main lib/ directory.`


			`[source]`
			`----`

			`$ cd $TOMCAT_HOME/lib`
			`$ unzip keycloak-tomcat6-adapter-dist.zip`
			`or`
			`$ unzip keycloak-tomcat7-adapter-dist.zip`
			`or`
			`$ unzip keycloak-tomcat8-adapter-dist.zip`
			`----`

Re-structuring 2016-06-01 11:02:44 +00:00			`==== Required Per WAR Configuration`
initial import 2016-04-18 19:10:32 +00:00
			`This section describes how to secure a WAR directly by adding config and editing files within your WAR package.`

			The first thing you must do is create a `META-INF/context.xml` file in your WAR package.
			`This is a Tomcat specific config file and you must define a Keycloak specific Valve.`

			`[source]`
			`----`


			`<Context path="/your-context-path">`
			`<Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>`
			`</Context>`
			`----`

			Next you must create a `keycloak.json` adapter config file within the `WEB-INF` directory of your WAR.
corrections as per review comments 2016-06-03 13:25:19 +00:00			`The format of this config file is describe in the <<_java_adapter_config,general adapter configuration>> section.`
initial import 2016-04-18 19:10:32 +00:00
			Finally you must specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs.
			`Here's an example:`


			`[source]`
			`----`


			`<web-app xmlns="http://java.sun.com/xml/ns/javaee"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"`
			`version="3.0">`

			`<module-name>customer-portal</module-name>`

			`<security-constraint>`
			`<web-resource-collection>`
			`<web-resource-name>Customers</web-resource-name>`
			`<url-pattern>/*</url-pattern>`
			`</web-resource-collection>`
			`<auth-constraint>`
			`<role-name>user</role-name>`
			`</auth-constraint>`
			`</security-constraint>`

			`<login-config>`
			`<auth-method>BASIC</auth-method>`
			`<realm-name>this is ignored currently</realm-name>`
			`</login-config>`

			`<security-role>`
			`<role-name>admin</role-name>`
			`</security-role>`
			`<security-role>`
			`<role-name>user</role-name>`
			`</security-role>`
			`</web-app>`
resolving compilation errors for the downstream build system 2016-06-03 12:46:22 +00:00			`----`