keycloak-scim/docs/guides/securing-apps/partials/saml/required_per_war_configuration.adoc


=== Securing a WAR

This section describes how to secure a WAR directly by adding config and editing files within your WAR package. 

Once `keycloak-saml.xml` is created and in the `WEB-INF` directory of your WAR, you must set the `auth-method` to `KEYCLOAK-SAML` in `web.xml`.
You also have to use standard servlet security to specify role-base constraints on your URLs.
Here's an example _web.xml_ file:

[source,xml]
----

<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
         version="6.0">

	<module-name>customer-portal</module-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admins</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customers</web-resource-name>
            <url-pattern>/customers/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>KEYCLOAK-SAML</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
----

All standard servlet settings except the `auth-method` setting.
initial saml 2016-06-02 16:07:45 +00:00
Move saml documentation to guides Closes #31330 Signed-off-by: rmartinc <rmartinc@redhat.com> 2024-07-22 08:16:24 +00:00			`=== Securing a WAR`
initial saml 2016-06-02 16:07:45 +00:00
			`This section describes how to secure a WAR directly by adding config and editing files within your WAR package.`

Move saml documentation to guides Closes #31330 Signed-off-by: rmartinc <rmartinc@redhat.com> 2024-07-22 08:16:24 +00:00			Once `keycloak-saml.xml` is created and in the `WEB-INF` directory of your WAR, you must set the `auth-method` to `KEYCLOAK-SAML` in `web.xml`.
initial saml 2016-06-02 16:07:45 +00:00			`You also have to use standard servlet security to specify role-base constraints on your URLs.`
saml general config 2016-06-02 21:18:42 +00:00			`Here's an example _web.xml_ file:`
initial saml 2016-06-02 16:07:45 +00:00
			`[source,xml]`
			`----`

Update securing_applications guide for latest adapter changes (community) (#20995) closes #20994 Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2023-06-20 07:21:47 +00:00			`<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"`
			`version="6.0">`
initial saml 2016-06-02 16:07:45 +00:00
			`<module-name>customer-portal</module-name>`

			`<security-constraint>`
			`<web-resource-collection>`
			`<web-resource-name>Admins</web-resource-name>`
			`<url-pattern>/admin/*</url-pattern>`
			`</web-resource-collection>`
			`<auth-constraint>`
			`<role-name>admin</role-name>`
			`</auth-constraint>`
			`<user-data-constraint>`
			`<transport-guarantee>CONFIDENTIAL</transport-guarantee>`
			`</user-data-constraint>`
			`</security-constraint>`
			`<security-constraint>`
			`<web-resource-collection>`
			`<web-resource-name>Customers</web-resource-name>`
			`<url-pattern>/customers/*</url-pattern>`
			`</web-resource-collection>`
			`<auth-constraint>`
			`<role-name>user</role-name>`
			`</auth-constraint>`
			`<user-data-constraint>`
			`<transport-guarantee>CONFIDENTIAL</transport-guarantee>`
			`</user-data-constraint>`
			`</security-constraint>`

			`<login-config>`
			`<auth-method>KEYCLOAK-SAML</auth-method>`
			`<realm-name>this is ignored currently</realm-name>`
			`</login-config>`

			`<security-role>`
			`<role-name>admin</role-name>`
			`</security-role>`
			`<security-role>`
			`<role-name>user</role-name>`
			`</security-role>`
			`</web-app>`
saml general config 2016-06-02 21:18:42 +00:00			`----`

			All standard servlet settings except the `auth-method` setting.
initial saml 2016-06-02 16:07:45 +00:00