2016-06-07 06:14:38 +00:00
2016-04-18 19:10:32 +00:00
[[_jetty9_adapter]]
2016-06-09 13:12:10 +00:00
==== Jetty 9.x Adapters
2016-04-18 19:10:32 +00:00
2017-01-03 20:42:58 +00:00
Keycloak has a separate adapter for Jetty 9.1.x, Jetty 9.2.x and Jetty 9.3.x that you will have to install into your Jetty installation.
2016-04-18 19:10:32 +00:00
You then have to provide some extra configuration in each WAR you deploy to Jetty.
2017-01-03 20:42:58 +00:00
Let's go over these steps.
2016-04-18 19:10:32 +00:00
2016-06-07 06:14:38 +00:00
[[_jetty9_adapter_installation]]
2016-06-09 13:12:10 +00:00
===== Adapter Installation
2016-04-18 19:10:32 +00:00
2017-11-16 03:51:42 +00:00
Adapters are no longer included with the appliance or war distribution. Each adapter is a separate download on the Keycloak download site.
2017-01-03 20:42:58 +00:00
They are also available as a maven artifact.
2016-04-18 19:10:32 +00:00
2017-11-16 03:51:42 +00:00
You must unzip the Jetty 9.x distro into Jetty 9.x's link:https://www.eclipse.org/jetty/documentation/current/startup-base-and-home.html[base directory].
2017-01-03 20:42:58 +00:00
Including adapter's jars within your WEB-INF/lib directory will not work!
In the example below, the Jetty base is named `your-base`:
2016-04-18 19:10:32 +00:00
[source]
----
2017-01-03 20:42:58 +00:00
$ cd your-base
$ unzip keycloak-jetty93-adapter-dist-2.5.0.Final.zip
----
2016-04-18 19:10:32 +00:00
2017-01-03 20:42:58 +00:00
Next, you will have to enable the `keycloak` module for your Jetty base:
2016-04-18 19:10:32 +00:00
[source]
----
$ java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak
2017-01-03 20:42:58 +00:00
----
2016-04-18 19:10:32 +00:00
[[_jetty9_per_war]]
2016-06-09 13:12:10 +00:00
===== Required Per WAR Configuration
2016-04-18 19:10:32 +00:00
2017-01-03 20:42:58 +00:00
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
2016-04-18 19:10:32 +00:00
The first thing you must do is create a `WEB-INF/jetty-web.xml` file in your WAR package.
2017-01-03 20:42:58 +00:00
This is a Jetty specific config file and you must define a Keycloak specific authenticator within it.
2016-04-18 19:10:32 +00:00
[source]
----
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="securityHandler">
<Set name="authenticator">
<New class="org.keycloak.adapters.jetty.KeycloakJettyAuthenticator">
</New>
</Set>
</Get>
</Configure>
----
Next you must create a `keycloak.json` adapter config file within the `WEB-INF` directory of your WAR.
2016-06-06 09:25:35 +00:00
2017-11-16 03:51:42 +00:00
The format of this config file is described in the <<_java_adapter_config,Java adapter configuration>> section.
2016-04-18 19:10:32 +00:00
WARNING: The Jetty 9.1.x adapter will not be able to find the `keycloak.json` file.
2017-01-03 20:42:58 +00:00
You will have to define all adapter settings within the `jetty-web.xml` file as described below.
2016-04-18 19:10:32 +00:00
Instead of using keycloak.json, you can define everything within the `jetty-web.xml`.
2017-01-03 20:42:58 +00:00
You'll just have to figure out how the json settings match to the `org.keycloak.representations.adapters.config.AdapterConfig` class.
2016-04-18 19:10:32 +00:00
[source]
----
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="securityHandler">
<Set name="authenticator">
<New class="org.keycloak.adapters.jetty.KeycloakJettyAuthenticator">
<Set name="adapterConfig">
<New class="org.keycloak.representations.adapters.config.AdapterConfig">
<Set name="realm">tomcat</Set>
<Set name="resource">customer-portal</Set>
<Set name="authServerUrl">http://localhost:8081/auth</Set>
<Set name="sslRequired">external</Set>
<Set name="credentials">
<Map>
<Entry>
<Item>secret</Item>
<Item>password</Item>
</Entry>
</Map>
</Set>
</New>
</Set>
</New>
</Set>
</Get>
</Configure>
2017-01-03 20:42:58 +00:00
----
2016-04-18 19:10:32 +00:00
You do not have to crack open your WAR to secure it with keycloak.
Instead create the jetty-web.xml file in your webapps directory with the name of yourwar.xml.
Jetty should pick it up.
2017-01-03 20:42:58 +00:00
In this mode, you'll have to declare keycloak.json configuration directly within the xml file.
2016-04-18 19:10:32 +00:00
Finally you must specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs.
2017-01-03 20:42:58 +00:00
Here's an example:
2016-04-18 19:10:32 +00:00
[source]
----
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>customer-portal</module-name>
<security-constraint>
<web-resource-collection>
<web-resource-name>Customers</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
2017-01-03 20:42:58 +00:00
----
