keycloak-scim/topics/saml/java/jetty-adapter/jetty9_per_war_config.adoc


[[_saml-jetty9-per-war]]
===== Jetty 9 Required Per WAR Configuration

This section describes how to secure a WAR directly by adding config and editing files within your WAR package. 

The first thing you must do is create a `WEB-INF/jetty-web.xml` file in your WAR package.
This is a Jetty specific config file and you must define a Keycloak specific authenticator within it. 

[source,xml]
----
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="securityHandler">
        <Set name="authenticator">
            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
            </New>
        </Set>
    </Get>
</Configure>
----

Next you must create a `keycloak-saml.xml` adapter config file within the `WEB-INF` directory of your WAR.
The format of this config file is describe in the <<_adapter_config,general adapter configuration>> section. 

Finally you must specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs.
Here's an example: 

[source,xml]
----
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
      version="3.0">

	<module-name>customer-portal</module-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customers</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
----
initial saml 2016-06-02 16:07:45 +00:00
			`[[_saml-jetty9-per-war]]`
			`===== Jetty 9 Required Per WAR Configuration`

			`This section describes how to secure a WAR directly by adding config and editing files within your WAR package.`

			The first thing you must do is create a `WEB-INF/jetty-web.xml` file in your WAR package.
			`This is a Jetty specific config file and you must define a Keycloak specific authenticator within it.`

			`[source,xml]`
			`----`
			`<?xml version="1.0"?>`
			`<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">`
			`<Configure class="org.eclipse.jetty.webapp.WebAppContext">`
			`<Get name="securityHandler">`
			`<Set name="authenticator">`
			`<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">`
			`</New>`
			`</Set>`
			`</Get>`
			`</Configure>`
			`----`

			Next you must create a `keycloak-saml.xml` adapter config file within the `WEB-INF` directory of your WAR.
			`The format of this config file is describe in the <<_adapter_config,general adapter configuration>> section.`

			Finally you must specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs.
			`Here's an example:`

			`[source,xml]`
			`----`
			`<web-app xmlns="http://java.sun.com/xml/ns/javaee"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"`
			`version="3.0">`

			`<module-name>customer-portal</module-name>`

			`<security-constraint>`
			`<web-resource-collection>`
			`<web-resource-name>Customers</web-resource-name>`
			`<url-pattern>/*</url-pattern>`
			`</web-resource-collection>`
			`<auth-constraint>`
			`<role-name>user</role-name>`
			`</auth-constraint>`
			`<user-data-constraint>`
			`<transport-guarantee>CONFIDENTIAL</transport-guarantee>`
			`</user-data-constraint>`
			`</security-constraint>`

			`<login-config>`
			`<auth-method>BASIC</auth-method>`
			`<realm-name>this is ignored currently</realm-name>`
			`</login-config>`

			`<security-role>`
			`<role-name>admin</role-name>`
			`</security-role>`
			`<security-role>`
			`<role-name>user</role-name>`
			`</security-role>`
			`</web-app>`
			`----`