[[_jboss_adapter]]
ifeval::[{project_community}==true]
==== JBoss EAP/WildFly Adapter
endif::[]
ifeval::[{project_product}==true]
==== JBoss EAP Adapter
endif::[]

ifeval::[{project_community}==true]
To be able to secure WAR apps deployed on JBoss EAP, WildFly or JBoss AS, you must install and configure the
{project_name} adapter subsystem. You then have two options to secure your WARs.
endif::[]
ifeval::[{project_product}==true]
To be able to secure WAR apps deployed on JBoss EAP, you must install and configure the
{project_name} adapter subsystem. You then have two options to secure your WARs.
endif::[]

You can provide an adapter config file in your WAR and change the auth-method to KEYCLOAK within web.xml.
Alternatively, you don't have to modify your WAR at all and you can secure it via the {project_name} adapter subsystem configuration in `standalone.xml`.
Both methods are described in this section.
[[_jboss_adapter_installation]]
===== Installing the adapter

Adapters are available as a separate archive depending on what server version you are using.

NOTE: {appserver_name} should not be running when you install the adapter. If you have either one running, you must stop it before installing and then restart it after installation is complete.

ifeval::[{project_community}==true]
Install on WildFly 9, 10 or 11:

[source, subs="attributes"]
----
$ cd $WILDFLY_HOME
$ unzip keycloak-wildfly-adapter-dist-{project_version}.zip
----
Install on WildFly 8:

[source, subs="attributes"]
----
$ cd $WILDFLY_HOME
$ unzip keycloak-wf8-adapter-dist-{project_version}.zip
----

Install on JBoss EAP 7:

[source, subs="attributes"]
----
$ cd $EAP_HOME
$ unzip keycloak-eap7-adapter-dist-{project_version}.zip
----

Install on JBoss EAP 6:

[source, subs="attributes"]
----
$ cd $EAP_HOME
$ unzip keycloak-eap6-adapter-dist-{project_version}.zip
----

Install on JBoss AS 7.1:

[source, subs="attributes"]
----
$ cd $JBOSS_HOME
$ unzip keycloak-as7-adapter-dist-{project_version}.zip
----
endif::[]
ifeval::[{project_product}==true]
Install on JBoss EAP 7:

You can install the EAP 7 adapters either by unzipping a ZIP file, or by using an RPM.

Install the EAP 7 Adapters from a ZIP File:

[source, subs="attributes"]
----
$ cd $EAP_HOME
$ unzip rh-sso-{project_version}-eap7-adapter.zip
----

Install on JBoss EAP 6:

You can install the EAP 6 adapters either by unzipping a ZIP file, or by using an RPM.

Install the EAP 6 Adapters from a ZIP File:

[source, subs="attributes"]
----
$ cd $EAP_HOME
$ unzip rh-sso-{project_version}-eap6-adapter.zip
----
endif::[]
This ZIP archive contains JBoss Modules specific to the {project_name} adapter. It also contains JBoss CLI scripts to configure the adapter subsystem.

To configure the adapter subsystem if the server is not running, execute:

ifeval::[{project_community}==true]
.WildFly 11
[source]
----
$ ./bin/jboss-cli.sh --file=adapter-elytron-install-offline.cli
----

.WildFly 10 or older
[source]
----
$ ./bin/jboss-cli.sh --file=adapter-install-offline.cli
----
endif::[]

ifeval::[{project_product}==true]
.JBoss EAP 7.1
[source]
----
$ ./bin/jboss-cli.sh --file=adapter-elytron-install-offline.cli
----

.JBoss EAP 7.0
[source]
----
$ ./bin/jboss-cli.sh --file=adapter-install-offline.cli
----
endif::[]

NOTE: The offline script is not available for JBoss EAP 6.4.

Alternatively, if the server is running, execute:
ifeval::[{project_community}==true]
.WildFly 11
[source]
----
$ ./bin/jboss-cli.sh --file=adapter-elytron-install.cli
----

.WildFly 10 or older
[source]
----
$ ./bin/jboss-cli.sh --file=adapter-install.cli
----
endif::[]

ifeval::[{project_product}==true]
.JBoss EAP 7.1
[source]
----
$ ./bin/jboss-cli.sh --file=adapter-elytron-install.cli
----

.JBoss EAP 7.0 and 6.4
[source]
----
$ ./bin/jboss-cli.sh --file=adapter-install.cli
----
endif::[]
===== JBoss SSO

{appserver_name} has built-in support for single sign-on for web applications deployed to the same {appserver_name}
instance. This should not be enabled when using {project_name}.

===== Required Per WAR Configuration

This section describes how to secure a WAR directly by adding configuration and editing files within your WAR package.

The first thing you must do is create a `keycloak.json` adapter configuration file within the `WEB-INF` directory of your WAR.
The format of this configuration file is described in the <<_java_adapter_config,Java adapter configuration>> section.

Next you must set the `auth-method` to `KEYCLOAK` in `web.xml`.
You also have to use standard servlet security to specify role-based constraints on your URLs.
Here's an example:

[source,xml]
----
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <module-name>application</module-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admins</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customers</web-resource-name>
            <url-pattern>/customers/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
----
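The constraints in this `web.xml` are the whole access-control policy the container enforces in front of the adapter, so it pays to check them mechanically before a WAR is deployed. The script below is an added example and not part of the {project_name} documentation or the adapter; `GOOD_WEB_XML` (a constructed copy of the descriptor above, reduced to its security parts), `BAD_WEB_XML` (constructed to contain the usual mistakes) and `check_web_xml` are names chosen for this example. It reports a `login-config` that is not `KEYCLOAK`, a `security-constraint` with no `auth-constraint` (the container lets every caller through), a role used in a constraint but never declared in a `security-role`, and a missing `CONFIDENTIAL` transport guarantee.

```python
"""Static checks for a web.xml that relies on the Keycloak adapter.

Added example, not part of the Keycloak documentation or the adapter code.
"""
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the web.xml from the text, reduced to its security parts.
GOOD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <module-name>application</module-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admins</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Customers</web-resource-name>
      <url-pattern>/customers/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>KEYCLOAK</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""

# Constructed sample with the mistakes the checker is meant to catch.
BAD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <module-name>application</module-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>editor</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Uploads</web-resource-name>
      <url-pattern>/upload/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""


def check_web_xml(xml_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    auth_method = (root.findtext("j:login-config/j:auth-method", default="", namespaces=NS) or "").strip()
    if auth_method != "KEYCLOAK":
        shown = auth_method or "missing"
        findings.append(f"auth-method is {shown!r}; the Keycloak adapter needs KEYCLOAK")

    # Roles the descriptor actually declares; anything else in a constraint is a typo or a leftover.
    declared = {(r.text or "").strip() for r in root.findall("j:security-role/j:role-name", NS)}

    for sc in root.findall("j:security-constraint", NS):
        name = sc.findtext("j:web-resource-collection/j:web-resource-name", default="?", namespaces=NS)
        patterns = [p.text for p in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
        auth = sc.find("j:auth-constraint", NS)
        if auth is None:
            # No auth-constraint at all means the container does not require authentication.
            findings.append(f"{name}: {patterns} has no auth-constraint and is open to everyone")
        else:
            for rn in auth.findall("j:role-name", NS):
                role = (rn.text or "").strip()
                if role != "*" and role not in declared:
                    findings.append(f"{name}: role {role!r} is not declared in a security-role element")
        guarantee = (sc.findtext("j:user-data-constraint/j:transport-guarantee",
                                 default="NONE", namespaces=NS) or "").strip()
        if guarantee != "CONFIDENTIAL":
            findings.append(f"{name}: transport-guarantee is {guarantee}, "
                            "so session cookies and tokens may be sent over plain HTTP")
    return findings


if __name__ == "__main__":
    for label, doc in (("good", GOOD_WEB_XML), ("bad", BAD_WEB_XML)):
        print(label, check_web_xml(doc) or "OK")
```

Run it against the real `WEB-INF/web.xml` by reading the file into `check_web_xml`; an empty result is the expected state for the descriptor shown above, while the constructed bad descriptor yields five findings.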
===== Securing WARs via Adapter Subsystem

You do not have to modify your WAR to secure it with {project_name}. Instead you can externally secure it via the {project_name} Adapter Subsystem.
While you don't have to specify KEYCLOAK as an `auth-method`, you still have to define the `security-constraints` in `web.xml`.
You do not, however, have to create a `WEB-INF/keycloak.json` file.
This metadata is instead defined within server configuration (i.e. `standalone.xml`) in the {project_name} subsystem definition.

[source,xml]
----
<extensions>
    <extension module="org.keycloak.keycloak-adapter-subsystem"/>
</extensions>

<profile>
    <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
        <secure-deployment name="WAR MODULE NAME.war">
            <realm>demo</realm>
            <auth-server-url>http://localhost:8081/auth</auth-server-url>
            <ssl-required>external</ssl-required>
            <resource>customer-portal</resource>
            <credential name="secret">password</credential>
        </secure-deployment>
    </subsystem>
</profile>
----
The `secure-deployment` `name` attribute identifies the WAR you want to secure.
Its value is the `module-name` defined in `web.xml` with `.war` appended. The rest of the configuration corresponds pretty much one to one with the `keycloak.json` configuration options defined in <<_java_adapter_config,Java adapter configuration>>.
The exception is the `credential` element.

To make it easier for you, you can go to the {project_name} Administration Console and go to the Client/Installation tab of the application this WAR is aligned with.
It provides an example XML file you can cut and paste.

If you have multiple deployments secured by the same realm you can share the realm configuration in a separate element. For example:

[source,xml]
----
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <realm name="demo">
        <auth-server-url>http://localhost:8080/auth</auth-server-url>
        <ssl-required>external</ssl-required>
    </realm>
    <secure-deployment name="customer-portal.war">
        <realm>demo</realm>
        <resource>customer-portal</resource>
        <credential name="secret">password</credential>
    </secure-deployment>
    <secure-deployment name="product-portal.war">
        <realm>demo</realm>
        <resource>product-portal</resource>
        <credential name="secret">password</credential>
    </secure-deployment>
    <secure-deployment name="database.war">
        <realm>demo</realm>
        <resource>database-service</resource>
        <bearer-only>true</bearer-only>
    </secure-deployment>
</subsystem>
----
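Because the subsystem elements map onto `keycloak.json` keys, a shared `realm` element can be resolved mechanically into the effective configuration of each deployment, which is the right thing to review before the XML reaches `standalone.xml`. The script below is an added example and not part of the {project_name} documentation or the adapter subsystem code; `SHARED_REALM_XML` is a constructed copy of the example above (without `product-portal.war`), `BROKEN_XML` is a constructed subsystem that references an undefined realm, carries no credential and sets `ssl-required` to `none`, and `resolve_deployments`, `lint` and `to_keycloak_json` are names chosen for this example. It merges the shared realm settings into every `secure-deployment` that references them (deployment-level values win), emits the equivalent `keycloak.json`, and flags deployments that end up without an `auth-server-url`, disable SSL, or are confidential clients without a credential.

```python
"""Resolve the Keycloak adapter subsystem XML into the per-WAR keycloak.json it
corresponds to, then lint the result.

Added example, not part of the Keycloak documentation or the adapter subsystem.
"""
import json
import xml.etree.ElementTree as ET

NS = {"kc": "urn:jboss:domain:keycloak:1.1"}

# Constructed copy of the shared-realm example from the text.
SHARED_REALM_XML = """<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <realm name="demo">
    <auth-server-url>http://localhost:8080/auth</auth-server-url>
    <ssl-required>external</ssl-required>
  </realm>
  <secure-deployment name="customer-portal.war">
    <realm>demo</realm>
    <resource>customer-portal</resource>
    <credential name="secret">password</credential>
  </secure-deployment>
  <secure-deployment name="database.war">
    <realm>demo</realm>
    <resource>database-service</resource>
    <bearer-only>true</bearer-only>
  </secure-deployment>
</subsystem>"""

# Constructed: undefined realm, no credential, SSL switched off.
BROKEN_XML = """<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="orders.war">
    <realm>missing</realm>
    <resource>orders</resource>
    <ssl-required>none</ssl-required>
  </secure-deployment>
</subsystem>"""


def _settings(element):
    """Child elements map one to one onto keycloak.json keys (the tags already use the
    same hyphenated names); <credential name="..."> children collect into 'credentials'."""
    out = {}
    for child in element:
        tag = child.tag.split("}")[-1]  # drop the namespace prefix
        text = (child.text or "").strip()
        if tag == "credential":
            out.setdefault("credentials", {})[child.get("name")] = text
        elif text in ("true", "false"):
            out[tag] = text == "true"
        else:
            out[tag] = text
    return out


def resolve_deployments(xml_text):
    """Return {war name: effective keycloak.json dict}; a shared <realm name=...> element
    is merged into every deployment whose <realm> references it, deployment values winning."""
    root = ET.fromstring(xml_text)
    shared = {r.get("name"): _settings(r) for r in root.findall("kc:realm", NS)}
    resolved = {}
    for dep in root.findall("kc:secure-deployment", NS):
        own = _settings(dep)
        merged = dict(shared.get(own.get("realm"), {}))
        merged.update(own)
        resolved[dep.get("name")] = merged
    return resolved


def lint(resolved):
    """Findings a reviewer would raise before the configuration reaches standalone.xml."""
    findings = []
    for war, cfg in resolved.items():
        if not war.endswith(".war"):
            findings.append(f"{war}: name must be the web.xml module-name with .war appended")
        if "auth-server-url" not in cfg:
            findings.append(f"{war}: no auth-server-url (realm {cfg.get('realm')!r} is not defined)")
        if cfg.get("ssl-required", "external") == "none":
            findings.append(f"{war}: ssl-required is none, the adapter accepts unencrypted requests")
        # A bearer-only or public client needs no credential; any other client does.
        if not cfg.get("bearer-only") and not cfg.get("public-client") and "credentials" not in cfg:
            findings.append(f"{war}: confidential client without a credential cannot authenticate")
    return findings


def to_keycloak_json(resolved, war):
    """The WEB-INF/keycloak.json a deployment would need to carry the same settings."""
    return json.dumps(resolved[war], indent=2)


if __name__ == "__main__":
    resolved = resolve_deployments(SHARED_REALM_XML)
    print(to_keycloak_json(resolved, "customer-portal.war"))
    print(lint(resolved) or "OK")
    print(lint(resolve_deployments(BROKEN_XML)))
```

The example works on the `subsystem` element alone; to review a full `standalone.xml`, locate that element under `profile` first and pass its serialised form in.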
===== Security Domain

To propagate the security context to the EJB tier you need to configure it to use the "keycloak" security domain. This
can be achieved with the @SecurityDomain annotation:

[source,java]
----
import org.jboss.ejb3.annotation.SecurityDomain;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import java.util.List;
...
@Stateless
@SecurityDomain("keycloak") // callers are authenticated through the Keycloak adapter's security domain
public class CustomerService {

    @RolesAllowed("user") // checked against the roles of the propagated Keycloak identity
    public List<String> getCustomers() {
        return db.getCustomers();
    }
}
----