keycloak-scim/securing_apps/topics/oidc/java/jboss-adapter.adoc

270 lines
8 KiB
Text
Raw Normal View History

2016-04-18 19:10:32 +00:00
[[_jboss_adapter]]
2016-11-29 22:20:33 +00:00
2016-06-03 08:02:59 +00:00
{% if book.community %}
2016-06-09 13:12:10 +00:00
==== JBoss EAP/Wildfly Adapter
2016-06-03 08:02:59 +00:00
{% endif %}
{% if book.product %}
2016-06-09 13:12:10 +00:00
==== JBoss EAP Adapter
2016-06-03 08:02:59 +00:00
{% endif %}
2016-04-18 19:10:32 +00:00
{% if book.community %}
To be able to secure WAR apps deployed on JBoss EAP, WildFly or JBoss AS, you must install and configure the
2016-06-03 08:02:59 +00:00
{{book.project.name}} adapter subsystem. You then have two options to secure your WARs.
{% endif %}
{% if book.product %}
To be able to secure WAR apps deployed on JBoss EAP, you must install and configure the
{{book.project.name}} adapter subsystem. You then have two options to secure your WARs.
{% endif %}
2016-06-03 08:02:59 +00:00
You can provide an adapter config file in your WAR and change the auth-method to KEYCLOAK within web.xml.
Alternatively, you don't have to modify your WAR at all and you can secure it via the {{book.project.name}} adapter subsystem configuration in `standalone.xml`.
Both methods are described in this section.
2016-04-18 19:10:32 +00:00
[[_jboss_adapter_installation]]
===== Installing the adapter
2016-04-18 19:10:32 +00:00
Adapters are available as a separate archive depending on what server version you are using.
2016-04-18 19:10:32 +00:00
2016-06-03 08:02:59 +00:00
{% if book.community %}
Install on Wildfly 9, 10 or 11:
2016-04-18 19:10:32 +00:00
2016-06-09 12:54:13 +00:00
[source, subs="attributes"]
2016-04-18 19:10:32 +00:00
----
2016-06-03 08:02:59 +00:00
$ cd $WILDFLY_HOME
$ unzip keycloak-wildfly-adapter-dist-{{book.project.version}}.zip
----
Install on Wildfly 8:
2016-04-18 19:10:32 +00:00
2016-06-09 12:54:13 +00:00
[source, subs="attributes"]
2016-06-03 08:02:59 +00:00
----
2016-04-18 19:10:32 +00:00
$ cd $WILDFLY_HOME
2016-06-03 08:02:59 +00:00
$ unzip keycloak-wf8-adapter-dist-{{book.project.version}}.zip
----
Install on JBoss EAP 7:
2016-04-18 19:10:32 +00:00
2016-06-09 12:54:13 +00:00
[source, subs="attributes"]
2016-04-18 19:10:32 +00:00
----
2016-06-03 08:02:59 +00:00
$ cd $EAP_HOME
$ unzip keycloak-eap7-adapter-dist-{{book.project.version}}.zip
----
2016-04-18 19:10:32 +00:00
2016-06-03 08:02:59 +00:00
Install on JBoss EAP 6:
2016-04-18 19:10:32 +00:00
2016-06-09 12:54:13 +00:00
[source, subs="attributes"]
2016-04-18 19:10:32 +00:00
----
2016-06-03 08:02:59 +00:00
$ cd $EAP_HOME
$ unzip keycloak-eap6-adapter-dist-{{book.project.version}}.zip
----
2016-04-18 19:10:32 +00:00
2016-06-03 08:02:59 +00:00
Install on JBoss AS 7.1:
2016-04-18 19:10:32 +00:00
2016-06-09 12:54:13 +00:00
[source, subs="attributes"]
2016-04-18 19:10:32 +00:00
----
$ cd $JBOSS_HOME
2016-06-03 08:02:59 +00:00
$ unzip keycloak-as7-adapter-dist-{{book.project.version}}.zip
----
{% endif %}
2016-04-18 19:10:32 +00:00
2016-06-03 08:02:59 +00:00
{% if book.product %}
Install on JBoss EAP 7:
2016-04-18 19:10:32 +00:00
2016-06-09 12:54:13 +00:00
[source, subs="attributes"]
2016-06-03 08:02:59 +00:00
----
$ cd $EAP_HOME
2016-06-09 12:41:13 +00:00
$ unzip rh-sso-{{book.project.version}}-eap7-adapter.zip
2016-06-03 08:02:59 +00:00
----
2016-04-18 19:10:32 +00:00
2016-06-03 08:02:59 +00:00
Install on JBoss EAP 6:
2016-04-18 19:10:32 +00:00
2016-06-09 12:54:13 +00:00
[source, subs="attributes"]
2016-04-18 19:10:32 +00:00
----
2016-06-03 08:02:59 +00:00
$ cd $EAP_HOME
2016-06-09 12:41:13 +00:00
$ unzip rh-sso-{{book.project.version}}-eap6-adapter.zip
2016-06-03 08:02:59 +00:00
----
{% endif %}
2016-04-18 19:10:32 +00:00
This ZIP archive contains JBoss Modules specific to the {{book.project.name}} adapter. It also contains JBoss CLI scripts
to configure the adapter subsystem.
2016-04-18 19:10:32 +00:00
To configure the adapter subsystem if the server is not running execute:
2016-04-18 19:10:32 +00:00
{% if book.community %}
.Wildfly 11
[source]
----
$ ./bin/jboss-cli.sh --file=adapter-elytron-install-offline.cli
----
{% endif %}
.Any other server but Wildfly 11
2016-04-18 19:10:32 +00:00
[source]
----
$ ./bin/jboss-cli.sh --file=adapter-install-offline.cli
2016-11-29 22:20:33 +00:00
----
2016-04-18 19:10:32 +00:00
NOTE: The offline script is not available for JBoss EAP 6
2016-04-18 19:10:32 +00:00
Alternatively, if the server is running execute:
2016-04-18 19:10:32 +00:00
{% if book.community %}
.Wildfly 11
[source]
----
$ ./bin/jboss-cli.sh --file=adapter-elytron-install.cli
----
{% endif %}
.Any other server but Wildfly 11
[source]
2016-04-18 19:10:32 +00:00
----
$ ./bin/jboss-cli.sh --file=adapter-install.cli
2016-04-18 19:10:32 +00:00
----
2016-06-09 13:12:10 +00:00
===== Required Per WAR Configuration
2016-04-18 19:10:32 +00:00
This section describes how to secure a WAR directly by adding configuration and editing files within your WAR package.
2016-04-18 19:10:32 +00:00
The first thing you must do is create a `keycloak.json` adapter configuration file within the `WEB-INF` directory of your WAR.
2016-06-06 09:25:35 +00:00
The format of this configuration file is described in the <<fake/../java-adapter-config.adoc#_java_adapter_config,Java adapter configuration>> section.
2016-04-18 19:10:32 +00:00
Next you must set the `auth-method` to `KEYCLOAK` in `web.xml`.
You also have to use standard servlet security to specify role-base constraints on your URLs.
2016-06-03 08:02:59 +00:00
Here's an example:
2016-04-18 19:10:32 +00:00
2016-06-03 08:02:59 +00:00
[source,xml]
2016-04-18 19:10:32 +00:00
----
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
2016-06-03 08:02:59 +00:00
<module-name>application</module-name>
2016-04-18 19:10:32 +00:00
<security-constraint>
<web-resource-collection>
<web-resource-name>Admins</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Customers</web-resource-name>
<url-pattern>/customers/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
2016-11-29 22:20:33 +00:00
----
2016-04-18 19:10:32 +00:00
2016-06-09 13:12:10 +00:00
===== Securing WARs via Adapter Subsystem
2016-04-18 19:10:32 +00:00
2016-06-09 12:33:42 +00:00
You do not have to modify your WAR to secure it with {{book.project.name}}. Instead you can externally secure it via the {{book.project.name}} Adapter Subsystem.
2016-04-18 19:10:32 +00:00
While you don't have to specify KEYCLOAK as an `auth-method`, you still have to define the `security-constraints` in `web.xml`.
You do not, however, have to create a `WEB-INF/keycloak.json` file.
2016-06-09 12:33:42 +00:00
This metadata is instead defined within server configuration (i.e. `standalone.xml`) in the {{book.project.name}} subsystem definition.
2016-04-18 19:10:32 +00:00
2016-06-03 08:02:59 +00:00
[source,xml]
2016-04-18 19:10:32 +00:00
----
<extensions>
<extension module="org.keycloak.keycloak-adapter-subsystem"/>
</extensions>
<profile>
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="WAR MODULE NAME.war">
<realm>demo</realm>
<auth-server-url>http://localhost:8081/auth</auth-server-url>
<ssl-required>external</ssl-required>
<resource>customer-portal</resource>
<credential name="secret">password</credential>
</secure-deployment>
</subsystem>
</profile>
----
The `secure-deployment` `name` attribute identifies the WAR you want to secure.
Its value is the `module-name` defined in `web.xml` with `.war` appended. The rest of the configuration corresponds pretty much one to one with the `keycloak.json` configuration options defined in <<fake/../java-adapter-config.adoc#_java_adapter_config,Java adapter configuration>>.
2016-06-06 09:25:35 +00:00
2016-11-29 22:20:33 +00:00
The exception is the `credential` element.
2016-04-18 19:10:32 +00:00
To make it easier for you, you can go to the {{book.project.name}} Administration Console and go to the Client/Installation tab of the application this WAR is aligned with.
2016-11-29 22:20:33 +00:00
It provides an example XML file you can cut and paste.
2016-04-18 19:10:32 +00:00
If you have multiple deployments secured by the same realm you can share the realm configuration in a separate element. For example:
2016-04-18 19:10:32 +00:00
2016-06-03 08:02:59 +00:00
[source,xml]
2016-04-18 19:10:32 +00:00
----
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<realm name="demo">
<auth-server-url>http://localhost:8080/auth</auth-server-url>
<ssl-required>external</ssl-required>
</realm>
<secure-deployment name="customer-portal.war">
<realm>demo</realm>
<resource>customer-portal</resource>
<credential name="secret">password</credential>
</secure-deployment>
<secure-deployment name="product-portal.war">
<realm>demo</realm>
<resource>product-portal</resource>
<credential name="secret">password</credential>
</secure-deployment>
<secure-deployment name="database.war">
<realm>demo</realm>
<resource>database-service</resource>
<bearer-only>true</bearer-only>
</secure-deployment>
</subsystem>
2016-11-29 22:20:33 +00:00
----
===== Security Domain
To propagate the security context to the EJB tier you need to configure it to use the "keycloak" security domain. This
can be achieved with the @SecurityDomain annotation:
[source]
----
import org.jboss.ejb3.annotation.SecurityDomain;
...
@Stateless
@SecurityDomain("keycloak")
public class CustomerService {
@RolesAllowed("user")
public List<String> getCustomers() {
return db.getCustomers();
}
}
----