94 lines
3.6 KiB
XML
94 lines
3.6 KiB
XML
|
<section id="tomcat-adapter">
|
||
|
|
<title>Tomcat 7 Adapter</title>
|
||
|
|
<para>
|
||
|
|
To be able to secure WAR apps deployed on Tomcat 7 you must install the Keycloak Tomcat 7 adapter
|
||
|
|
into your Tomcat installation. You then have to provide some extra configuration in each WAR you deploy to
|
||
|
|
Tomcat. Let's go over these steps.
|
||
|
|
</para>
|
||
|
|
<section id="tomcat-adapter-installation">
|
||
|
|
<title>Adapter Installation</title>
|
||
|
|
<para>
|
||
|
|
There is a adapter zip file for Tomcat 7 in the <literal>adapters/</literal> directory in the Keycloak appliance
|
||
|
|
or war distribution. You must unzip this file into Tomcat's <literal>lib/</literal> directory. Including
|
||
|
|
adapter's jars within your WEB-INF/lib directory will not work! The Keycloak adapter is implemented as a Valve
|
||
|
|
and valve code must reside in Tomcat's main lib/ directory.
|
||
|
|
</para>
|
||
|
|
<para>
|
||
|
|
<programlisting>
|
||
|
|
$ cd $TOMCAT_HOME/lib
|
||
|
|
$ unzip keycloak-tomcat7-adapter-dist.zip
|
||
|
|
</programlisting>
|
||
|
|
</para>
|
||
|
|
</section>
|
||
|
|
|
||
|
|
<section>
|
||
|
|
<title>Required Per WAR Configuration</title>
|
||
|
|
<para>
|
||
|
|
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
|
||
|
|
</para>
|
||
|
|
<para>
|
||
|
|
The first thing you must do is create a <literal>META-INF/context.xml</literal> file in your WAR package. This is
|
||
|
|
a Tomcat specific config file and you must define a Keycloak specific Valve.
|
||
|
|
</para>
|
||
|
|
<programlisting>
|
||
|
|
<![CDATA[
|
||
|
|
<Context path="/your-context-path">
|
||
|
|
<Valve className="org.keycloak.adapters.tomcat7.KeycloakAuthenticatorValve"/>
|
||
|
|
</Context>]]>
|
||
|
|
</programlisting>
|
||
|
|
<para>
|
||
|
|
Next you must create
|
||
|
|
a <literal>keycloak.json</literal> adapter config file within the <literal>WEB-INF</literal> directory
|
||
|
|
of your WAR. The format of this config file is describe in the <link linkend='adapter-config'>general adapter configuration</link>
|
||
|
|
section.
|
||
|
|
</para>
|
||
|
|
<para>
|
||
|
|
Finally you must specify both a <literal>login-config</literal> and use standard servlet security to specify
|
||
|
|
role-base constraints on your URLs. Here's an example:
|
||
|
|
</para>
|
||
|
|
<para>
|
||
|
|
<programlisting>
|
||
|
|
<![CDATA[
|
||
|
|
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
|
||
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||
|
|
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
|
||
|
|
version="3.0">
|
||
|
|
|
||
|
|
<module-name>customer-portal</module-name>
|
||
|
|
|
||
|
|
<security-constraint>
|
||
|
|
<web-resource-collection>
|
||
|
|
<web-resource-name>Customers</web-resource-name>
|
||
|
|
<url-pattern>/*</url-pattern>
|
||
|
|
</web-resource-collection>
|
||
|
|
<auth-constraint>
|
||
|
|
<role-name>user</role-name>
|
||
|
|
</auth-constraint>
|
||
|
|
</security-constraint>
|
||
|
|
|
||
|
|
<security-constraint>
|
||
|
|
<web-resource-collection>
|
||
|
|
<url-pattern>/*</url-pattern>
|
||
|
|
</web-resource-collection>
|
||
|
|
<user-data-constraint>
|
||
|
|
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
|
||
|
|
</user-data-constraint>
|
||
|
|
</security-constraint>
|
||
|
|
|
||
|
|
<login-config>
|
||
|
|
<auth-method>BASIC</auth-method>
|
||
|
|
<realm-name>this is ignored currently/realm-name>
|
||
|
|
</login-config>
|
||
|
|
|
||
|
|
<security-role>
|
||
|
|
<role-name>admin</role-name>
|
||
|
|
</security-role>
|
||
|
|
<security-role>
|
||
|
|
<role-name>user</role-name>
|
||
|
|
</security-role>
|
||
|
|
</web-app>
|
||
|
|
]]>
|
||
|
|
</programlisting>
|
||
|
|
</para>
|
||
|
|
</section>
|
||
|
|
</section>
|