libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions

update spring's documentation

Browse source
This commit is contained in:
sebastienblanc 2017-01-20 09:38:00 +01:00
parent 5b47dd40b4
commit a36abc83b6
2 changed files with 62 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
topics/oidc/java/spring-boot-adapter.adoc
View file

@ -2,14 +2,14 @@
==== Spring Boot Adapter
To be able to secure Spring Boot apps you must add the Keycloak Spring Boot adapter JAR to your app.
You then have to provide some extra configuration via normal Spring Boot configuration (`application.properties`). Let's go over these steps.
You then have to provide some extra configuration via normal Spring Boot configuration (`application.properties`). Let's go over these steps.
[[_spring_boot_adapter_installation]]
===== Adapter Installation
The Keycloak Spring Boot adapter takes advantage of Spring Boot's autoconfiguration so all you need to do is add the Keycloak Spring Boot adapter JAR to your project.
Depending on what container you are using with Spring Boot, you also need to add the appropriate Keycloak container adapter.
If you are using Maven, add the following to your pom.xml (using Tomcat as an example):
If you are using Maven, add the following to your pom.xml (using Tomcat as an example):
[source,xml,subs="attributes+"]
@ -26,15 +26,21 @@ If you are using Maven, add the following to your pom.xml (using Tomcat as an ex
<artifactId>keycloak-tomcat8-adapter</artifactId>
<version>{{book.project.versionMvn}}</version>
</dependency>
----
----
Currently the following embedded containers are supported :
* Tomcat
* Undertow
* Jetty
[[_spring_boot_adapter_configuration]]
===== Required Spring Boot Adapter Configuration
This section describes how to configure your Spring Boot app to use Keycloak.
This section describes how to configure your Spring Boot app to use Keycloak.
Instead of a `keycloak.json` file, you configure the realm for the Spring Boot Keycloak adapter via the normal Spring Boot configuration.
For example:
For example:
[source]
----
@ -48,8 +54,11 @@ keycloak.credentials.secret = 11111111-1111-1111-1111-111111111111
keycloak.use-resource-role-mappings = true
----
You also need to specify the J2EE security config that would normally go in the `web.xml`.
Here's an example configuration:
To configure a Policy Enforcer, unlike keycloak.json, `policy-enforcer-config` must be used instead of just `policy-enforcer`.
You also need to specify the Java EE security config that would normally go in the `web.xml`.
The Spring Boot Adapter will set the `login-method` to `KEYCLOAK` and configure the `security-constraints` at startup time.
Here's an example configuration:
[source]
----

74
topics/oidc/java/spring-security-adapter.adoc
View file

@ -2,14 +2,14 @@
==== Spring Security Adapter
To secure an application with Spring Security and Keycloak, add this adapter as a dependency to your project.
You then have to provide some extra beans in your Spring Security configuration file and add the Keycloak security filter to your pipeline.
You then have to provide some extra beans in your Spring Security configuration file and add the Keycloak security filter to your pipeline.
Unlike the other Keycloak Adapters, you should not configure your security in web.xml.
However, keycloak.json is still required.
However, keycloak.json is still required.
===== Adapter Installation
Add Keycloak Spring Security adapter as a dependency to your Maven POM or Gradle build.
Add Keycloak Spring Security adapter as a dependency to your Maven POM or Gradle build.
[source,xml,subs="attributes+"]
@ -23,19 +23,19 @@ Add Keycloak Spring Security adapter as a dependency to your Maven POM or Gradle
===== Spring Security Configuration
The Keycloak Spring Security adapter takes advantage of Spring Security's flexible security configuration syntax.
The Keycloak Spring Security adapter takes advantage of Spring Security's flexible security configuration syntax.
====== Java Configuration
Keycloak provides a KeycloakWebSecurityConfigurerAdapter as a convenient base class for creating a http://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/config/annotation/web/WebSecurityConfigurer.html[WebSecurityConfigurer] instance.
The implementation allows customization by overriding methods.
While its use is not required, it greatly simplifies your security context configuration.
While its use is not required, it greatly simplifies your security context configuration.
[source]
----
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
@ -69,22 +69,22 @@ public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
.anyRequest().permitAll();
}
}
----
----
You must provide a session authentication strategy bean which should be of type `RegisterSessionAuthenticationStrategy` for public or confidential applications and `NullAuthenticatedSessionStrategy` for bearer-only applications.
You must provide a session authentication strategy bean which should be of type `RegisterSessionAuthenticationStrategy` for public or confidential applications and `NullAuthenticatedSessionStrategy` for bearer-only applications.
Spring Security's `SessionFixationProtectionStrategy` is currently not supported because it changes the session identifier after login via Keycloak.
If the session identifier changes, universal log out will not work because Keycloak is unaware of the new session identifier.
If the session identifier changes, universal log out will not work because Keycloak is unaware of the new session identifier.
====== XML Configuration
While Spring Security's XML namespace simplifies configuration, customizing the configuration can be a bit verbose.
While Spring Security's XML namespace simplifies configuration, customizing the configuration can be a bit verbose.
[source]
----
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
@ -144,7 +144,7 @@ While Spring Security's XML namespace simplifies configuration, customizing the
</security:http>
</beans>
----
----
===== Multi Tenancy
@ -155,23 +155,23 @@ More details on how to implement the `KeycloakConfigResolver` can be found in <<
===== Naming Security Roles
Spring Security, when using role-based authentication, requires that role names start with `ROLE_`.
For example, an administrator role must be declared in Keycloak as `ROLE_ADMIN` or similar, not simply `ADMIN`.
For example, an administrator role must be declared in Keycloak as `ROLE_ADMIN` or similar, not simply `ADMIN`.
The class `org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider` supports an optional `org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper` which can be used to map roles coming from Keycloak to roles recognized by Spring Security.
Use, for example, `org.springframework.security.core.authority.mapping.SimpleAuthorityMapper` to insert the `ROLE_` prefix and convert the role name to upper case.
The class is part of Spring Security Core module.
The class is part of Spring Security Core module.
===== Client to Client Support
To simplify communication between clients, Keycloak provides an extension of Spring's `RestTemplate` that handles bearer token authentication for you.
To enable this feature your security configuration must add the `KeycloakRestTemplate` bean.
Note that it must be scoped as a prototype to function correctly.
Note that it must be scoped as a prototype to function correctly.
For Java configuration:
For Java configuration:
[source]
----
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
@ -190,24 +190,24 @@ public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
...
}
----
----
For XML configuration:
For XML configuration:
[source]
----
<bean id="keycloakRestTemplate" class="org.keycloak.adapters.springsecurity.client.KeycloakRestTemplate" scope="prototype">
<constructor-arg name="factory" ref="keycloakClientRequestFactory" />
</bean>
----
----
Your application code can then use `KeycloakRestTemplate` any time it needs to make a call to another client.
For example:
For example:
[source]
----
@Service
public class RemoteProductService implements ProductService {
@ -223,18 +223,36 @@ public class RemoteProductService implements ProductService {
return Arrays.asList(response.getBody());
}
}
----
----
===== Spring Boot Configuration
===== Spring Boot Integration
The Spring Boot and the Spring Security adapters can be combined.
====== Using Spring Boot Configuration
By Default, the Spring Security Adapter looks for a `keycloak.json` configuration file. You can make sure it looks at the configuration provided by the Spring Boot Adapter by adding this bean :
[source]
----
@Bean
public KeycloakConfigResolver KeycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
----
====== Avoid double Filter bean registration
Spring Boot attempts to eagerly register filter beans with the web application context.
Therefore, when running the Keycloak Spring Security adapter in a Spring Boot environment, it may be necessary to add two ``FilterRegistrationBean``s to your security configuration to prevent the Keycloak filters from being registered twice.
Therefore, when running the Keycloak Spring Security adapter in a Spring Boot environment, it may be necessary to add two ``FilterRegistrationBean``s to your security configuration to prevent the Keycloak filters from being registered twice.
[source]
----
@Configuration
@EnableWebSecurity
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
@ -259,4 +277,4 @@ public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
...
}
----
----