Merge pull request #240 from k-tamura/fix_typos

Fix typos in Securing Apps
This commit is contained in:
Matthew Helmke 2017-11-16 06:20:04 -06:00 committed by GitHub
commit c1421d8350
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 28 additions and 28 deletions

View file

@ -5,7 +5,7 @@ NOTE: Docker authentication is disabled by default. To enable see link:{installg
This section describes how you can configure a Docker registry to use {project_name} as its authentication server. This section describes how you can configure a Docker registry to use {project_name} as its authentication server.
Fore more information on how to set up and configure a Docker registry, see the link:https://docs.docker.com/registry/configuration/[Docker Registry Configuration Guide]. For more information on how to set up and configure a Docker registry, see the link:https://docs.docker.com/registry/configuration/[Docker Registry Configuration Guide].
@ -26,7 +26,7 @@ WARNING: Don't forget to configure the `rootcertbundle` field with the location
=== Docker Registry Environment Variable Override Installation === Docker Registry Environment Variable Override Installation
Often times it is appropriate to use a simple environment variable override for develop or POC Docker registries. While this apporach is usually not recommended for production use, it can be helpful when one requires quick-and-dirty way to stand up a registry. Simply use the _Variable Override_ Format Option from the client installation tab, and an output should appear like the one below: Often times it is appropriate to use a simple environment variable override for develop or POC Docker registries. While this approach is usually not recommended for production use, it can be helpful when one requires quick-and-dirty way to stand up a registry. Simply use the _Variable Override_ Format Option from the client installation tab, and an output should appear like the one below:
REGISTRY_AUTH_TOKEN_REALM: http://localhost:8080/auth/auth/realms/master/protocol/docker-v2/auth REGISTRY_AUTH_TOKEN_REALM: http://localhost:8080/auth/auth/realms/master/protocol/docker-v2/auth
REGISTRY_AUTH_TOKEN_SERVICE: docker-test REGISTRY_AUTH_TOKEN_SERVICE: docker-test

View file

@ -45,7 +45,7 @@ propagated by {project_name} to applications using cookie store. Hence it's reco
In deployment scenarios where {project_name} and the application is hosted on the same domain (through a reverse proxy or load balancer) it can be In deployment scenarios where {project_name} and the application is hosted on the same domain (through a reverse proxy or load balancer) it can be
convenient to use relative URI options in your client configuration. convenient to use relative URI options in your client configuration.
With relative URIs the URI is resolved as relative to the URL of the URL used to access {project_name}. With relative URIs the URI is resolved as relative to the URL used to access {project_name}.
For example if the URL to your application is `$$https://acme.org/myapp$$` and the URL to {project_name} is `$$https://acme.org/auth$$`, then you can use For example if the URL to your application is `$$https://acme.org/myapp$$` and the URL to {project_name} is `$$https://acme.org/auth$$`, then you can use
the redirect-uri `/myapp` instead of `$$https://acme.org/myapp$$`. the redirect-uri `/myapp` instead of `$$https://acme.org/myapp$$`.

View file

@ -2,7 +2,7 @@
===== Securing an Apache Camel Application ===== Securing an Apache Camel Application
You can secure Apache camel endpoints implemented with the http://camel.apache.org/jetty.html[camel-jetty] component by adding securityHandler with `KeycloakJettyAuthenticator` and the proper security constraints injected. You can add the `OSGI-INF/blueprint/blueprint.xml` file to your camel application with a similar configuration as below. The roles, security constraint mappings, and {project_name} adapter configuration might differ slightly depending on your environment and needs. You can secure Apache Camel endpoints implemented with the http://camel.apache.org/jetty.html[camel-jetty] component by adding securityHandler with `KeycloakJettyAuthenticator` and the proper security constraints injected. You can add the `OSGI-INF/blueprint/blueprint.xml` file to your Camel application with a similar configuration as below. The roles, security constraint mappings, and {project_name} adapter configuration might differ slightly depending on your environment and needs.
For example: For example:
@ -99,7 +99,7 @@ Camel RestDSL is a Camel feature used to define your REST endpoints in a fluent
The way to configure the integration mechanism depends on the Camel component for which you configure your RestDSL-defined routes. The way to configure the integration mechanism depends on the Camel component for which you configure your RestDSL-defined routes.
The following example shows how to configure integration using the jetty component, with references to some of the beans defined in previous Blueprint example. The following example shows how to configure integration using the Jetty component, with references to some of the beans defined in previous Blueprint example.
[source,xml] [source,xml]
---- ----

View file

@ -4,7 +4,7 @@
To run your CXF endpoints secured by {project_name} on separate Jetty engines, complete the following steps: To run your CXF endpoints secured by {project_name} on separate Jetty engines, complete the following steps:
. Add `META-INF/spring/beans.xml` to your application, and in it, declare `httpj:engine-factory` with Jetty SecurityHandler with injected `KeycloakJettyAuthenticator`. The configuration for a CFX JAX-wS application might resemble this one: . Add `META-INF/spring/beans.xml` to your application, and in it, declare `httpj:engine-factory` with Jetty SecurityHandler with injected `KeycloakJettyAuthenticator`. The configuration for a CFX JAX-WS application might resemble this one:
+ +
[source,xml] [source,xml]
---- ----

View file

@ -6,7 +6,7 @@ You must first install the `keycloak` feature in the JBoss Fuse environment. The
====== Installing from the Maven Repository ====== Installing from the Maven Repository
As a prequisite, you must be online and have access to the Maven repository. As a prerequisite, you must be online and have access to the Maven repository.
ifeval::[{project_community}==true] ifeval::[{project_community}==true]
For community it's sufficient to be online as all the artifacts and 3rd party dependencies should be available in the maven central repository. For community it's sufficient to be online as all the artifacts and 3rd party dependencies should be available in the maven central repository.

View file

@ -34,7 +34,7 @@ which enables a smooth Web based SSO experience.
The client eventually receives the tokens (access_token, refresh_token, The client eventually receives the tokens (access_token, refresh_token,
id_token) which can then be used to call backend services. id_token) which can then be used to call backend services.
The `KeycloakInstalled` adapter provides support for reneval of stale tokens. The `KeycloakInstalled` adapter provides support for renewal of stale tokens.
[[_installed_adapter_installation]] [[_installed_adapter_installation]]
===== Adapter Installation ===== Adapter Installation
@ -54,7 +54,7 @@ The `KeycloakInstalled` adapter provides support for reneval of stale tokens.
===== Client Configuration ===== Client Configuration
The application needs to be configured as a `public` openid connect client with The application needs to be configured as a `public` OpenID Connect client with
`Standard Flow Enabled` and pass:[http://localhost:*] as an allowed `Valid Redirect URI`. `Standard Flow Enabled` and pass:[http://localhost:*] as an allowed `Valid Redirect URI`.
===== Usage ===== Usage

View file

@ -9,7 +9,7 @@ Let's go over these steps.
[[_jetty8_adapter_installation]] [[_jetty8_adapter_installation]]
===== Adapter Installation ===== Adapter Installation
Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on the Keycloak download site. Adapters are no longer included with the appliance or war distribution. Each adapter is a separate download on the Keycloak download site.
They are also available as a maven artifact. They are also available as a maven artifact.
You must unzip the Jetty 8.1.x distro into Jetty 8.1.x's root directory. You must unzip the Jetty 8.1.x distro into Jetty 8.1.x's root directory.

View file

@ -9,10 +9,10 @@ Let's go over these steps.
[[_jetty9_adapter_installation]] [[_jetty9_adapter_installation]]
===== Adapter Installation ===== Adapter Installation
Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on the Keycloak download site. Adapters are no longer included with the appliance or war distribution. Each adapter is a separate download on the Keycloak download site.
They are also available as a maven artifact. They are also available as a maven artifact.
You must unzip the Jetty 9.x distro into Jetty 9.x's link:https://www.eclipse.org/jetty/documentation/current/startup-base-and-home.html[base directory.] You must unzip the Jetty 9.x distro into Jetty 9.x's link:https://www.eclipse.org/jetty/documentation/current/startup-base-and-home.html[base directory].
Including adapter's jars within your WEB-INF/lib directory will not work! Including adapter's jars within your WEB-INF/lib directory will not work!
In the example below, the Jetty base is named `your-base`: In the example below, the Jetty base is named `your-base`:
@ -57,7 +57,7 @@ This is a Jetty specific config file and you must define a Keycloak specific aut
Next you must create a `keycloak.json` adapter config file within the `WEB-INF` directory of your WAR. Next you must create a `keycloak.json` adapter config file within the `WEB-INF` directory of your WAR.
The format of this config file is describe in the <<_java_adapter_config,Java adapter configuration>> section. The format of this config file is described in the <<_java_adapter_config,Java adapter configuration>> section.
WARNING: The Jetty 9.1.x adapter will not be able to find the `keycloak.json` file. WARNING: The Jetty 9.1.x adapter will not be able to find the `keycloak.json` file.
You will have to define all adapter settings within the `jetty-web.xml` file as described below. You will have to define all adapter settings within the `jetty-web.xml` file as described below.

View file

@ -23,7 +23,7 @@ To add it manually and if you are using Maven, add the following to your depende
---- ----
Make also sure to add the Adapter BOM dependency : Make also sure to add the Adapter POM dependency :
[source,xml,subs="attributes+"] [source,xml,subs="attributes+"]
---- ----

View file

@ -75,9 +75,9 @@ Spring Security's `SessionFixationProtectionStrategy` is currently not supported
If the session identifier changes, universal log out will not work because Keycloak is unaware of the new session identifier. If the session identifier changes, universal log out will not work because Keycloak is unaware of the new session identifier.
TIP: The `@KeycloakConfiguration` annotation is a metadata annotion that defines all annotations that are needed to integrate TIP: The `@KeycloakConfiguration` annotation is a metadata annotion that defines all annotations that are needed to integrate
KeyCloak in Spring security. If you have a complexe Spring security setup you can simply have a look ath the annotations of {project_name} in Spring Security. If you have a complexe Spring Security setup you can simply have a look ath the annotations of
the `@KeycloakConfiguration` annotation and create your own custom meta annotation or just use specific Spring annotations the `@KeycloakConfiguration` annotation and create your own custom meta annotation or just use specific Spring annotations
for the KeyCloak adapter. for the {project_name} adapter.
====== XML Configuration ====== XML Configuration

View file

@ -46,7 +46,7 @@ This is a Tomcat specific config file and you must define a Keycloak specific Va
Next you must create a `keycloak.json` adapter config file within the `WEB-INF` directory of your WAR. Next you must create a `keycloak.json` adapter config file within the `WEB-INF` directory of your WAR.
The format of this config file is describe in the <<_java_adapter_config,Java adapter configuration>> The format of this config file is described in the <<_java_adapter_config,Java adapter configuration>>
Finally you must specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs. Finally you must specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs.
Here's an example: Here's an example:

View file

@ -5,7 +5,7 @@ Keycloak has a separate SAML adapter for Jetty 8.1.x that you will have to insta
You then have to provide some extra configuration in each WAR you deploy to Jetty. You then have to provide some extra configuration in each WAR you deploy to Jetty.
Let's go over these steps. Let's go over these steps.
Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on the Keycloak download site. Adapters are no longer included with the appliance or war distribution. Each adapter is a separate download on the Keycloak download site.
They are also available as a maven artifact. They are also available as a maven artifact.
You must unzip the Jetty 8.1.x distro into Jetty 8.1.x's root directory. You must unzip the Jetty 8.1.x distro into Jetty 8.1.x's root directory.

View file

@ -6,7 +6,7 @@ Keycloak has a separate SAML adapter for Jetty 9.x.
You then have to provide some extra configuration in each WAR you deploy to Jetty. You then have to provide some extra configuration in each WAR you deploy to Jetty.
Let's go over these steps. Let's go over these steps.
Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on the Keycloak download site. Adapters are no longer included with the appliance or war distribution. Each adapter is a separate download on the Keycloak download site.
They are also available as a maven artifact. They are also available as a maven artifact.
You must unzip the Jetty 9.x distro into Jetty 9.x's root directory. You must unzip the Jetty 9.x distro into Jetty 9.x's root directory.

View file

@ -22,7 +22,7 @@ This is a Jetty specific config file and you must define a Keycloak specific aut
---- ----
Next you must create a `keycloak-saml.xml` adapter config file within the `WEB-INF` directory of your WAR. Next you must create a `keycloak-saml.xml` adapter config file within the `WEB-INF` directory of your WAR.
The format of this config file is describe in the <<_saml-general-config,General Adapter Config>> section. The format of this config file is described in the <<_saml-general-config,General Adapter Config>> section.
Finally you must specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs. Finally you must specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs.
Here's an example: Here's an example:

View file

@ -14,7 +14,7 @@ This is a Tomcat specific config file and you must define a Keycloak specific Va
---- ----
Next you must create a `keycloak-saml.xml` adapter config file within the `WEB-INF` directory of your WAR. Next you must create a `keycloak-saml.xml` adapter config file within the `WEB-INF` directory of your WAR.
The format of this config file is describe in the <<_saml-general-config,General Adapter Config>> section. The format of this config file is described in the <<_saml-general-config,General Adapter Config>> section.
Finally you must specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs. Finally you must specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs.
Here's an example: Here's an example:

View file

@ -191,7 +191,7 @@ To configure the IdP to supply the user's groups as as a SAML attribute, complet
. From the Mapper Type drop-down list select *Group list*. . From the Mapper Type drop-down list select *Group list*.
. Set Name to "group list." . Set Name to "group list."
. Set the SAML attribute name to "groups." . Set the SAML attribute name to "groups."
. Click *Save.* . Click *Save*.
The remaining steps are performed on $sp_host. The remaining steps are performed on $sp_host.

View file

@ -99,7 +99,7 @@ an additional `account-link-url` claim if the user does not have a link to an id
for a client initiated link request. for a client initiated link request.
NOTE: Token exchange setup requires knowledge of fine grain admin permissions (See the link:{adminguide_link}[{adminguide_name}] for more information). You will need to grant clients NOTE: Token exchange setup requires knowledge of fine grain admin permissions (See the link:{adminguide_link}[{adminguide_name}] for more information). You will need to grant clients
permission to exchange. This is discusssed more later in this chapter. permission to exchange. This is discussed more later in this chapter.
The rest of this chapter discusses the setup requirements and provides examples for different exchange scenarios. The rest of this chapter discusses the setup requirements and provides examples for different exchange scenarios.
For simplicity's sake, let's call a token minted by the current realm as an _internal_ token and a token minted by For simplicity's sake, let's call a token minted by the current realm as an _internal_ token and a token minted by
@ -212,7 +212,7 @@ image:{project_images}/exchange-idp-permission-unset.png[]
Toggle the `Permissions Enabled` switch to true. Toggle the `Permissions Enabled` switch to true.
.Identity Provier Permission .Identity Provider Permission
image:{project_images}/exchange-idp-permission-set.png[] image:{project_images}/exchange-idp-permission-set.png[]
You should see a `token-exchange` link on the page. Click that to start defining the permission. It will bring you You should see a `token-exchange` link on the page. Click that to start defining the permission. It will bring you
@ -284,7 +284,7 @@ this JSON document:
The `error` claim will be either `token_expired` or `not_linked`. The `account-link-url` claim is provided The `error` claim will be either `token_expired` or `not_linked`. The `account-link-url` claim is provided
so that the client can perform link:{developerguide_link}[Client Initiated Account Linking]. Most (all?) so that the client can perform link:{developerguide_link}[Client Initiated Account Linking]. Most (all?)
providers requiring linking through browser OAuth protocol. With the `account-link-url` just add a `redirect_uri` providers are requiring linking through browser OAuth protocol. With the `account-link-url` just add a `redirect_uri`
query parameter to it and you can forward browsers to perform the link. query parameter to it and you can forward browsers to perform the link.
=== External Token to Internal Token Exchange === External Token to Internal Token Exchange
@ -407,7 +407,7 @@ WARNING: It is very risky to enable direct naked impersonation for a client. If
If the `audience` parameter is provided, then the calling client must have permission to exchange to the client. How If the `audience` parameter is provided, then the calling client must have permission to exchange to the client. How
to set this up is discussed earlier in this chapter. to set this up is discussed earlier in this chapter.
Additionaly, the calling client must be granted permission to impersonate users. In the admin console, go to the Additionally, the calling client must be granted permission to impersonate users. In the admin console, go to the
`Users` screen and click on the `Permissions` tab. `Users` screen and click on the `Permissions` tab.
.Users Permission .Users Permission
@ -415,7 +415,7 @@ image:{project_images}/exchange-users-permission-unset.png[]
Toggle the `Permissions Enabled` switch to true. Toggle the `Permissions Enabled` switch to true.
.Identity Provier Permission .Identity Provider Permission
image:{project_images}/exchange-users-permission-set.png[] image:{project_images}/exchange-users-permission-set.png[]
You should see a `impersonation` link on the page. Click that to start defining the permission. It will bring you You should see a `impersonation` link on the page. Click that to start defining the permission. It will bring you

View file

@ -10,7 +10,7 @@ domains or realms. An existing account can be linked with one or more identities
based on the identity information obtained from them. based on the identity information obtained from them.
An identity provider is usually based on a specific protocol that is used to authenticate and communicate authentication and authorization information to their users. An identity provider is usually based on a specific protocol that is used to authenticate and communicate authentication and authorization information to their users.
It can be a social provider such as Facebook, Google or Twitter. It can be a business partner whose users need to access your services. Or it an be a cloud-based identity It can be a social provider such as Facebook, Google or Twitter. It can be a business partner whose users need to access your services. Or it can be a cloud-based identity
service that you want to integrate with. service that you want to integrate with.
Usually, identity providers are based on the following protocols: Usually, identity providers are based on the following protocols: