tomcat7 docbook

docbook/reference/en/en-US/master.xml

@@ -11,6 +11,7 @@
                 <!ENTITY AdapterConfig SYSTEM "modules/adapter-config.xml">
                 <!ENTITY JBossAdapter SYSTEM "modules/jboss-adapter.xml">
                 <!ENTITY JavascriptAdapter SYSTEM "modules/javascript-adapter.xml">
+                <!ENTITY TomcatAdapter SYSTEM "modules/tomcat-adapter.xml">
                 <!ENTITY InstalledApplications SYSTEM "modules/installed-applications.xml">
                 <!ENTITY Logout SYSTEM "modules/logout.xml">
                 <!ENTITY SAML SYSTEM "modules/saml.xml">
@@ -83,6 +84,7 @@ This one is short
         </para>
         &AdapterConfig;
         &JBossAdapter;
+        &TomcatAdapter;
         &JavascriptAdapter;
         &InstalledApplications;
         &Logout;

docbook/reference/en/en-US/modules/Overview.xml

@@ -98,7 +98,7 @@
                 Multitenancy support.  You can host and manage multiple realms for multiple organizations.
             </listitem>
             <listitem>
-                Supports JBoss AS7, EAP 6.x, Wildfly and Pure JavaScript applications.  Plans to support Node.js, RAILS, GRAILS, and other non-Java deployments
+                Supports JBoss AS7, EAP 6.x, Wildfly, Tomcat 7 and Pure JavaScript applications.  Plans to support Node.js, RAILS, GRAILS, and other non-Java deployments
             </listitem>
         </itemizedlist>
     </para>

docbook/reference/en/en-US/modules/jboss-adapter.xml

@@ -10,7 +10,7 @@
     <section id="jboss-adapter-installation">
         <title>Adapter Installation</title>
     <para>
-        This is a adapter zip file for AS7, EAP, and Wildfly in the <literal>adapters/</literal> directory in the Keycloak
+        There is a adapter zip file for AS7, EAP, and Wildfly in the <literal>adapters/</literal> directory in the Keycloak
         distribution.
     </para>
     <para>
@@ -135,7 +135,7 @@ public class CustomerService {
 
     </section>
     <section>
-        <title>Per WAR Configuration</title>
+        <title>Required Per WAR Configuration</title>
         <para>
             This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
         </para>

docbook/reference/en/en-US/modules/tomcat-adapter.xml

@@ -0,0 +1,94 @@
+<section id="tomcat-adapter">
+    <title>Tomcat 7 Adapter</title>
+    <para>
+        To be able to secure WAR apps deployed on Tomcat 7 you must install the Keycloak Tomcat 7 adapter
+        into your Tomcat installation.  You then have to provide some extra configuration in each WAR you deploy to
+        Tomcat.  Let's go over these steps.
+    </para>
+    <section id="tomcat-adapter-installation">
+        <title>Adapter Installation</title>
+    <para>
+        There is a adapter zip file for Tomcat 7 in the <literal>adapters/</literal> directory in the Keycloak appliance
+        or war distribution.  You must unzip this file into Tomcat's <literal>lib/</literal> directory.  Including
+        adapter's jars within your WEB-INF/lib directory will not work!  The Keycloak adapter is implemented as a Valve
+        and valve code must reside in Tomcat's main lib/ directory.
+    </para>
+    <para>
+<programlisting>
+$ cd $TOMCAT_HOME/lib
+$ unzip keycloak-tomcat7-adapter-dist.zip
+</programlisting>
+    </para>
+    </section>
+
+    <section>
+        <title>Required Per WAR Configuration</title>
+        <para>
+            This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
+        </para>
+        <para>
+            The first thing you must do is create a <literal>META-INF/context.xml</literal> file in your WAR package.  This is
+            a Tomcat specific config file and you must define a Keycloak specific Valve.
+        </para>
+        <programlisting>
+<![CDATA[
+<Context path="/your-context-path">
+    <Valve className="org.keycloak.adapters.tomcat7.KeycloakAuthenticatorValve"/>
+</Context>]]>
+        </programlisting>
+        <para>
+            Next you must create
+            a <literal>keycloak.json</literal> adapter config file within the <literal>WEB-INF</literal> directory
+            of your WAR.  The format of this config file is describe in the <link linkend='adapter-config'>general adapter configuration</link>
+            section.
+        </para>
+        <para>
+            Finally you must specify both a <literal>login-config</literal> and use standard servlet security to specify
+            role-base constraints on your URLs.  Here's an example:
+        </para>
+        <para>
+<programlisting>
+<![CDATA[
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>customer-portal</module-name>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Customers</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>user</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <security-constraint>
+        <web-resource-collection>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <user-data-constraint>
+            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>this is ignored currently/realm-name>
+    </login-config>
+
+    <security-role>
+        <role-name>admin</role-name>
+    </security-role>
+    <security-role>
+        <role-name>user</role-name>
+    </security-role>
+</web-app>
+]]>
+</programlisting>
+        </para>
+    </section>
+</section>