Remove Jetty 9.4 adapters (#26261)
Only removing the distribution of the Jetty adapter for now, and leaving the rest in place. This is due to the complexity of removing all Jetty adapter code (Spring, OSGI, Fuse, testsuite, etc.); it will be better to leave the rest of the clean-up until after 24, when we are removing most adapters.
Closes #26255
Signed-off-by: stianst <stianst@gmail.com>
parent
ee5593a88f
commit
fea49765f0
21 changed files with 23 additions and 569 deletions
|
@ -1,56 +0,0 @@
|
||||||
<!--
|
|
||||||
~ Copyright 2016 Red Hat, Inc. and/or its affiliates
|
|
||||||
~ and other contributors as indicated by the @author tags.
|
|
||||||
~
|
|
||||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
~ you may not use this file except in compliance with the License.
|
|
||||||
~ You may obtain a copy of the License at
|
|
||||||
~
|
|
||||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
~
|
|
||||||
~ Unless required by applicable law or agreed to in writing, software
|
|
||||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
~ See the License for the specific language governing permissions and
|
|
||||||
~ limitations under the License.
|
|
||||||
-->
|
|
||||||
|
|
||||||
<assembly>
|
|
||||||
<id>war-dist</id>
|
|
||||||
|
|
||||||
<formats>
|
|
||||||
<format>zip</format>
|
|
||||||
<format>tar.gz</format>
|
|
||||||
</formats>
|
|
||||||
<includeBaseDirectory>false</includeBaseDirectory>
|
|
||||||
|
|
||||||
<fileSets>
|
|
||||||
<fileSet>
|
|
||||||
<directory></directory>
|
|
||||||
<includes>
|
|
||||||
<include>keycloak.mod</include>
|
|
||||||
</includes>
|
|
||||||
<outputDirectory>modules</outputDirectory>
|
|
||||||
</fileSet>
|
|
||||||
<fileSet>
|
|
||||||
<directory>${project.build.directory}/modules</directory>
|
|
||||||
<outputDirectory></outputDirectory>
|
|
||||||
</fileSet>
|
|
||||||
</fileSets>
|
|
||||||
<dependencySets>
|
|
||||||
<dependencySet>
|
|
||||||
<unpack>false</unpack>
|
|
||||||
<useTransitiveDependencies>true</useTransitiveDependencies>
|
|
||||||
<useTransitiveFiltering>true</useTransitiveFiltering>
|
|
||||||
<includes>
|
|
||||||
<include>org.keycloak:keycloak-jetty94-adapter</include>
|
|
||||||
</includes>
|
|
||||||
<excludes>
|
|
||||||
<exclude>org.eclipse.jetty:jetty-server</exclude>
|
|
||||||
<exclude>org.eclipse.jetty:jetty-util</exclude>
|
|
||||||
<exclude>org.eclipse.jetty:jetty-security</exclude>
|
|
||||||
</excludes>
|
|
||||||
<outputDirectory>lib/keycloak</outputDirectory>
|
|
||||||
</dependencySet>
|
|
||||||
</dependencySets>
|
|
||||||
</assembly>
|
|
|
@ -1,28 +0,0 @@
|
||||||
#
|
|
||||||
# Keycloak Jetty Adapter
|
|
||||||
#
|
|
||||||
|
|
||||||
[depend]
|
|
||||||
server
|
|
||||||
security
|
|
||||||
|
|
||||||
[lib]
|
|
||||||
<!--
|
|
||||||
~ Copyright 2016 Red Hat, Inc. and/or its affiliates
|
|
||||||
~ and other contributors as indicated by the @author tags.
|
|
||||||
~
|
|
||||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
~ you may not use this file except in compliance with the License.
|
|
||||||
~ You may obtain a copy of the License at
|
|
||||||
~
|
|
||||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
~
|
|
||||||
~ Unless required by applicable law or agreed to in writing, software
|
|
||||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
~ See the License for the specific language governing permissions and
|
|
||||||
~ limitations under the License.
|
|
||||||
-->
|
|
||||||
|
|
||||||
lib/keycloak/*.jar
|
|
||||||
|
|
|
@ -1,68 +0,0 @@
|
||||||
<!--
|
|
||||||
~ Copyright 2016 Red Hat, Inc. and/or its affiliates
|
|
||||||
~ and other contributors as indicated by the @author tags.
|
|
||||||
~
|
|
||||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
~ you may not use this file except in compliance with the License.
|
|
||||||
~ You may obtain a copy of the License at
|
|
||||||
~
|
|
||||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
~
|
|
||||||
~ Unless required by applicable law or agreed to in writing, software
|
|
||||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
~ See the License for the specific language governing permissions and
|
|
||||||
~ limitations under the License.
|
|
||||||
-->
|
|
||||||
|
|
||||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
||||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
|
|
||||||
<modelVersion>4.0.0</modelVersion>
|
|
||||||
<parent>
|
|
||||||
<artifactId>keycloak-parent</artifactId>
|
|
||||||
<groupId>org.keycloak</groupId>
|
|
||||||
<version>999.0.0-SNAPSHOT</version>
|
|
||||||
<relativePath>../../../pom.xml</relativePath>
|
|
||||||
</parent>
|
|
||||||
|
|
||||||
<artifactId>keycloak-jetty94-adapter-dist</artifactId>
|
|
||||||
<packaging>pom</packaging>
|
|
||||||
<name>Keycloak Jetty 9.4.x Adapter Distro</name>
|
|
||||||
<description/>
|
|
||||||
|
|
||||||
<dependencies>
|
|
||||||
<dependency>
|
|
||||||
<groupId>org.keycloak</groupId>
|
|
||||||
<artifactId>keycloak-jetty94-adapter</artifactId>
|
|
||||||
</dependency>
|
|
||||||
</dependencies>
|
|
||||||
<build>
|
|
||||||
<plugins>
|
|
||||||
<plugin>
|
|
||||||
<artifactId>maven-assembly-plugin</artifactId>
|
|
||||||
<executions>
|
|
||||||
<execution>
|
|
||||||
<id>assemble</id>
|
|
||||||
<phase>package</phase>
|
|
||||||
<goals>
|
|
||||||
<goal>single</goal>
|
|
||||||
</goals>
|
|
||||||
<configuration>
|
|
||||||
<descriptors>
|
|
||||||
<descriptor>assembly.xml</descriptor>
|
|
||||||
</descriptors>
|
|
||||||
<outputDirectory>
|
|
||||||
target
|
|
||||||
</outputDirectory>
|
|
||||||
<workDirectory>
|
|
||||||
target/assembly/work
|
|
||||||
</workDirectory>
|
|
||||||
<appendAssemblyId>false</appendAssemblyId>
|
|
||||||
</configuration>
|
|
||||||
</execution>
|
|
||||||
</executions>
|
|
||||||
</plugin>
|
|
||||||
</plugins>
|
|
||||||
</build>
|
|
||||||
|
|
||||||
</project>
|
|
|
@ -33,6 +33,5 @@
|
||||||
<modules>
|
<modules>
|
||||||
<module>wildfly-adapter</module>
|
<module>wildfly-adapter</module>
|
||||||
<module>tomcat-adapter-zip</module>
|
<module>tomcat-adapter-zip</module>
|
||||||
<module>jetty94-adapter-zip</module>
|
|
||||||
</modules>
|
</modules>
|
||||||
</project>
|
</project>
|
||||||
|
|
|
@ -1,10 +1,8 @@
|
||||||
mvn:keycloak-quarkus-dist:keycloak
|
mvn:keycloak-quarkus-dist:keycloak
|
||||||
mvn:keycloak-api-docs-dist:keycloak-api-docs
|
mvn:keycloak-api-docs-dist:keycloak-api-docs
|
||||||
|
|
||||||
mvn:keycloak-jetty94-adapter-dist:keycloak-oidc-jetty94-adapter
|
|
||||||
mvn:keycloak-tomcat-adapter-dist:keycloak-oidc-tomcat-adapter
|
mvn:keycloak-tomcat-adapter-dist:keycloak-oidc-tomcat-adapter
|
||||||
|
|
||||||
mvn:keycloak-saml-jetty94-adapter-dist:keycloak-saml-jetty94-adapter
|
|
||||||
mvn:keycloak-saml-tomcat-adapter-dist:keycloak-saml-tomcat-adapter
|
mvn:keycloak-saml-tomcat-adapter-dist:keycloak-saml-tomcat-adapter
|
||||||
|
|
||||||
mvn:documentation/keycloak-documentation:keycloak-documentation
|
mvn:documentation/keycloak-documentation:keycloak-documentation
|
||||||
|
|
|
@ -1,56 +0,0 @@
|
||||||
<!--
|
|
||||||
~ Copyright 2016 Red Hat, Inc. and/or its affiliates
|
|
||||||
~ and other contributors as indicated by the @author tags.
|
|
||||||
~
|
|
||||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
~ you may not use this file except in compliance with the License.
|
|
||||||
~ You may obtain a copy of the License at
|
|
||||||
~
|
|
||||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
~
|
|
||||||
~ Unless required by applicable law or agreed to in writing, software
|
|
||||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
~ See the License for the specific language governing permissions and
|
|
||||||
~ limitations under the License.
|
|
||||||
-->
|
|
||||||
|
|
||||||
<assembly>
|
|
||||||
<id>war-dist</id>
|
|
||||||
|
|
||||||
<formats>
|
|
||||||
<format>zip</format>
|
|
||||||
<format>tar.gz</format>
|
|
||||||
</formats>
|
|
||||||
<includeBaseDirectory>false</includeBaseDirectory>
|
|
||||||
|
|
||||||
<fileSets>
|
|
||||||
<fileSet>
|
|
||||||
<directory></directory>
|
|
||||||
<includes>
|
|
||||||
<include>keycloak.mod</include>
|
|
||||||
</includes>
|
|
||||||
<outputDirectory>modules</outputDirectory>
|
|
||||||
</fileSet>
|
|
||||||
<fileSet>
|
|
||||||
<directory>${project.build.directory}/modules</directory>
|
|
||||||
<outputDirectory></outputDirectory>
|
|
||||||
</fileSet>
|
|
||||||
</fileSets>
|
|
||||||
<dependencySets>
|
|
||||||
<dependencySet>
|
|
||||||
<unpack>false</unpack>
|
|
||||||
<useTransitiveDependencies>true</useTransitiveDependencies>
|
|
||||||
<useTransitiveFiltering>true</useTransitiveFiltering>
|
|
||||||
<includes>
|
|
||||||
<include>org.keycloak:keycloak-saml-jetty94-adapter</include>
|
|
||||||
</includes>
|
|
||||||
<excludes>
|
|
||||||
<exclude>org.eclipse.jetty:jetty-server</exclude>
|
|
||||||
<exclude>org.eclipse.jetty:jetty-util</exclude>
|
|
||||||
<exclude>org.eclipse.jetty:jetty-security</exclude>
|
|
||||||
</excludes>
|
|
||||||
<outputDirectory>lib/keycloak</outputDirectory>
|
|
||||||
</dependencySet>
|
|
||||||
</dependencySets>
|
|
||||||
</assembly>
|
|
|
@ -1,28 +0,0 @@
|
||||||
#
|
|
||||||
# Keycloak Jetty Adapter
|
|
||||||
#
|
|
||||||
|
|
||||||
[depend]
|
|
||||||
server
|
|
||||||
security
|
|
||||||
|
|
||||||
[lib]
|
|
||||||
<!--
|
|
||||||
~ Copyright 2016 Red Hat, Inc. and/or its affiliates
|
|
||||||
~ and other contributors as indicated by the @author tags.
|
|
||||||
~
|
|
||||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
~ you may not use this file except in compliance with the License.
|
|
||||||
~ You may obtain a copy of the License at
|
|
||||||
~
|
|
||||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
~
|
|
||||||
~ Unless required by applicable law or agreed to in writing, software
|
|
||||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
~ See the License for the specific language governing permissions and
|
|
||||||
~ limitations under the License.
|
|
||||||
-->
|
|
||||||
|
|
||||||
lib/keycloak/*.jar
|
|
||||||
|
|
|
@ -1,68 +0,0 @@
|
||||||
<!--
|
|
||||||
~ Copyright 2016 Red Hat, Inc. and/or its affiliates
|
|
||||||
~ and other contributors as indicated by the @author tags.
|
|
||||||
~
|
|
||||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
~ you may not use this file except in compliance with the License.
|
|
||||||
~ You may obtain a copy of the License at
|
|
||||||
~
|
|
||||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
~
|
|
||||||
~ Unless required by applicable law or agreed to in writing, software
|
|
||||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
~ See the License for the specific language governing permissions and
|
|
||||||
~ limitations under the License.
|
|
||||||
-->
|
|
||||||
|
|
||||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
||||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
|
|
||||||
<modelVersion>4.0.0</modelVersion>
|
|
||||||
<parent>
|
|
||||||
<artifactId>keycloak-parent</artifactId>
|
|
||||||
<groupId>org.keycloak</groupId>
|
|
||||||
<version>999.0.0-SNAPSHOT</version>
|
|
||||||
<relativePath>../../../pom.xml</relativePath>
|
|
||||||
</parent>
|
|
||||||
|
|
||||||
<artifactId>keycloak-saml-jetty94-adapter-dist</artifactId>
|
|
||||||
<packaging>pom</packaging>
|
|
||||||
<name>Keycloak SAML Jetty 9.4.x Adapter Distro</name>
|
|
||||||
<description/>
|
|
||||||
|
|
||||||
<dependencies>
|
|
||||||
<dependency>
|
|
||||||
<groupId>org.keycloak</groupId>
|
|
||||||
<artifactId>keycloak-saml-jetty94-adapter</artifactId>
|
|
||||||
</dependency>
|
|
||||||
</dependencies>
|
|
||||||
<build>
|
|
||||||
<plugins>
|
|
||||||
<plugin>
|
|
||||||
<artifactId>maven-assembly-plugin</artifactId>
|
|
||||||
<executions>
|
|
||||||
<execution>
|
|
||||||
<id>assemble</id>
|
|
||||||
<phase>package</phase>
|
|
||||||
<goals>
|
|
||||||
<goal>single</goal>
|
|
||||||
</goals>
|
|
||||||
<configuration>
|
|
||||||
<descriptors>
|
|
||||||
<descriptor>assembly.xml</descriptor>
|
|
||||||
</descriptors>
|
|
||||||
<outputDirectory>
|
|
||||||
target
|
|
||||||
</outputDirectory>
|
|
||||||
<workDirectory>
|
|
||||||
target/assembly/work
|
|
||||||
</workDirectory>
|
|
||||||
<appendAssemblyId>false</appendAssemblyId>
|
|
||||||
</configuration>
|
|
||||||
</execution>
|
|
||||||
</executions>
|
|
||||||
</plugin>
|
|
||||||
</plugins>
|
|
||||||
</build>
|
|
||||||
|
|
||||||
</project>
|
|
|
@ -32,7 +32,6 @@
|
||||||
|
|
||||||
<modules>
|
<modules>
|
||||||
<module>wildfly-adapter</module>
|
<module>wildfly-adapter</module>
|
||||||
<module>jetty94-adapter-zip</module>
|
|
||||||
<module>tomcat-adapter-zip</module>
|
<module>tomcat-adapter-zip</module>
|
||||||
</modules>
|
</modules>
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,24 @@
|
||||||
|
= Java adapter deprecation and removal
|
||||||
|
|
||||||
|
Back in 2022 we announced the https://www.keycloak.org/2022/02/adapter-deprecation.html[deprecation of Keycloak adapters in Keycloak 19].
|
||||||
|
To give the community more time to adopt this https://www.keycloak.org/2023/03/adapter-deprecation-update.html[was delayed].
|
||||||
|
|
||||||
|
With that in mind this will be the last major release of Keycloak to include OpenID Connect and SAML adapters.
|
||||||
|
As Jetty 9.x has not been supported since 2022 the Jetty adapter has been removed already in this release.
|
||||||
|
|
||||||
|
The generic Authorization Client library will continue to be supported, and aims to be used in combination with any
|
||||||
|
other OAuth 2.0 or OpenID Connect libraries.
|
||||||
|
|
||||||
|
The only adapter we will continue to deliver is the SAML adapter for latest releases of WildFly and EAP 8.x. Reasoning
|
||||||
|
for continuing to support this is down to the fact that the majority of the SAML codebase in Keycloak was a contribution
|
||||||
|
from WildFly. As part of this contribution we agreed to maintain SAML adapters for WildFly and EAP in the long run.
|
||||||
|
|
||||||
|
== Jetty adapter removed
|
||||||
|
|
||||||
|
Jetty 9.4 has not been supported in the community for a long time, and reached end-of-life in 2022. At the same time the
|
||||||
|
adapter has not been updated or tested with more recent versions of Jetty. For these reasons the Jetty adapter has been
|
||||||
|
removed from this release.
|
||||||
|
|
||||||
= New Welcome Page
|
= New Welcome Page
|
||||||
|
|
||||||
The 'welcome' page that is shown when a user starts Keycloak for the first time, has been redesigned to provide a better setup experience and has been upgraded to the latest version of https://www.patternfly.org/[PatternFly]. The page layout has been simplified and now includes only a form to register the administrative user. After completing the registration, the user is redirected directly to the Administration Console.
|
The 'welcome' page that is shown when a user starts Keycloak for the first time, has been redesigned to provide a better setup experience and has been upgraded to the latest version of https://www.patternfly.org/[PatternFly]. The page layout has been simplified and now includes only a form to register the administrative user. After completing the registration, the user is redirected directly to the Administration Console.
|
||||||
|
|
|
@ -21,7 +21,6 @@ include::spring-boot-adapter.adoc[]
|
||||||
|
|
||||||
ifeval::[{project_community}==true]
|
ifeval::[{project_community}==true]
|
||||||
include::tomcat-adapter.adoc[]
|
include::tomcat-adapter.adoc[]
|
||||||
include::jetty9-adapter.adoc[]
|
|
||||||
include::spring-security-adapter.adoc[]
|
include::spring-security-adapter.adoc[]
|
||||||
endif::[]
|
endif::[]
|
||||||
|
|
||||||
|
|
|
@ -1,141 +0,0 @@
|
||||||
|
|
||||||
[[_jetty9_adapter]]
|
|
||||||
==== Jetty 9.4 adapter
|
|
||||||
|
|
||||||
include::adapter-deprecation-notice.adoc[]
|
|
||||||
|
|
||||||
{project_name} has a separate adapter for Jetty 9.4 that you will have to install into your Jetty installation.
|
|
||||||
You then have to provide some extra configuration in each WAR you deploy to Jetty.
|
|
||||||
|
|
||||||
[[_jetty9_adapter_installation]]
|
|
||||||
===== Installing the adapter
|
|
||||||
|
|
||||||
Adapters are no longer included with the appliance or war distribution. Each adapter is a separate download on the {project_name} downloads site. They are also available as a maven artifact.
|
|
||||||
|
|
||||||
.Procedure
|
|
||||||
. Download the {project_name} Jetty 9.4 adapter ZIP archive from the link:https://www.keycloak.org/downloads[Keycloak Downloads] site.
|
|
||||||
|
|
||||||
. Unzip the Jetty 9.4 distro into Jetty 9.4's link:https://eclipse.dev/jetty/documentation/jetty-9/index.html[base directory]. In the example below, the Jetty base is named `your-base`:
|
|
||||||
+
|
|
||||||
[source, subs="attributes"]
|
|
||||||
----
|
|
||||||
$ cd your-base
|
|
||||||
$ unzip keycloak-jetty94-adapter-dist-{project_version}.Final.zip
|
|
||||||
----
|
|
||||||
|
|
||||||
. Enable the `keycloak` module for your Jetty base:
|
|
||||||
+
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
$ java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak
|
|
||||||
----
|
|
||||||
+
|
|
||||||
====
|
|
||||||
[NOTE]
|
|
||||||
Including the adapter's jars within your WEB-INF/lib directory will not work.
|
|
||||||
====
|
|
||||||
|
|
||||||
[[_jetty9_per_war]]
|
|
||||||
===== Jetty 9 Securing a WAR
|
|
||||||
|
|
||||||
Use this procedure to secure a WAR directly by adding config and editing files within your WAR package.
|
|
||||||
|
|
||||||
.Procedure
|
|
||||||
|
|
||||||
. Create a `WEB-INF/jetty-web.xml` file in your WAR package. This is a Jetty specific config fil. You define a {project_name} specific authenticator within it.
|
|
||||||
+
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
<?xml version="1.0"?>
|
|
||||||
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
|
|
||||||
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
|
|
||||||
<Get name="securityHandler">
|
|
||||||
<Set name="authenticator">
|
|
||||||
<New class="org.keycloak.adapters.jetty.KeycloakJettyAuthenticator">
|
|
||||||
</New>
|
|
||||||
</Set>
|
|
||||||
</Get>
|
|
||||||
</Configure>
|
|
||||||
----
|
|
||||||
|
|
||||||
. Create a `keycloak.json` adapter config file within the `WEB-INF` directory of your WAR.
|
|
||||||
+
|
|
||||||
The format of this config file is described in the <<_java_adapter_config,Java adapter configuration>> section.
|
|
||||||
+
|
|
||||||
WARNING: The Jetty 9.4 adapter will not be able to find the `keycloak.json` file.
|
|
||||||
You will have to define all adapter settings within the `jetty-web.xml` file as described below.
|
|
||||||
Instead of using keycloak.json, you can define everything within the `jetty-web.xml`.
|
|
||||||
You'll just have to figure out how the json settings match to the `org.keycloak.representations.adapters.config.AdapterConfig` class.
|
|
||||||
+
|
|
||||||
[source,subs="attributes+"]
|
|
||||||
----
|
|
||||||
<?xml version="1.0"?>
|
|
||||||
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
|
|
||||||
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
|
|
||||||
<Get name="securityHandler">
|
|
||||||
<Set name="authenticator">
|
|
||||||
<New class="org.keycloak.adapters.jetty.KeycloakJettyAuthenticator">
|
|
||||||
<Set name="adapterConfig">
|
|
||||||
<New class="org.keycloak.representations.adapters.config.AdapterConfig">
|
|
||||||
<Set name="realm">tomcat</Set>
|
|
||||||
<Set name="resource">customer-portal</Set>
|
|
||||||
<Set name="authServerUrl">http://localhost:8081{kc_base_path}</Set>
|
|
||||||
<Set name="sslRequired">external</Set>
|
|
||||||
<Set name="credentials">
|
|
||||||
<Map>
|
|
||||||
<Entry>
|
|
||||||
<Item>secret</Item>
|
|
||||||
<Item>password</Item>
|
|
||||||
</Entry>
|
|
||||||
</Map>
|
|
||||||
</Set>
|
|
||||||
</New>
|
|
||||||
</Set>
|
|
||||||
</New>
|
|
||||||
</Set>
|
|
||||||
</Get>
|
|
||||||
</Configure>
|
|
||||||
----
|
|
||||||
|
|
||||||
|
|
||||||
. Create the jetty-web.xml file in your webapps directory with the name of yourwar.xml.
|
|
||||||
Jetty should pick it up. You do not need to open your WAR to secure it with {project_name}.
|
|
||||||
In this mode, you declare keycloak.json configuration directly within the xml file.
|
|
||||||
|
|
||||||
. Specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs. Here's an example:
|
|
||||||
+
|
|
||||||
[source,xml]
|
|
||||||
----
|
|
||||||
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
|
|
||||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
||||||
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
|
|
||||||
version="3.0">
|
|
||||||
|
|
||||||
<module-name>customer-portal</module-name>
|
|
||||||
|
|
||||||
<security-constraint>
|
|
||||||
<web-resource-collection>
|
|
||||||
<web-resource-name>Customers</web-resource-name>
|
|
||||||
<url-pattern>/*</url-pattern>
|
|
||||||
</web-resource-collection>
|
|
||||||
<auth-constraint>
|
|
||||||
<role-name>user</role-name>
|
|
||||||
</auth-constraint>
|
|
||||||
<user-data-constraint>
|
|
||||||
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
|
|
||||||
</user-data-constraint>
|
|
||||||
</security-constraint>
|
|
||||||
|
|
||||||
<login-config>
|
|
||||||
<auth-method>BASIC</auth-method>
|
|
||||||
<realm-name>this is ignored currently</realm-name>
|
|
||||||
</login-config>
|
|
||||||
|
|
||||||
<security-role>
|
|
||||||
<role-name>admin</role-name>
|
|
||||||
</security-role>
|
|
||||||
<security-role>
|
|
||||||
<role-name>user</role-name>
|
|
||||||
</security-role>
|
|
||||||
</web-app>
|
|
||||||
----
|
|
|
@ -55,7 +55,6 @@ Currently the following embedded containers are supported and do not require any
|
||||||
|
|
||||||
* Tomcat
|
* Tomcat
|
||||||
* Undertow
|
* Undertow
|
||||||
* Jetty
|
|
||||||
|
|
||||||
[[_spring_boot_adapter_configuration]]
|
[[_spring_boot_adapter_configuration]]
|
||||||
===== Configuring the Spring Boot Adapter
|
===== Configuring the Spring Boot Adapter
|
||||||
|
|
|
@ -15,7 +15,6 @@ ifeval::[{project_community}==true]
|
||||||
* {quickstartRepo_link}/tree/latest/spring/rest-authz-resource-server[Spring Boot]
|
* {quickstartRepo_link}/tree/latest/spring/rest-authz-resource-server[Spring Boot]
|
||||||
* <<_jboss_adapter, {project_name} Wildfly Adapter>> (Deprecated)
|
* <<_jboss_adapter, {project_name} Wildfly Adapter>> (Deprecated)
|
||||||
* <<_tomcat_adapter,{project_name} Tomcat Adapter>> (Deprecated)
|
* <<_tomcat_adapter,{project_name} Tomcat Adapter>> (Deprecated)
|
||||||
* <<_jetty9_adapter,{project_name} Jetty 9>> (Deprecated)
|
|
||||||
* <<_servlet_filter_adapter,{project_name} Servlet Filter>> (Deprecated)
|
* <<_servlet_filter_adapter,{project_name} Servlet Filter>> (Deprecated)
|
||||||
* <<_spring_boot_adapter,{project_name} Spring Boot>> (Deprecated)
|
* <<_spring_boot_adapter,{project_name} Spring Boot>> (Deprecated)
|
||||||
* <<_spring_security_adapter,{project_name} Spring Security>> (Deprecated)
|
* <<_spring_security_adapter,{project_name} Spring Security>> (Deprecated)
|
||||||
|
@ -55,9 +54,6 @@ ifeval::[{project_community}==true]
|
||||||
* <<_saml-tomcat-adapter,Tomcat>>
|
* <<_saml-tomcat-adapter,Tomcat>>
|
||||||
endif::[]
|
endif::[]
|
||||||
* <<_java-servlet-filter-adapter,Servlet filter>>
|
* <<_java-servlet-filter-adapter,Servlet filter>>
|
||||||
ifeval::[{project_community}==true]
|
|
||||||
* <<_jetty_saml_adapter,Jetty>>
|
|
||||||
endif::[]
|
|
||||||
|
|
||||||
===== Apache HTTP Server
|
===== Apache HTTP Server
|
||||||
|
|
||||||
|
|
|
@ -27,9 +27,6 @@ include::tomcat-adapter.adoc[]
|
||||||
include::tomcat-adapter/tomcat_adapter_installation.adoc[]
|
include::tomcat-adapter/tomcat_adapter_installation.adoc[]
|
||||||
include::tomcat-adapter/tomcat_adapter_per_war_config.adoc[]
|
include::tomcat-adapter/tomcat_adapter_per_war_config.adoc[]
|
||||||
include::tomcat-adapter/tomcat-adapter-samesite-setting.adoc[]
|
include::tomcat-adapter/tomcat-adapter-samesite-setting.adoc[]
|
||||||
include::jetty-adapter.adoc[]
|
|
||||||
include::jetty-adapter/jetty9_installation.adoc[]
|
|
||||||
include::jetty-adapter/jetty9_per_war_config.adoc[]
|
|
||||||
endif::[]
|
endif::[]
|
||||||
|
|
||||||
include::servlet-filter-adapter.adoc[]
|
include::servlet-filter-adapter.adoc[]
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
[[_jetty_saml_adapter]]
|
|
||||||
|
|
||||||
==== Jetty SAML adapters
|
|
||||||
|
|
||||||
WARNING: The {project_name} Jetty SAML adapter is deprecated. We recommend that you use another client adapter if possible.
|
|
||||||
|
|
||||||
To be able to secure WAR apps deployed on Jetty you must install the {project_name} Jetty 9.4 SAML adapter into your Jetty installation. You then provide some extra configuration in each WAR you deploy to Jetty.
|
|
||||||
|
|
||||||
Use the following installation and configuration procedures.
|
|
|
@ -1,30 +0,0 @@
|
||||||
[[_jetty9_saml_adapter_installation]]
|
|
||||||
|
|
||||||
===== Jetty 9 Installing the adapter
|
|
||||||
|
|
||||||
{project_name} has a separate SAML adapter for Jetty 9.4. Adapters are no longer included with the appliance or war distribution. Each adapter is a separate download on the Keycloak download site.
|
|
||||||
They are also available as a maven artifact.
|
|
||||||
|
|
||||||
.Procedure
|
|
||||||
. Download the {project_name} Jetty 9.4 adapter ZIP archive from the link:https://www.keycloak.org/downloads[Keycloak Downloads] site.
|
|
||||||
|
|
||||||
. Unzip the Jetty 9.4 distro into Jetty 9.4's root directory.
|
|
||||||
+
|
|
||||||
====
|
|
||||||
[NOTE]
|
|
||||||
Including adapter's jars within your WEB-INF/lib directory will not work.
|
|
||||||
====
|
|
||||||
+
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
$ cd $JETTY_HOME
|
|
||||||
$ unzip keycloak-saml-jetty94-adapter-dist.zip
|
|
||||||
----
|
|
||||||
|
|
||||||
. Enable the keycloak module for your jetty.base.
|
|
||||||
+
|
|
||||||
[source]
|
|
||||||
----
|
|
||||||
$ cd your-base
|
|
||||||
$ java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak
|
|
||||||
----
|
|
|
@ -1,64 +0,0 @@
|
||||||
|
|
||||||
[[_saml-jetty9-per-war]]
|
|
||||||
===== Jetty 9 WAR Configuration
|
|
||||||
|
|
||||||
Use this procedure to secure a WAR directly.
|
|
||||||
|
|
||||||
.Procedure
|
|
||||||
. Create a `WEB-INF/jetty-web.xml` file in your WAR package.
|
|
||||||
This is a Jetty specific config file and you must define a Keycloak specific authenticator within it.
|
|
||||||
+
|
|
||||||
[source,xml]
|
|
||||||
----
|
|
||||||
<?xml version="1.0"?>
|
|
||||||
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
|
|
||||||
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
|
|
||||||
<Get name="securityHandler">
|
|
||||||
<Set name="authenticator">
|
|
||||||
<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
|
|
||||||
</New>
|
|
||||||
</Set>
|
|
||||||
</Get>
|
|
||||||
</Configure>
|
|
||||||
----
|
|
||||||
|
|
||||||
. Create a `keycloak-saml.xml` adapter config file within the `WEB-INF` directory of your WAR.
|
|
||||||
The format of this config file is described in the <<_saml-general-config,General Adapter Config>> section.
|
|
||||||
|
|
||||||
. Specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs. Here's an example:
|
|
||||||
+
|
|
||||||
[source,xml]
|
|
||||||
----
|
|
||||||
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
|
|
||||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
||||||
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
|
|
||||||
version="3.0">
|
|
||||||
|
|
||||||
<module-name>customer-portal</module-name>
|
|
||||||
|
|
||||||
<security-constraint>
|
|
||||||
<web-resource-collection>
|
|
||||||
<web-resource-name>Customers</web-resource-name>
|
|
||||||
<url-pattern>/*</url-pattern>
|
|
||||||
</web-resource-collection>
|
|
||||||
<auth-constraint>
|
|
||||||
<role-name>user</role-name>
|
|
||||||
</auth-constraint>
|
|
||||||
<user-data-constraint>
|
|
||||||
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
|
|
||||||
</user-data-constraint>
|
|
||||||
</security-constraint>
|
|
||||||
|
|
||||||
<login-config>
|
|
||||||
<auth-method>BASIC</auth-method>
|
|
||||||
<realm-name>this is ignored currently</realm-name>
|
|
||||||
</login-config>
|
|
||||||
|
|
||||||
<security-role>
|
|
||||||
<role-name>admin</role-name>
|
|
||||||
</security-role>
|
|
||||||
<security-role>
|
|
||||||
<role-name>user</role-name>
|
|
||||||
</security-role>
|
|
||||||
</web-app>
|
|
||||||
----
|
|
|
@ -23,7 +23,7 @@
|
||||||
ifeval::[{project_community}==true]
|
ifeval::[{project_community}==true]
|
||||||
* Service Provider Interfaces (SPI) - A number of SPIs to enable customizing various aspects of the server. Authentication flows, user federation providers,
|
* Service Provider Interfaces (SPI) - A number of SPIs to enable customizing various aspects of the server. Authentication flows, user federation providers,
|
||||||
protocol mappers and many more.
|
protocol mappers and many more.
|
||||||
* Client adapters for JavaScript applications, WildFly, JBoss EAP, Tomcat, Jetty, Spring, etc.
|
* Client adapters for JavaScript applications, WildFly, JBoss EAP, Tomcat, Spring, etc.
|
||||||
endif::[]
|
endif::[]
|
||||||
ifeval::[{project_product}==true]
|
ifeval::[{project_product}==true]
|
||||||
* Client adapters for JavaScript applications, JBoss EAP, etc.
|
* Client adapters for JavaScript applications, JBoss EAP, etc.
|
||||||
|
|
|
@ -910,7 +910,7 @@ Same goes with mongo and Infinispan under modules keycloak-model-mongo and keycl
|
||||||
|
|
||||||
==== For adapters, session id changed after login
|
==== For adapters, session id changed after login
|
||||||
|
|
||||||
To plug a security attack vector, for platforms that support it (Tomcat 8, Undertow/WildFly, Jetty 9), the Keycloak OIDC and SAML adapters will change the session id after login.
|
To plug a security attack vector, for platforms that support it (Tomcat 8, Undertow/WildFly), the Keycloak OIDC and SAML adapters will change the session id after login.
|
||||||
You can turn off this behavior check adapter config switches.
|
You can turn off this behavior check adapter config switches.
|
||||||
|
|
||||||
==== SAML SP Client adapter changes
|
==== SAML SP Client adapter changes
|
||||||
|
|
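--- a/pom.xml
+++ b/pom.xml
@@ -1461,12 +1461,6 @@
 <version>${project.version}</version>
 <type>zip</type>
 </dependency>
-<dependency>
-<groupId>org.keycloak</groupId>
-<artifactId>keycloak-jetty94-adapter-dist</artifactId>
-<version>${project.version}</version>
-<type>zip</type>
-</dependency>
 <dependency>
 <groupId>org.keycloak</groupId>
 <artifactId>keycloak-as7-adapter-dist</artifactId>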