[[_tomcat_adapter]] === Tomcat 6, 7 and 8 Adapters To be able to secure WAR apps deployed on Tomcat 6, 7 and 8 you must install the Keycloak Tomcat 6, 7 or 8 adapter into your Tomcat installation. You then have to provide some extra configuration in each WAR you deploy to Tomcat. Let's go over these steps. [[_tomcat_adapter_installation]] ==== Adapter Installation Adapters are no longer included with the appliance or war distribution. Each adapter is a separate download on the Keycloak download site. They are also available as a maven artifact. You must unzip the adapter distro into Tomcat's `lib/` directory. Including adapter's jars within your WEB-INF/lib directory will not work! The Keycloak adapter is implemented as a Valve and valve code must reside in Tomcat's main lib/ directory. [source] ---- $ cd $TOMCAT_HOME/lib $ unzip keycloak-tomcat6-adapter-dist.zip or $ unzip keycloak-tomcat7-adapter-dist.zip or $ unzip keycloak-tomcat8-adapter-dist.zip ---- ==== Required Per WAR Configuration This section describes how to secure a WAR directly by adding config and editing files within your WAR package. The first thing you must do is create a `META-INF/context.xml` file in your WAR package. This is a Tomcat specific config file and you must define a Keycloak specific Valve. [source] ---- ---- Next you must create a `keycloak.json` adapter config file within the `WEB-INF` directory of your WAR. The format of this config file is describe in the <<_java_adapter_config,general adapter configuration>> section. Finally you must specify both a `login-config` and use standard servlet security to specify role-base constraints on your URLs. Here's an example: [source] ---- customer-portal Customers /* user BASIC this is ignored currently admin user ----