Tomcat 6, 7 and 8 Adapters
To secure WAR applications deployed on Tomcat 6, 7 or 8, you must install the matching Keycloak Tomcat 6, 7 or 8 adapter
into your Tomcat installation. You then have to provide some extra configuration in each WAR you deploy to
Tomcat. Let's go over these steps.
Adapter Installation
Adapters are no longer included with the appliance or WAR distribution. Each adapter is a separate download on
the Keycloak download site. They are also available as a Maven artifact.
You must unzip the adapter distro into Tomcat's lib/ directory. Including the
adapter's jars within your WEB-INF/lib directory will not work! The Keycloak adapter is implemented as a Valve,
and valve code must reside in Tomcat's main lib/ directory.
$ cd $TOMCAT_HOME/lib
$ unzip keycloak-tomcat6-adapter-dist.zip
or
$ unzip keycloak-tomcat7-adapter-dist.zip
or
$ unzip keycloak-tomcat8-adapter-dist.zip
Required Per WAR Configuration
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
The first thing you must do is create a META-INF/context.xml file in your WAR package. This is
a Tomcat-specific config file in which you must define a Keycloak-specific Valve.
Next you must create a keycloak.json adapter config file within the WEB-INF directory
of your WAR. The format of this config file is described in the general adapter configuration
section.
Finally you must specify both a login-config and use standard servlet security to specify
role-based constraints on your URLs. Here's an example:
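<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
    <module-name>customer-portal</module-name>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customers</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>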
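A pre-deployment check for the three per-WAR steps above, plus the rule that adapter jars must not sit in WEB-INF/lib. This is an added example, not code from the Keycloak project. The function names, the "keycloak" file-name match for adapter jars and the placeholder Valve class in the sample are assumptions.

```python
import io, json, zipfile
import xml.etree.ElementTree as ET

def _tags(xml_bytes):
    """Element names in a document, with any XML namespace stripped."""
    return {e.tag.rsplit("}", 1)[-1] for e in ET.fromstring(xml_bytes).iter()}

def check_war(war_bytes):
    """Return problems found against the per-WAR steps (run on your own builds)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = set(war.namelist())
        # Valve code must live in Tomcat's lib/; a copy in WEB-INF/lib will not work.
        # Assumption: adapter jar file names contain "keycloak".
        for n in sorted(names):
            if n.startswith("WEB-INF/lib/") and "keycloak" in n.lower():
                problems.append("adapter jar bundled in WAR: " + n)
        # Step 1: META-INF/context.xml must define a Valve.
        if "META-INF/context.xml" not in names:
            problems.append("missing META-INF/context.xml")
        elif "Valve" not in _tags(war.read("META-INF/context.xml")):
            problems.append("context.xml defines no Valve")
        # Step 2: WEB-INF/keycloak.json must exist and parse as JSON.
        if "WEB-INF/keycloak.json" not in names:
            problems.append("missing WEB-INF/keycloak.json")
        else:
            try:
                json.loads(war.read("WEB-INF/keycloak.json"))
            except ValueError:
                problems.append("keycloak.json is not valid JSON")
        # Step 3: login-config plus a role-based constraint; a security-constraint
        # without auth-constraint does not restrict access by role.
        if "WEB-INF/web.xml" not in names:
            problems.append("missing WEB-INF/web.xml")
        else:
            tags = _tags(war.read("WEB-INF/web.xml"))
            for required in ("login-config", "security-constraint", "auth-constraint"):
                if required not in tags:
                    problems.append("web.xml has no <%s>" % required)
    return problems

def make_war(files):
    """Build a WAR in memory from {path: text}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, text in files.items():
            z.writestr(path, text)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: context.xml present, the other two files missing.
    sample = make_war({"META-INF/context.xml": "<Context><Valve className='placeholder.Valve'/></Context>"})
    print("\n".join(check_war(sample)))
```

To check a real build, pass the file contents: check_war(open(path, "rb").read()).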