[[_fuse_adapter_classic_war]] ===== Securing a Classic WAR Application The needed steps to secure your WAR application are: . In the `/WEB-INF/web.xml` file, declare the necessary: * security constraints in the element * login configuration in the element * security roles in the element. + For example: + [source,xml] ---- customer-portal index.html Customers /customers/* user BASIC does-not-matter admin user ---- . Add the `jetty-web.xml` file with the authenticator to the `/WEB-INF/jetty-web.xml` file. + For example: + [source,xml] ---- ---- . Within the `/WEB-INF/` directory of your WAR, create a new file, keycloak.json. The format of this configuration file is described in the <> section. It is also possible to make this file available externally as described in xref:config_external_adapter[Configuring the External Adapter]. . Ensure your WAR application imports `org.keycloak.adapters.jetty` and maybe some more packages in the `META-INF/MANIFEST.MF` file, under the `Import-Package` header. Using `maven-bundle-plugin` in your project properly generates OSGI headers in manifest. Note that "*" resolution for the package does not import the `org.keycloak.adapters.jetty` package, since it is not used by the application or the Blueprint or Spring descriptor, but is rather used in the `jetty-web.xml` file. + The list of the packages to import might look like this: + [source, subs="attributes"] ---- org.keycloak.adapters.jetty;version="{{book.project.versionMvn}}", org.keycloak.adapters;version="{{book.project.versionMvn}}", org.keycloak.constants;version="{{book.project.versionMvn}}", org.keycloak.util;version="{{book.project.versionMvn}}", org.keycloak.*;version="{{book.project.versionMvn}}", *;resolution:=optional ---- [[config_external_adapter]] ====== Configuring the External Adapter If you do not want the `keycloak.json` adapter configuration file to be bundled inside your WAR application, but instead made available externally and loaded based on naming conventions, use this configuration method. To enable the functionality, add this section to your `/WEB_INF/web.xml` file: [source,xml] ---- keycloak.config.resolver org.keycloak.adapters.osgi.PathBasedKeycloakConfigResolver ---- That component uses `keycloak.config` or `karaf.etc` java properties to search for a base folder to locate the configuration. Then inside one of those folders it searches for a file called `-keycloak.json`. So, for example, if your web application has context `my-portal`, then your adapter configuration is loaded from the `$FUSE_HOME/etc/my-portal-keycloak.json` file.