[[_fuse7_adapter_classic_war]]
===== Securing a Classic WAR Application

The steps needed to secure your WAR application are:

. In the `/WEB-INF/web.xml` file, declare the necessary:
* security constraints in the `<security-constraint>` element
* login configuration in the `<login-config>` element. Make sure that the `<auth-method>` is `KEYCLOAK`.
* security roles in the `<security-role>` element
+
For example:
+
[source,xml]
----
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <module-name>customer-portal</module-name>

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    <!-- Only users holding the "user" role may access /customers/* -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customers</web-resource-name>
            <url-pattern>/customers/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- The auth method must be KEYCLOAK for the adapter to handle login -->
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>does-not-matter</realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
----

. Within the `/WEB-INF/` directory of your WAR, create a new file, `keycloak.json`. The format of this configuration file is described in the <<_java_adapter_config,Java Adapters Config>> section. It is also possible to make this file available externally as described in xref:config_external_adapter[Configuring the External Adapter].
+
For example:
+
[source,json]
----
{
    "realm": "demo",
    "resource": "customer-portal",
    "auth-server-url": "http://localhost:8080/auth",
    "ssl-required" : "external",
    "credentials": {
        "secret": "password"
    }
}
----

. Contrary to the Fuse 6 adapter, there are no special OSGi imports needed in `MANIFEST.MF`.

[[_fuse7_config_external_adapter]]
====== Configuration Resolvers

The `keycloak.json` adapter configuration file can be stored inside a bundle, which is the default behaviour, or in a directory on a filesystem. To specify the actual source of the configuration file, set the `keycloak.config.resolver` deployment parameter to the desired configuration resolver class. For example, in a classic WAR application, set the `keycloak.config.resolver` context parameter in the `web.xml` file like this:

[source,xml]
----
<context-param>
    <param-name>keycloak.config.resolver</param-name>
    <param-value>org.keycloak.adapters.osgi.PathBasedKeycloakConfigResolver</param-value>
</context-param>
----

The following resolvers are available for `keycloak.config.resolver`:

org.keycloak.adapters.osgi.BundleBasedKeycloakConfigResolver::
This is the default resolver. The configuration file is expected inside the OSGi bundle that is being secured. By default, it loads the file named `WEB-INF/keycloak.json`, but this file name can be configured via the `configLocation` property.

org.keycloak.adapters.osgi.PathBasedKeycloakConfigResolver::
This resolver searches for a file called `<your_web_context>-keycloak.json` inside a folder that is specified by the `keycloak.config` system property. If `keycloak.config` is not set, the `karaf.etc` system property is used instead.
+
For example, if your web application is deployed into context `my-portal`, then your adapter configuration would be loaded either from the `${keycloak.config}/my-portal-keycloak.json` file, or from `${karaf.etc}/my-portal-keycloak.json`.

org.keycloak.adapters.osgi.HierarchicalPathBasedKeycloakConfigResolver::
This resolver is similar to `PathBasedKeycloakConfigResolver` above, except that for a given URI path, configuration locations are checked from most to least specific.
+
For example, for the `/my/web-app/context` URI, the following configuration locations are checked in order and the first one that exists is used:
+
* `${karaf.etc}/my-web-app-context-keycloak.json`
* `${karaf.etc}/my-web-app-keycloak.json`
* `${karaf.etc}/my-keycloak.json`
* `${karaf.etc}/keycloak.json`
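
The lookup order described for `HierarchicalPathBasedKeycloakConfigResolver`, modelled as an added Python example (not the adapter's own code) that reports which file a URI path would pick up and whether it is a less specific fallback rather than the file named for that exact path. The function names and the temporary directory standing in for `${karaf.etc}` are assumptions of this example.

```python
import os
import tempfile


def candidate_names(uri_path):
    """File names checked for a URI path, most specific first, in the
    order listed in the text above."""
    segments = [s for s in uri_path.split("/") if s]
    names = ["-".join(segments[:n]) + "-keycloak.json"
             for n in range(len(segments), 0, -1)]
    names.append("keycloak.json")  # least specific location, checked last
    return names


def resolve(uri_path, config_dir):
    """Return (path of the first existing candidate or None, is_fallback).

    is_fallback is True when the match is not the most specific name,
    i.e. the context is being secured by a file written for a parent path.
    """
    for index, name in enumerate(candidate_names(uri_path)):
        path = os.path.join(config_dir, name)
        if os.path.isfile(path):
            return path, index > 0
    return None, False


def demo():
    """Constructed layout: only a parent-path file and the global file exist."""
    with tempfile.TemporaryDirectory() as etc:  # stand-in for ${karaf.etc}
        for name in ("my-keycloak.json", "keycloak.json"):
            with open(os.path.join(etc, name), "w") as fh:
                fh.write("{}")
        path, fallback = resolve("/my/web-app/context", etc)
        return os.path.basename(path), fallback


if __name__ == "__main__":
    chosen, fallback = demo()
    print("candidates:", candidate_names("/my/web-app/context"))
    print("chosen:", chosen, "(fallback)" if fallback else "(exact match)")
```

Running `resolve` against the real configuration directory for each deployed context shows which contexts inherit the realm and client settings of a less specific file.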