Tomcat 7 Adapter
To be able to secure WAR apps deployed on Tomcat 7 you must install the Keycloak Tomcat 7 adapter
into your Tomcat installation. You then have to provide some extra configuration in each WAR you deploy to
Tomcat. Let's go over these steps.
Adapter Installation
There is an adapter zip file for Tomcat 7 in the adapters/ directory in the Keycloak appliance
or war distribution. You must unzip this file into Tomcat's lib/ directory. Including the
adapter's jars within your WEB-INF/lib directory will not work! The Keycloak adapter is implemented as a Valve,
and valve code must reside in Tomcat's main lib/ directory.
$ cd $TOMCAT_HOME/lib
$ unzip keycloak-tomcat7-adapter-dist.zip
Required Per WAR Configuration
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
The first thing you must do is create a META-INF/context.xml file in your WAR package. This is
a Tomcat-specific config file, and in it you must define a Keycloak-specific Valve.
Next you must create a keycloak.json adapter config file within the WEB-INF directory
of your WAR. The format of this config file is described in the general adapter configuration
section.
Finally you must specify both a login-config and use standard servlet security to specify
role-based constraints on your URLs. Here's an example:
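<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <module-name>customer-portal</module-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customers</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>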
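As an added example (not part of the original page or the Keycloak distribution), this Python script checks a WAR for the per-WAR requirements described above: a Valve in META-INF/context.xml, a WEB-INF/keycloak.json file, a login-config and role constraint in web.xml, and no adapter jars under WEB-INF/lib. The function names, the `keycloak` jar-name prefix, and the sample archives (including the placeholder Valve class name) are assumptions constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

def _xml(war, name):
    """Parse one WAR entry as XML; None if it is absent or malformed."""
    try:
        return ET.fromstring(war.read(name))
    except (KeyError, ET.ParseError):
        return None

def audit_war(war_bytes):
    """Return a list of findings; an empty list means every check passed."""
    out = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = sorted(war.namelist())
        ctx, web = _xml(war, "META-INF/context.xml"), _xml(war, "WEB-INF/web.xml")
    if ctx is None:
        out.append("META-INF/context.xml missing or malformed")
    elif not any(e.tag == "Valve" and e.get("className") for e in ctx.iter()):
        out.append("META-INF/context.xml defines no Valve")
    if "WEB-INF/keycloak.json" not in names:
        out.append("WEB-INF/keycloak.json missing")
    for n in names:
        # Assumption: adapter jar file names start with "keycloak".
        if n.startswith("WEB-INF/lib/keycloak") and n.endswith(".jar"):
            out.append("adapter jar inside WAR: " + n)
    if web is None:
        out.append("WEB-INF/web.xml missing or malformed")
    else:
        # web.xml is usually namespaced, so compare local element names.
        tags = {e.tag.rsplit("}", 1)[-1] for e in web.iter()}
        out += ["web.xml has no " + t for t in ("login-config", "auth-constraint") if t not in tags]
    return out

def build_war(files):  # zip {path: text} in memory for the constructed samples
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, text in files.items():
            z.writestr(path, text)
    return buf.getvalue()

# Constructed samples; the Valve className is a placeholder, not the real class.
GOOD = build_war({
    "META-INF/context.xml": '<Context><Valve className="placeholder.Valve"/></Context>',
    "WEB-INF/keycloak.json": "{}",
    "WEB-INF/web.xml": "<web-app><security-constraint><auth-constraint/></security-constraint><login-config/></web-app>",
})
BAD = build_war({"WEB-INF/web.xml": "<web-app/>", "WEB-INF/lib/keycloak-placeholder.jar": ""})
```

To audit a real archive, pass its bytes: `audit_war(open("app.war", "rb").read())`.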