libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions
keycloak-scim/securing_apps/topics/oidc/java/fuse7/classic-war.adoc

111 lines
4.2 KiB
Text
Raw Blame History

[[_fuse7_adapter_classic_war]]
===== Securing a Classic WAR application
.Procedure
. In the `/WEB-INF/web.xml` file, declare the necessary:
* security constraints in the <security-constraint> element
* login configuration in the <login-config> element. Make sure that the `<auth-method>` is `KEYCLOAK`.
* security roles in the <security-role> element
+
For example:
+
[source,xml]
----
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>customer-portal</module-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>Customers</web-resource-name>
<url-pattern>/customers/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>does-not-matter</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
----
. Within the `/WEB-INF/` directory of your WAR, create a new file, keycloak.json. The format of this configuration file is described in the <<_java_adapter_config,Java Adapters Config>> section. It is also possible to make this file available externally as described in xref:config_external_adapter[Configuring the External Adapter].
+
For example:
+
[source,json]
----
{
"realm": "demo",
"resource": "customer-portal",
"auth-server-url": "http://localhost:8080/auth",
"ssl-required" : "external",
"credentials": {
"secret": "password"
}
}
----
. Contrary to the Fuse 6 adapter, there are no special OSGi imports needed in MANIFEST.MF.
[[_fuse7_config_external_adapter]]
====== Configuration resolvers
The `keycloak.json` adapter configuration file can be stored inside a bundle,
which is default behaviour, or in a directory on a filesystem. To specify the
actual source of the configuration file, set the `keycloak.config.resolver` deployment parameter to the desired configuration resolver class.
For example, in a classic WAR application, set the `keycloak.config.resolver` context parameter in `web.xml` file like this:
[source,xml]
----
<context-param>
<param-name>keycloak.config.resolver</param-name>
<param-value>org.keycloak.adapters.osgi.PathBasedKeycloakConfigResolver</param-value>
</context-param>
----
The following resolvers are available for `keycloak.config.resolver`:
org.keycloak.adapters.osgi.BundleBasedKeycloakConfigResolver::
This is the default resolver. The configuration file is expected inside
the OSGi bundle that is being secured. By default, it loads file named `WEB-INF/keycloak.json` but this file name can be configured via `configLocation` property.
org.keycloak.adapters.osgi.PathBasedKeycloakConfigResolver::
This resolver searches for a file called `<your_web_context>-keycloak.json` inside a folder
that is specified by `keycloak.config` system property. If `keycloak.config` is
not set, `karaf.etc` system property is used instead.
+
For example, if your web application is deployed into context `my-portal`, then
your adapter configuration would be loaded either from the
`${keycloak.config}/my-portal-keycloak.json` file, or from `${karaf.etc}/my-portal-keycloak.json`.
org.keycloak.adapters.osgi.HierarchicalPathBasedKeycloakConfigResolver::
This resolver is similar to `PathBasedKeycloakConfigResolver` above, where
for given URI path, configuration locations are checked from most to least specific.
+
For example, for `/my/web-app/context` URI, the following configuration locations are searched for existence until the first one exists:
* `${karaf.etc}/my-web-app-context-keycloak.json`
* `${karaf.etc}/my-web-app-keycloak.json`
* `${karaf.etc}/my-keycloak.json`
* `${karaf.etc}/keycloak.json`
Reference in a new issue View git blame Copy permalink