c7a8742a36
Source code headers
59 lines
No EOL
3.4 KiB
XML
59 lines
No EOL
3.4 KiB
XML
<!--
|
|
~ Copyright 2016 Red Hat, Inc. and/or its affiliates
|
|
~ and other contributors as indicated by the @author tags.
|
|
~
|
|
~ Licensed under the Apache License, Version 2.0 (the "License");
|
|
~ you may not use this file except in compliance with the License.
|
|
~ You may obtain a copy of the License at
|
|
~
|
|
~ http://www.apache.org/licenses/LICENSE-2.0
|
|
~
|
|
~ Unless required by applicable law or agreed to in writing, software
|
|
~ distributed under the License is distributed on an "AS IS" BASIS,
|
|
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
~ See the License for the specific language governing permissions and
|
|
~ limitations under the License.
|
|
-->
|
|
|
|
<section id="jaas-adapter">
|
|
<title>JAAS plugin</title>
|
|
<para>
|
|
It's generally not needed to use JAAS for most of the applications, especially if they are HTTP based, but directly choose one of our adapters.
|
|
However some applications and systems may still rely on pure legacy JAAS solution. Keycloak provides couple of login modules
|
|
to help with such use cases. Some login modules provided by Keycloak are:
|
|
</para>
|
|
<para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule</term>
|
|
<listitem>
|
|
<para>
|
|
This login module allows to authenticate with username/password from Keycloak database. It's using
|
|
<link linkend="direct-access-grants">Direct Access Grants</link> Keycloak endpoint to validate on Keycloak side if provided username/password is valid.
|
|
It's useful especially for non-web based systems, which need to rely on JAAS and want to use Keycloak credentials, but can't use classic browser based
|
|
authentication flow due to their non-web nature. Example of such application could be messaging application or SSH system.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>org.keycloak.adapters.jaas.BearerTokenLoginModule</term>
|
|
<listitem>
|
|
<para>
|
|
This login module allows to authenticate with Keycloak access token passed to it through CallbackHandler as password.
|
|
It may be useful for example in case, when you have Keycloak access token from classic web based authentication flow
|
|
and your web application then needs to talk to external non-web based system, which rely on JAAS. For example to JMS/messaging system.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</para>
|
|
<para>
|
|
Both login modules have configuration property <literal>keycloak-config-file</literal> where you need to provide location of keycloak.json configuration file.
|
|
It could be either provided from filesystem or from classpath (in that case you may need value like <literal>classpath:/folder-on-classpath/keycloak.json</literal> ).
|
|
</para>
|
|
<para>
|
|
Second property <literal>role-principal-class</literal> allows to specify alternative class for Role principals attached to JAAS Subject. Default
|
|
value for Role principal is <literal>org.keycloak.adapters.jaas.RolePrincipal</literal> . Note that class should have constructor
|
|
with single String argument.
|
|
</para>
|
|
</section> |