77 lines
2.7 KiB
Text
Executable file
77 lines
2.7 KiB
Text
Executable file
[[_spring_boot_adapter]]
|
|
==== Spring Boot Adapter
|
|
|
|
To be able to secure Spring Boot apps you must add the Keycloak Spring Boot adapter JAR to your app.
|
|
You then have to provide some extra configuration via normal Spring Boot configuration (`application.properties`). Let's go over these steps.
|
|
|
|
[[_spring_boot_adapter_installation]]
|
|
===== Adapter Installation
|
|
|
|
The Keycloak Spring Boot adapter takes advantage of Spring Boot's autoconfiguration so all you need to do is add the Keycloak Spring Boot adapter JAR to your project.
|
|
Depending on what container you are using with Spring Boot, you also need to add the appropriate Keycloak container adapter.
|
|
If you are using Maven, add the following to your pom.xml (using Tomcat as an example):
|
|
|
|
|
|
[source,xml,subs="attributes+"]
|
|
----
|
|
|
|
|
|
<dependency>
|
|
<groupId>org.keycloak</groupId>
|
|
<artifactId>keycloak-spring-boot-adapter</artifactId>
|
|
<version>{{book.project.versionMvn}}</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.keycloak</groupId>
|
|
<artifactId>keycloak-tomcat8-adapter</artifactId>
|
|
<version>{{book.project.versionMvn}}</version>
|
|
</dependency>
|
|
----
|
|
|
|
Currently the following embedded containers are supported :
|
|
|
|
* Tomcat
|
|
* Undertow
|
|
* Jetty
|
|
|
|
[[_spring_boot_adapter_configuration]]
|
|
===== Required Spring Boot Adapter Configuration
|
|
|
|
This section describes how to configure your Spring Boot app to use Keycloak.
|
|
|
|
Instead of a `keycloak.json` file, you configure the realm for the Spring Boot Keycloak adapter via the normal Spring Boot configuration.
|
|
For example:
|
|
|
|
[source]
|
|
----
|
|
|
|
|
|
keycloak.realm = demorealm
|
|
keycloak.auth-server-url = http://127.0.0.1:8080/auth
|
|
keycloak.ssl-required = external
|
|
keycloak.resource = demoapp
|
|
keycloak.credentials.secret = 11111111-1111-1111-1111-111111111111
|
|
keycloak.use-resource-role-mappings = true
|
|
----
|
|
|
|
You can disable the Keycloak Spring Boot Adapter (for example in tests) by setting `keycloak.enabled = false`.
|
|
|
|
To configure a Policy Enforcer, unlike keycloak.json, `policy-enforcer-config` must be used instead of just `policy-enforcer`.
|
|
|
|
You also need to specify the Java EE security config that would normally go in the `web.xml`.
|
|
The Spring Boot Adapter will set the `login-method` to `KEYCLOAK` and configure the `security-constraints` at startup time.
|
|
Here's an example configuration:
|
|
|
|
[source]
|
|
----
|
|
|
|
|
|
keycloak.securityConstraints[0].authRoles[0] = admin
|
|
keycloak.securityConstraints[0].authRoles[1] = user
|
|
keycloak.securityConstraints[0].securityCollections[0].name = insecure stuff
|
|
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /insecure
|
|
|
|
keycloak.securityConstraints[1].authRoles[0] = admin
|
|
keycloak.securityConstraints[1].securityCollections[0].name = admin stuff
|
|
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
|
|
----
|