111 lines
4.2 KiB
Text
111 lines
4.2 KiB
Text
|
|
[[_fuse7_adapter_classic_war]]
|
|
===== Securing a Classic WAR Application
|
|
|
|
The needed steps to secure your WAR application are:
|
|
|
|
. In the `/WEB-INF/web.xml` file, declare the necessary:
|
|
* security constraints in the <security-constraint> element
|
|
* login configuration in the <login-config> element. Make sure that the `<auth-method>` is `KEYCLOAK`.
|
|
* security roles in the <security-role> element
|
|
+
|
|
For example:
|
|
+
|
|
[source,xml]
|
|
----
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
|
|
version="3.0">
|
|
|
|
<module-name>customer-portal</module-name>
|
|
|
|
<welcome-file-list>
|
|
<welcome-file>index.html</welcome-file>
|
|
</welcome-file-list>
|
|
|
|
<security-constraint>
|
|
<web-resource-collection>
|
|
<web-resource-name>Customers</web-resource-name>
|
|
<url-pattern>/customers/*</url-pattern>
|
|
</web-resource-collection>
|
|
<auth-constraint>
|
|
<role-name>user</role-name>
|
|
</auth-constraint>
|
|
</security-constraint>
|
|
|
|
<login-config>
|
|
<auth-method>KEYCLOAK</auth-method>
|
|
<realm-name>does-not-matter</realm-name>
|
|
</login-config>
|
|
|
|
<security-role>
|
|
<role-name>admin</role-name>
|
|
</security-role>
|
|
<security-role>
|
|
<role-name>user</role-name>
|
|
</security-role>
|
|
</web-app>
|
|
----
|
|
|
|
. Within the `/WEB-INF/` directory of your WAR, create a new file, keycloak.json. The format of this configuration file is described in the <<_java_adapter_config,Java Adapters Config>> section. It is also possible to make this file available externally as described in xref:config_external_adapter[Configuring the External Adapter].
|
|
+
|
|
For example:
|
|
+
|
|
[source,json]
|
|
----
|
|
{
|
|
"realm": "demo",
|
|
"resource": "customer-portal",
|
|
"auth-server-url": "http://localhost:8080/auth",
|
|
"ssl-required" : "external",
|
|
"credentials": {
|
|
"secret": "password"
|
|
}
|
|
}
|
|
----
|
|
|
|
. Contrary to the Fuse 6 adapter, there are no special OSGi imports needed in MANIFEST.MF.
|
|
|
|
[[_fuse7_config_external_adapter]]
|
|
====== Configuration Resolvers
|
|
|
|
The `keycloak.json` adapter configuration file can be stored inside a bundle,
|
|
which is default behaviour, or in a directory on a filesystem. To specify the
|
|
actual source of the configuration file, set the `keycloak.config.resolver` deployment parameter to the desired configuration resolver class.
|
|
For example, in a classic WAR application, set the `keycloak.config.resolver` context parameter in `web.xml` file like this:
|
|
|
|
[source,xml]
|
|
----
|
|
<context-param>
|
|
<param-name>keycloak.config.resolver</param-name>
|
|
<param-value>org.keycloak.adapters.osgi.PathBasedKeycloakConfigResolver</param-value>
|
|
</context-param>
|
|
----
|
|
|
|
The following resolvers are available for `keycloak.config.resolver`:
|
|
|
|
org.keycloak.adapters.osgi.BundleBasedKeycloakConfigResolver::
|
|
This is the default resolver. The configuration file is expected inside
|
|
the OSGi bundle that is being secured. By default, it loads file named `WEB-INF/keycloak.json` but this file name can be configured via `configLocation` property.
|
|
|
|
org.keycloak.adapters.osgi.PathBasedKeycloakConfigResolver::
|
|
This resolver searches for a file called `<your_web_context>-keycloak.json` inside a folder
|
|
that is specified by `keycloak.config` system property. If `keycloak.config` is
|
|
not set, `karaf.etc` system property is used instead.
|
|
+
|
|
For example, if your web application is deployed into context `my-portal`, then
|
|
your adapter configuration would be loaded either from the
|
|
`${keycloak.config}/my-portal-keycloak.json` file, or from `${karaf.etc}/my-portal-keycloak.json`.
|
|
|
|
org.keycloak.adapters.osgi.HierarchicalPathBasedKeycloakConfigResolver::
|
|
This resolver is similar to `PathBasedKeycloakConfigResolver` above, where
|
|
for given URI path, configuration locations are checked from most to least specific.
|
|
+
|
|
For example, for `/my/web-app/context` URI, the following configuration locations are searched for existence until the first one exists:
|
|
|
|
* `${karaf.etc}/my-web-app-context-keycloak.json`
|
|
* `${karaf.etc}/my-web-app-keycloak.json`
|
|
* `${karaf.etc}/my-keycloak.json`
|
|
* `${karaf.etc}/keycloak.json`
|