This article describes how to secure a Java web application with Red Hat SSO (RH-SSO) using OpenID Connect. The application will authenticate its users against RH-SSO.
It consists of the following steps:
Prerequisites:
- RH-SSO installed
- JBoss application server installed
- RH-SSO adapter installed within the JBoss application server
- Keycloak source examples compiled, to leverage the customer-portal example
1.1 Java web application
Adding the relevant glue to the Java webapp so it can connect to RH-SSO, by:
- updating the file WEB-INF/web.xml
- adding WEB-INF/keycloak.json
1.2 RH-SSO
- Registering the client application in RH-SSO
- Configuring the client authentication method (public, client secret, public key, JWT token) and the redirect URI
- Configuring the user (role, password)
- Exporting the XML structure (to be registered in the JBoss application server)
1.3 JBoss application server
- Updating configuration/standalone.xml
- Deploying the updated webapp
2. Java web application
2.1 keycloak.json
The file keycloak.json is a new file that has to be added to the application as WEB-INF/keycloak.json.
The three possible client authentication types are:
- client secret
- public key (JWT)
- JWT bearer token (bearer-only)
In this article the only mode used is client secret. The other types are provided as keycloak.json examples.
Client secret:
{
  "realm": "demo",
  "resource": "customer-portal",
  "auth-server-url": "/auth",
  "ssl-required": "external",
  "expose-token": true,
  "credentials": {
    "secret": "password"
  }
}
Public key (JWT):
{
  "realm": "demo",
  "resource": "product-portal",
  "auth-server-url": "/auth",
  "ssl-required": "external",
  "credentials": {
    "jwt": {
      "client-keystore-file": "classpath:keystore-client.jks",
      "client-keystore-type": "JKS",
      "client-keystore-password": "storepass",
      "client-key-password": "keypass",
      "client-key-alias": "clientkey",
      "token-expiration": 10
    }
  }
}
Bearer only:
{
  "realm": "demo",
  "resource": "database-service",
  "auth-server-url": "/auth",
  "bearer-only": true,
  "ssl-required": "external"
}
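Before dropping a keycloak.json into WEB-INF it is worth checking which of the three modes it actually selects and whether any setting weakens the deployment (a placeholder secret, ssl-required set to none, a plain-http auth-server-url). The following script is an added example, not part of the article or of the Keycloak project; the three sample documents are constructed to mirror the variants shown above, and the list of placeholder secrets is an assumption.

```python
"""Audit a Keycloak/RH-SSO adapter configuration (WEB-INF/keycloak.json).

Added example: classifies the client authentication mode a keycloak.json
selects and reports settings that weaken the deployment.
"""
import json

# Constructed samples mirroring the three keycloak.json variants in the article.
CLIENT_SECRET_JSON = """
{
  "realm": "demo",
  "resource": "customer-portal",
  "auth-server-url": "/auth",
  "ssl-required": "external",
  "expose-token": true,
  "credentials": { "secret": "password" }
}
"""

JWT_KEYSTORE_JSON = """
{
  "realm": "demo",
  "resource": "product-portal",
  "auth-server-url": "/auth",
  "ssl-required": "external",
  "credentials": {
    "jwt": {
      "client-keystore-file": "classpath:keystore-client.jks",
      "client-keystore-type": "JKS",
      "client-keystore-password": "storepass",
      "client-key-password": "keypass",
      "client-key-alias": "clientkey",
      "token-expiration": 10
    }
  }
}
"""

BEARER_ONLY_JSON = """
{
  "realm": "demo",
  "resource": "database-service",
  "auth-server-url": "/auth",
  "bearer-only": true,
  "ssl-required": "external"
}
"""

# Assumed list of placeholder secrets that must never reach a real deployment.
PLACEHOLDER_SECRETS = {"password", "secret", "changeme", "", None}


def load_adapter_config(text):
    """Parse a keycloak.json document into a dict."""
    return json.loads(text)


def classify_auth_mode(cfg):
    """Return the client authentication mode implied by the adapter config."""
    if cfg.get("bearer-only"):
        return "bearer-only"
    creds = cfg.get("credentials") or {}
    if "jwt" in creds:
        return "jwt-keystore"
    if "secret" in creds:
        return "client-secret"
    if cfg.get("public-client"):
        return "public"
    return "unknown"


def audit_adapter_config(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for key in ("realm", "resource", "auth-server-url"):
        if not cfg.get(key):
            findings.append(f"missing required key '{key}'")
    # The adapter defaults ssl-required to "external"; only "external" and "all" keep tokens off plain HTTP.
    ssl = str(cfg.get("ssl-required", "external")).lower()
    if ssl not in ("external", "all"):
        findings.append(f"ssl-required is '{ssl}': tokens may travel over plain HTTP")
    if str(cfg.get("auth-server-url", "")).startswith("http://"):
        findings.append("auth-server-url uses http:// rather than https://")
    mode = classify_auth_mode(cfg)
    if mode == "client-secret" and cfg["credentials"]["secret"] in PLACEHOLDER_SECRETS:
        findings.append("client secret is a placeholder; use the secret generated by RH-SSO")
    if mode == "jwt-keystore":
        jwt = cfg["credentials"]["jwt"]
        for k in ("client-keystore-file", "client-key-alias",
                  "client-keystore-password", "client-key-password"):
            if not jwt.get(k):
                findings.append(f"jwt credentials missing '{k}'")
    if mode == "unknown":
        findings.append("confidential client has no credentials and is neither bearer-only nor public")
    if cfg.get("expose-token"):
        findings.append("expose-token is true: the access token is exposed to the web application")
    return findings


if __name__ == "__main__":
    for label, doc in (("client secret", CLIENT_SECRET_JSON),
                       ("jwt keystore", JWT_KEYSTORE_JSON),
                       ("bearer only", BEARER_ONLY_JSON)):
        cfg = load_adapter_config(doc)
        print(label, "->", classify_auth_mode(cfg), audit_adapter_config(cfg))
```

Run against the article's own client-secret sample the audit flags two things: the secret "password" is a placeholder, and expose-token is enabled; the JWT and bearer-only samples pass clean.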
2.2 web.xml
You need to add to web.xml:
- Login authentication method used: KEYCLOAK
- Security roles of the user for this webapp (admin and user here)
<login-config>
  <auth-method>KEYCLOAK</auth-method>
  <realm-name>demo</realm-name>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>user</role-name>
</security-role>
3. Registering the client application in RH-SSO
3.1 Realm creation – demo
Create a realm for the application to be deployed in (demo here).
3.2 Client creation – customer-portal
- Create a new client (name customer-portal)
- the client protocol is openid-connect
- the client access type is confidential
- redirect URI: https://localhost:8080/customer-portal/*
- base URL: https://localhost:8080/customer-portal/customers/view.jsp
(The base URL is the URL that will be used to access the customer portal.)
3.3 Client customer-portal roles
Create two new roles for this application:
- user
- admin
This means that only users holding the user or admin role will be able to log in.
3.4 Create a user within this application
You can create a new user:
- username: user1
- first name: user1
- last name: test1
- email: user1.test1@foo.com
- password: user1
Once created, assign the user and admin roles to user1.
3.5 Prepare the export XML structure for the JBoss application server
You can now prepare the export-like structure that will be used by the JBoss application server to contact RH-SSO.
<secure-deployment name="WAR MODULE NAME.war">
  <realm>demo</realm>
  <auth-server-url>https://localhost:8180/auth</auth-server-url>
  <ssl-required>EXTERNAL</ssl-required>
  <resource>customer-portal</resource>
  <credential name="secret">e8999adf-8001-4b49-8cce-04fb54ef09c6</credential>
</secure-deployment>
4. Updating the JBoss application server
4.1 Preparing standalone.xml
Open the standalone/configuration/standalone.xml file and search for the following text:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
Modify this to prepare it for pasting in your template from the Installation page:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
</subsystem>
4.2 Adding the XML structure
You can now add the XML structure prepared in the previous step to the JBoss standalone.xml file:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="customer-portal.war">
    <realm>demo</realm>
    <auth-server-url>https://localhost:8180/auth</auth-server-url>
    <resource>customer-portal</resource>
    <credential name="secret">e8999adf-8001-4b49-8cce-04fb54ef09c6</credential>
  </secure-deployment>
</subsystem>
Your system is now ready to be tested.
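The secure-deployment element of steps 3.5 and 4.2 carries the same settings as WEB-INF/keycloak.json, so it can be generated from that file instead of being typed by hand (which is also how the secret gets copied without transcription mistakes). The script below is an added example, not part of the article or of the Keycloak project; the sample configuration and the placeholder secret are constructed, and the set of child elements it emits (realm, auth-server-url, ssl-required, resource, bearer-only, public-client, expose-token, credential) is the subset of the subsystem's schema used here.

```python
"""Generate a <secure-deployment> element for the Keycloak subsystem in
standalone.xml from an adapter configuration (keycloak.json) dict.

Added example: derives the JBoss subsystem fragment from the same
settings the adapter file carries.
"""
import json
import xml.etree.ElementTree as ET

KEYCLOAK_SUBSYSTEM_NS = "urn:jboss:domain:keycloak:1.1"

# Constructed sample mirroring the article's customer-portal client; the
# secret is a placeholder to be replaced by the one generated in RH-SSO.
SAMPLE_CONFIG_JSON = """
{
  "realm": "demo",
  "resource": "customer-portal",
  "auth-server-url": "https://localhost:8180/auth",
  "ssl-required": "external",
  "credentials": { "secret": "REPLACE-WITH-SECRET-FROM-RH-SSO" }
}
"""

# keycloak.json keys that map one-to-one onto child elements of <secure-deployment>.
SIMPLE_KEYS = ("realm", "auth-server-url", "ssl-required", "resource",
               "bearer-only", "public-client", "expose-token")


def load_config(text):
    """Parse a keycloak.json document into a dict."""
    return json.loads(text)


def build_secure_deployment(cfg, war_name):
    """Return an Element for <secure-deployment name="<war_name>">."""
    if not war_name.endswith(".war"):
        raise ValueError("deployment name must end in .war")
    # A confidential client with no credentials would silently fail to authenticate.
    if "bearer-only" not in cfg and "credentials" not in cfg and not cfg.get("public-client"):
        raise ValueError("confidential client needs a credentials block")
    dep = ET.Element("secure-deployment", {"name": war_name})
    for key in SIMPLE_KEYS:
        if key in cfg:
            value = cfg[key]
            if isinstance(value, bool):
                text = "true" if value else "false"
            elif key == "ssl-required":
                text = str(value).upper()   # written upper-case as in the article
            else:
                text = str(value)
            ET.SubElement(dep, key).text = text
    secret = (cfg.get("credentials") or {}).get("secret")
    if secret is not None:
        # ElementTree escapes the text, so a secret containing '&' or '<' stays well-formed.
        ET.SubElement(dep, "credential", {"name": "secret"}).text = secret
    return dep


def render_subsystem(deployments):
    """Wrap <secure-deployment> elements in the keycloak subsystem element and serialise."""
    sub = ET.Element("subsystem", {"xmlns": KEYCLOAK_SUBSYSTEM_NS})
    for dep in deployments:
        sub.append(dep)
    if hasattr(ET, "indent"):   # pretty-printing available on Python 3.9+
        ET.indent(sub)
    return ET.tostring(sub, encoding="unicode")


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG_JSON)
    print(render_subsystem([build_secure_deployment(cfg, "customer-portal.war")]))
```

The output replaces the empty subsystem element prepared in step 4.1; passing several deployments to render_subsystem produces one subsystem block for all the WARs on the server.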
5. Test
Go to the URL:
https://localhost:8080/customer-portal/customers/view.jsp
You are redirected to the RH-SSO login screen and can log in with username user1 and password user1.