KumuluzEE Security Keycloak


KumuluzEE Security extension for the Keycloak authentication server

Usage

You can enable KumuluzEE Security authentication with Keycloak by adding the following dependencies:

```xml
<dependency>
    <groupId>com.kumuluz.ee.security</groupId>
    <artifactId>kumuluzee-security-keycloak</artifactId>
    <version>${kumuluzee-security.version}</version>
</dependency>
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-jetty94-adapter</artifactId>
    <version>${keycloak.version}</version>
</dependency>
```

The keycloak.version property should match the version of the Keycloak server you are running, since the adapter and server are versioned together.

Keycloak configuration

The Keycloak configuration (keycloak.json) has to be provided under the configuration key kumuluzee.security.keycloak.json. The key can be defined as an environment variable, a file property or a config server entry (if you use the KumuluzEE Config project with etcd/Consul support). Please refer to KumuluzEE Config for more information. Optionally, you can also provide the configuration in code with the @Keycloak annotation.

Example of configuration with keycloak.json as a string value (the kumuluzee root key is part of the configuration key named above):

```yaml
kumuluzee:
  security:
    keycloak:
      json: '{
          "realm": "master",
          "bearer-only": true,
          "auth-server-url": "http://localhost:8082/auth",
          "ssl-required": "external",
          "resource": "customers-api",
          "confidential-port": 0
      }'
```

Using the keycloak.json fields directly as YAML keys is also supported:

```yaml
kumuluzee:
  security:
    keycloak:
      realm: "master"
      bearer-only: true
      auth-server-url: "http://localhost:8082/auth"
      ssl-required: "external"
      resource: "customers-api"
```

Example of security configuration in code, which overrides the file/environment configuration (the JSON string is built with explicit + concatenation, as Java requires):

```java
import javax.annotation.security.DeclareRoles;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;

import com.kumuluz.ee.security.annotations.Keycloak;

// Roles referenced by @RolesAllowed on resources must be declared here.
@DeclareRoles({"user", "admin"})
// Inline keycloak.json; takes precedence over kumuluzee.security.keycloak.json.
@Keycloak(json =
        "{" +
        "  \"realm\": \"customers\"," +
        "  \"bearer-only\": true," +
        "  \"auth-server-url\": \"https://localhost:8082/auth\"," +
        "  \"ssl-required\": \"external\"," +
        "  \"resource\": \"customers-api\"" +
        "}"
)
@ApplicationPath("v1")
public class CustomerApplication extends Application {
}
```

You can set a custom config resolver class to adjust the Keycloak configuration at runtime for each request (for multitenancy or other purposes). Note that this class must implement org.keycloak.adapters.KeycloakConfigResolver.

Example custom config resolver configuration:

```yaml
kumuluzee:
  security:
    keycloak:
      config-resolver: foo.bar.MyKeycloakConfigResolver
```
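The class named above has to be written by you; here is an added example of one (not code from the KumuluzEE project) that selects the realm from a tenant segment in the request path and caches one deployment per tenant. The tenant names, the path layout, the auth-server URL and the client id are assumed values; the allowlist keeps request data from selecting an arbitrary realm.

```java
package foo.bar;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;

// Per-request resolver: the tenant id in /tenants/{tenant}/... picks the realm.
public class MyKeycloakConfigResolver implements KeycloakConfigResolver {

    // Assumed tenant list. Only these realms may be chosen from request data;
    // anything else falls back to the default realm instead of trusting the URL.
    private static final Set<String> KNOWN_TENANTS = Set.of("acme", "globex");
    private static final String DEFAULT_TENANT = "master";
    private static final Pattern TENANT_PATH =
            Pattern.compile("/tenants/([A-Za-z0-9_-]+)(/|$)");

    // One KeycloakDeployment per realm; building one parses JSON and may
    // fetch realm keys, so it is done once and reused by later requests.
    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        Matcher m = TENANT_PATH.matcher(request.getURI());
        String tenant = (m.find() && KNOWN_TENANTS.contains(m.group(1)))
                ? m.group(1) : DEFAULT_TENANT;
        return cache.computeIfAbsent(tenant, this::buildDeployment);
    }

    // Assumed: realm name equals tenant name; all tenants share one client id.
    private KeycloakDeployment buildDeployment(String realm) {
        String json = "{"
                + "\"realm\": \"" + realm + "\","
                + "\"bearer-only\": true,"
                + "\"auth-server-url\": \"https://localhost:8082/auth\","
                + "\"ssl-required\": \"external\","
                + "\"resource\": \"customers-api\""
                + "}";
        return KeycloakDeploymentBuilder.build(
                new ByteArrayInputStream(json.getBytes(StandardCharsets.UTF_8)));
    }
}
```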

Realm and client based roles

By default, realm roles are evaluated and client roles are ignored. You can switch to client roles instead with the roles-from-resources config key, which takes an array of client ids:

```yaml
kumuluzee:
  security:
    keycloak:
      roles-from-resources:
        - "customers-api"
```

It is not possible to evaluate realm and client roles at the same time, since @RolesAllowed accepts plain strings and has no knowledge of where a role came from. The choice is exclusive.