How to secure a Java App with RedHat SSO using OpenID

This article describes how to secure a Java application with RH-SSO (Red Hat Single Sign-On) using OpenID Connect. The application will authenticate its users against RH-SSO.

It consists of the following steps:

  1. Prerequisites:
  • RH-SSO installed
  • JBoss application server installed
  • RH-SSO adapter installed within the JBoss application server
  • Keycloak source examples compiled, to leverage the customer-portal example.
  1.1 Java web application:
  • Adding the relevant glue to the Java webapp to connect to RH-SSO, by
  • updating the file WEB-INF/web.xml
  • adding WEB-INF/keycloak.json
  1.2 RH-SSO
  • Registering the client application in RH-SSO
  • configuring the client authentication method (public, client secret, public key, JWT token) and the redirect URI
  • configuring the user (role, password)
  • exporting the XML data (to be registered in the JBoss application server)
  1.3 JBoss application server
  • updating configuration/standalone.xml
  • deploying the updated webapp
2. Java Web application
2.1  keycloak.json

The file keycloak.json is a new file that has to be added to the application as WEB-INF/keycloak.json.

The 3 possible client authentication types are:

  • client secret
  • public key
  • JWT bearer token

In this article the only mode used is client secret. The other types are provided as keycloak.json examples.

2.2 web.xml

You need to add to web.xml:

  • Login authentication method used: KEYCLOAK
  • Security roles of the user for this webapp (admin and user here)

3 Registering the client application in RH-SSO
3.1 Realm Creation – demo

Create a realm for the application to be deployed in (demo here).

3.2 Client Creation – customer portal
  • Create a new client (name customer-portal)
  • client-protocol is openid
  • the client type is confidential
  • redirect_uri: http://localhost:8080/customer-portal/*
  • base URL: http://localhost:8080/customer-portal/customers/view.jsp
    (The base URL is the URL that will be used to access the customer portal)
3.3 Client customer-portal roles:

Create for this application 2 new roles:

  • User
  • admin

This means that only users holding the user or admin role will be able to log in.

3.4 create user within this application

You can create a new user:

Once created, assign the user and admin roles to user1.

3.5 Prepare export xml structure for JBoss application server

You can now prepare the export-like XML structure that will be used by the JBoss application server to contact RH-SSO.

4. Updating JBoss Application Server
4.1 Preparing standalone.xml
  • Open the standalone/configuration/standalone.xml file and search for the following text:

  • Modify this to prepare it for pasting in your template from the Installation page:

4.2 Adding the XML structure

You can now add the XML structure prepared in the previous step to the JBoss standalone.xml file.

Your system is now ready to be tested.

5. Test

Go to URL:
http://localhost:8080/customer-portal/customers/view.jsp
You are redirected to the RH-SSO login screen and can log in with username: user1, password: user1.

Olivier Rivat

Senior Software Engineer with over 25 years of experience in software development, support and consulting for Identity and Access Management solutions.
Specialised in IAM (security, access control, identity management) and Open Source integration, and founded in 2004 by IAM industry veteran, JANUA offers high value-added products and services to businesses and governments with a concern for Identity Management and Open Source components.
JANUA provides better security, builds relationships, and enables new cloud, mobile, and IoT offerings from any device or connected thing.