This article describes how to secure a Java app with RedHat SSO (RH-SSO) using OpenID Connect. The application will authenticate its users against RH-SSO.

It consists of the following steps:

  1. Prerequisites:
  • RH-SSO installed
  • JBoss application server installed
  • RH-SSO adapter installed within the JBoss application server
  • Keycloak source examples compiled, to leverage the customer-portal example
  1.1 Java web application:
  • Adding the relevant glue to the Java webapp to connect to RH-SSO, by
  • updating the file WEB-INF/web.xml
  • adding WEB-INF/keycloak.json
  1.2 RH-SSO
  • Registering the client application in RH-SSO
  • Configuring the client authentication method (public, client secret, public key, JWT token) and redirect URI
  • Configuring the user (role, password)
  • Exporting the XML data (to be registered in the JBoss application server)
  1.3 JBoss application server
  • Updating configuration/standalone.xml
  • Deploying the updated webapp
2. Java web application
2.1 keycloak.json

The file keycloak.json is a new file that has to be added to the application as WEB-INF/keycloak.json.

Three types of client authentication are possible:

  • client secret
  • public key (JWT signed with the client's key)
  • bearer only (JWT bearer token)

In this article the only mode used is client secret. The other types are provided as keycloak.json examples.

Client secret
{
  "realm": "demo",
  "resource": "customer-portal",
  "auth-server-url": "/auth",
  "ssl-required": "external",
  "expose-token": true,
  "credentials": {
    "secret": "password"
  }
}

Public key
{
  "realm": "demo",
  "resource": "product-portal",
  "auth-server-url": "/auth",
  "ssl-required": "external",
  "credentials": {
    "jwt": {
      "client-keystore-file": "classpath:keystore-client.jks",
      "client-keystore-type": "JKS",
      "client-keystore-password": "storepass",
      "client-key-password": "keypass",
      "client-key-alias": "clientkey",
      "token-expiration": 10
    }
  }
}

Bearer only
{
  "realm": "demo",
  "resource": "database-service",
  "auth-server-url": "/auth",
  "bearer-only": true,
  "ssl-required": "external"
}
2.2 web.xml

You need to add to web.xml:

  • The login authentication method used: KEYCLOAK
  • The security roles of the user for this webapp (admin and user here), and the URL patterns they protect
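A complete WEB-INF/web.xml for the customer-portal webapp, written here as an added example (not taken from the article or from the Keycloak examples). The /customers/* pattern matches the base URL registered later in RH-SSO; the /admin/* path is an assumption used to show a second, admin-only constraint.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <module-name>customer-portal</module-name>

    <!-- Every URL under /customers/ requires an authenticated user
         holding the "user" role; anonymous requests are redirected
         to the RH-SSO login page by the adapter. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customers</web-resource-name>
            <url-pattern>/customers/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Assumed admin area: only the "admin" role may reach it. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- KEYCLOAK hands authentication to the RH-SSO adapter. The realm
         actually used comes from WEB-INF/keycloak.json; the adapter
         ignores realm-name, but the element is required by the schema. -->
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>demo</realm-name>
    </login-config>

    <!-- Roles referenced above. Names are case-sensitive and must match
         the roles defined for the client in RH-SSO exactly. -->
    <security-role>
        <role-name>user</role-name>
    </security-role>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
</web-app>
```

Because the roles are created as client roles on customer-portal (section 3.3) rather than realm roles, the adapter only maps them if keycloak.json also sets "use-resource-role-mappings": true; without it, a user holding the client role is still refused.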


3. Registering the client application in RH-SSO
3.1 Realm creation – demo

Create a realm for the application to be deployed in (demo here).

3.2 Client creation – customer portal
  • Create a new client (name customer-portal)
  • client protocol: openid-connect
  • client type (access type): confidential
  • redirect URI: https://localhost:8080/customer-portal/*
  • base URL: https://localhost:8080/customer-portal/customers/view.jsp
    (The base URL is the URL that will be used to access the customer portal.)
3.3 Client customer-portal roles

Create two new roles for this application:

  • user
  • admin

This means that only users holding the user or admin role will be able to log in.

3.4 Create a user within this application

You can create a new user:

username: user1
firstname: user1
lastname: test1
password: user1

Once created, assign the user and admin roles to user1.

3.5 Prepare the export XML structure for the JBoss application server

You can now prepare the export XML structure (the adapter subsystem configuration for the client) that will be used by the JBoss application server to contact RH-SSO.

<secure-deployment name="WAR MODULE NAME.war">
    <!-- the realm, resource, auth-server-url and ssl-required child elements hold the same values as keycloak.json -->
    <credential name="secret">e8999adf-8001-4b49-8cce-04fb54ef09c6</credential>
</secure-deployment>
4. Updating the JBoss application server
4.1 Preparing standalone.xml
  • Open the standalone/configuration/standalone.xml file and search for the following text:

    <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
  • Modify this self-closing element into an open/close pair, so that the template from the Installation page can be pasted inside it:

    <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    </subsystem>
4.2 Adding the XML structure

You can now add the XML structure prepared in the previous step to the JBoss standalone.xml file:

<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="customer-portal.war">
        <!-- realm, resource, auth-server-url and ssl-required elements, as exported from RH-SSO -->
        <credential name="secret">e8999adf-8001-4b49-8cce-04fb54ef09c6</credential>
    </secure-deployment>
</subsystem>

Your system is now ready to be tested.

5. Test

Go to the URL:
You are redirected to the RH-SSO login screen, where you can log in with username user1 and password user1.