Chapter 5. Securing a web application using OpenID Connect
You can secure an application by either updating its deployment configuration or by configuring the elytron-oidc-client subsystem.
If you use the application created in the procedure, Creating a web application, the value of the Principal comes from the ID token from the OpenID provider. By default, the Principal is the value of the "sub" claim from the token. You can specify which claim value from the ID token to use as the Principal in one of the following:
- The elytron-oidc-client subsystem attribute principal-attribute.
- The oidc.json file.
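As an added illustration (not code from the original procedure), the following servlet is mapped to the /secured URL pattern that the web.xml example in this chapter protects. The container authenticates the caller against the OpenID provider before the servlet runs, so it simply reports which value became the Principal and whether the caller holds the Admin role that the auth-constraint requires. It assumes JBoss EAP 7 with the javax.servlet API (EAP 8 uses jakarta.servlet instead) and a hypothetical class name, SecuredServlet. If principal-attribute=preferred_username were added to the secure-deployment (a value assumed here for illustration), the printed name would be the username rather than the "sub" claim.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical servlet name; the mapping matches the <url-pattern>/secured</url-pattern>
// of the web.xml example, so the security-constraint applies before doGet() is reached.
@WebServlet("/secured")
public class SecuredServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Populated by the OIDC authentication mechanism from the ID token.
        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            // Only reachable when the URL is not covered by a security-constraint,
            // for example after a typo in <url-pattern>; treat it as a misconfiguration.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            out.println("No authenticated principal: check the security-constraint in web.xml");
            return;
        }

        // Default: the "sub" claim. With principal-attribute=preferred_username (assumed
        // value) the name would instead be the username the user logged in with.
        out.println("Principal: " + principal.getName());

        // Role check against the same role name used in <auth-constraint>.
        // A user without it never reaches this line: the container answers Forbidden.
        out.println("Has role Admin: " + req.isUserInRole("Admin"));
    }
}
```

The null check is defensive only: once the security-constraint covers /secured, an unauthenticated browser is redirected to the provider and a user without the Admin role receives Forbidden from the container, exactly as the Verification section describes.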
Prerequisites
- You have deployed applications on JBoss EAP.
Procedure
Configure the application's web.xml to protect the application resources.
Syntax
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <!-- Define the security constraints for the application resources. Specify the URL pattern for which a challenge is -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name><!-- Name of the resources to protect --></web-resource-name>
            <url-pattern><!-- The URL to protect --></url-pattern>
        </web-resource-collection>
        <!-- Define the role that can access the protected resource -->
        <auth-constraint>
            <role-name><!-- Role name as defined in the security domain --></role-name>
            <!-- To disable authentication you can use the wildcard *
                 To authenticate but allow any role, use the wildcard **. -->
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>
            <!-- The authentication method to use. Can be:
                 BASIC
                 CLIENT-CERT
                 DIGEST
                 FORM
                 SPNEGO -->
        </auth-method>
        <realm-name><!-- The name of realm to send in the challenge --></realm-name>
    </login-config>
</web-app>
Example
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         metadata-complete="false">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secured</web-resource-name>
            <url-pattern>/secured</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Admin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method></auth-method>
    </login-config>
    <security-role>
        <role-name>*</role-name>
    </security-role>
</web-app>
In this example, only the users with the role Admin can access the application.
To secure the application with OpenID Connect, either update the deployment configuration or configure the elytron-oidc-client subsystem.
Note: If you configure OpenID Connect in both the deployment configuration and the elytron-oidc-client subsystem, the configuration in the elytron-oidc-client subsystem secure-deployment attribute takes precedence over the configuration in the application deployment descriptor.
Updating the deployment configuration:
Create a file oidc.json in the WEB-INF directory, like this:
{
    "provider-url" : "http://localhost:8180/auth/realms/example_realm",
    "ssl-required": "external",
    "client-id": "my_jbeap",
    "public-client": true,
    "confidential-port": 0
}
Update the deployment descriptor web.xml file with the following text to declare that this application uses OIDC:
<login-config>
    <auth-method>OIDC</auth-method>
</login-config>
Configuring the elytron-oidc-client subsystem:
To secure your application, use the following management CLI command:
/subsystem=elytron-oidc-client/secure-deployment=simple-oidc-example.war/:add(client-id=my_jbeap,provider-url=http://localhost:8180/auth/realms/example_realm,public-client=true,ssl-required=external)
In the application root directory, compile your application with the following command:
$ mvn package
Deploy the application.
$ mvn wildfly:deploy
Verification
In a browser, navigate to http://localhost:8080/simple-webapp-example/secured. You are redirected to the Red Hat Single Sign-On login page.
Log in with your credentials. For example:
username: user1
password: passwordUser1
You get the following output:
Forbidden
The redirection to the Red Hat Single Sign-On login page confirms that the OIDC connection succeeds, and the output confirms that users without the role Admin cannot access the application. To add the role Admin to the user user1, see Creating and assigning user roles in Red Hat Single Sign-On.
Additional resources