Chapter 5. Securing a web application using OpenID Connect


You can secure an application by either updating its deployment configuration or by configuring the elytron-oidc-client subsystem.

If you use the application created in the procedure, Creating a web application, the value of the Principal comes from the ID token from the OpenID provider. By default, the Principal is the value of the "sub" claim from the token. You can specify which claim value from the ID token to use as the Principal in one of the following:

  • The elytron-oidc-client subsystem attribute principal-attribute.
  • The oidc.json file.

Prerequisites

  • You have deployed applications on JBoss EAP.

Procedure

  1. Configure the application’s web.xml to protect the application resources.

    Syntax

    <!DOCTYPE web-app PUBLIC
     "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
     "http://java.sun.com/dtd/web-app_2_3.dtd" >
    
    <web-app>
    
     <!-- Define the security constraints for the application resources.
          Specify the URL pattern for which a challenge is -->
    
     <security-constraint>
            <web-resource-collection>
                <web-resource-name><!-- Name of the resources to protect --></web-resource-name>
                <url-pattern> <!-- The URL to protect  --></url-pattern>
            </web-resource-collection>
    
            <!-- Define the role that can access the protected resource -->
            <auth-constraint>
                <role-name> <!-- Role name as defined in the security domain --></role-name>
                <!-- To disable authentication you can use the wildcard *
                	 To authenticate but allow any role, use the wildcard **. -->
            </auth-constraint>
        </security-constraint>
    
        <login-config>
            <auth-method>
            	<!-- The authentication method to use. Can be:
            		BASIC
            		CLIENT-CERT
            		DIGEST
            		FORM
            		SPNEGO
            	 -->
            </auth-method>
    
            <realm-name><!-- The name of realm to send in the challenge  --></realm-name>
        </login-config>
     </web-app>

    Example

    <?xml version="1.0" encoding="UTF-8"?>
    
    <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
        metadata-complete="false">
    
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>secured</web-resource-name>
                <url-pattern>/secured</url-pattern>
            </web-resource-collection>
    
            <auth-constraint>
                <role-name>Admin</role-name>
            </auth-constraint>
        </security-constraint>
    
        <login-config>
            <auth-method></auth-method>
        </login-config>
    
        <security-role>
            <role-name>*</role-name>
        </security-role>
    </web-app>

    In this example, only the users with the role Admin can access the application.

  2. To secure the application with OpenID Connect, either update the deployment configuration or configure the elytron-oidc-client subsystem.

    Note

    If you configure OpenID Connect in both the deployment configuration and the elytron-oidc-client subsystem, the configuration in the elytron-oidc-client subsystem secure-deployment attribute takes precedence over the configuration in the application deployment descriptor.

    • Updating the deployment configuration:

      1. Create a file oidc.json in the WEB-INF directory, like this:

        {
          "provider-url" : "http://localhost:8180/auth/realms/example_realm",
          "ssl-required": "external",
          "client-id": "my_jbeap",
          "public-client": true,
          "confidential-port": 0
        }
      2. Update the deployment descriptor web.xml file with the following text to declare that this application uses OIDC:

        <login-config>
            <auth-method>OIDC</auth-method>
        </login-config>
    • Configuring the elytron-oidc-client subsystem:

      • To secure your application, use the following management CLI command:

        /subsystem=elytron-oidc-client/secure-deployment=simple-oidc-example.war/:add(client-id=my_jbeap,provider-url=http://localhost:8180/auth/realms/example_realm,public-client=true,ssl-required=external)
  3. In the application root directory, compile your application with the following command:

    $ mvn package
  4. Deploy the application.

    $ mvn wildfly:deploy

Verification

  1. In a browser, navigate to http://localhost:8080/simple-webapp-example/secured.

    You are redirected to Red Hat Single Sign-On login page.

  2. Log in with your credentials. For example:

    username: user1
    password: passwordUser1

    You get the following output:

    Forbidden

The redirection to Red Hat Single Sign-On login page confirms that the OIDC connection succeeds and the output confirms that users without the role Admin cannot access the application. To add the role Admin to the user user1, see Creating and assigning user roles in Red Hat Single Sign-On.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.