
Chapter 5. Securing a web application using OpenID Connect


You can secure an application by either updating its deployment configuration or by configuring the elytron-oidc-client subsystem.

If you use the application created in the procedure Creating a web application, the value of the Principal comes from the ID token issued by the OpenID provider. By default, the Principal is the value of the "sub" claim from the token. You can specify which claim value from the ID token to use as the Principal in one of the following places:

  • The elytron-oidc-client subsystem attribute principal-attribute.
  • The oidc.json file.

Prerequisites

  • You have deployed applications on JBoss EAP.

Procedure

  1. Configure the application’s web.xml to protect the application resources.

    Syntax

    <!DOCTYPE web-app PUBLIC
     "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
     "http://java.sun.com/dtd/web-app_2_3.dtd" >

    <web-app>

        <!-- Define the security constraints for the application resources.
             Specify the URL pattern for which a challenge is -->

        <security-constraint>
            <web-resource-collection>
                <web-resource-name><!-- Name of the resources to protect --></web-resource-name>
                <url-pattern><!-- The URL to protect --></url-pattern>
            </web-resource-collection>

            <!-- Define the role that can access the protected resource -->
            <auth-constraint>
                <role-name><!-- Role name as defined in the security domain --></role-name>
                <!-- To disable authentication you can use the wildcard *.
                     To authenticate but allow any role, use the wildcard **. -->
            </auth-constraint>
        </security-constraint>

        <login-config>
            <auth-method>
                <!-- The authentication method to use. Can be:
                     BASIC
                     CLIENT-CERT
                     DIGEST
                     FORM
                     SPNEGO
                -->
            </auth-method>

            <realm-name><!-- The name of the realm to send in the challenge --></realm-name>
        </login-config>
    </web-app>

    Example

    <?xml version="1.0" encoding="UTF-8"?>
    
    <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
        metadata-complete="false">
    
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>secured</web-resource-name>
                <url-pattern>/secured</url-pattern>
            </web-resource-collection>
    
            <auth-constraint>
                <role-name>Admin</role-name>
            </auth-constraint>
        </security-constraint>
    
        <login-config>
            <auth-method></auth-method>
        </login-config>
    
        <security-role>
            <role-name>*</role-name>
        </security-role>
    </web-app>

    In this example, only the users with the role Admin can access the application.

  2. To secure the application with OpenID Connect, either update the deployment configuration or configure the elytron-oidc-client subsystem.

    Note

    If you configure OpenID Connect in both the deployment configuration and the elytron-oidc-client subsystem, the configuration in the elytron-oidc-client subsystem secure-deployment attribute takes precedence over the configuration in the application deployment descriptor.

    • Updating the deployment configuration:

      1. Create a file oidc.json in the WEB-INF directory, like this:

        {
          "provider-url" : "http://localhost:8180/auth/realms/example_realm",
          "ssl-required": "external",
          "client-id": "my_jbeap",
          "public-client": true,
          "confidential-port": 0
        }
      2. Update the deployment descriptor web.xml file with the following text to declare that this application uses OIDC:

        <login-config>
            <auth-method>OIDC</auth-method>
        </login-config>
    • Configuring the elytron-oidc-client subsystem:

      • To secure your application, use the following management CLI command:

        /subsystem=elytron-oidc-client/secure-deployment=simple-oidc-example.war/:add(client-id=my_jbeap,provider-url=http://localhost:8180/auth/realms/example_realm,public-client=true,ssl-required=external)
  3. In the application root directory, compile your application with the following command:

    $ mvn package
  4. Deploy the application.

    $ mvn wildfly:deploy
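Before deploying, it is worth checking that the two pieces of configuration from steps 1 and 2 actually say what you intend: that every protected URL pattern carries a role constraint, that the login method is OIDC, and that oidc.json has not been weakened (for example ssl-required set to none, or a plain-HTTP provider-url pointing at a remote host). The following Python script is an added example, not part of this Red Hat documentation or of JBoss EAP; it parses a web.xml and an oidc.json (sample copies of the descriptors above, constructed inline so the script runs offline) and prints its findings. The file names, the list of checks and the finding messages are this example's own choices.

```python
"""Review a JBoss EAP OIDC deployment configuration before deploying it.

Added example, not part of the Red Hat documentation or of JBoss EAP. It
parses a web.xml and an oidc.json and reports settings a reviewer would
want to confirm: every protected url-pattern carries an auth-constraint
with at least one role, the auth-method is OIDC, and oidc.json does not
weaken transport security. Runs offline on the constructed samples below.
"""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample inputs mirroring the descriptors in the procedure above.
WEB_XML = """<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secured</web-resource-name>
            <url-pattern>/secured</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Admin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>OIDC</auth-method>
    </login-config>
    <security-role>
        <role-name>*</role-name>
    </security-role>
</web-app>
"""

OIDC_JSON = """{
  "provider-url" : "http://localhost:8180/auth/realms/example_realm",
  "ssl-required": "external",
  "client-id": "my_jbeap",
  "public-client": true,
  "confidential-port": 0
}
"""


def check_web_xml(web_xml_text):
    """Return a list of findings for web.xml (an empty list means it reads as intended)."""
    findings = []
    root = ET.fromstring(web_xml_text)
    # A 2.5 descriptor declares the Java EE namespace; the 2.3 DTD form does not.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""

    constraints = root.findall(ns + "security-constraint")
    if not constraints:
        findings.append("no security-constraint: no resource is protected")
    for sc in constraints:
        patterns = [p.text.strip() for p in sc.iter(ns + "url-pattern") if p.text]
        auth = sc.find(ns + "auth-constraint")
        if auth is None:
            findings.append(f"{patterns}: no auth-constraint, reachable without logging in")
            continue
        roles = [r.text.strip() for r in auth.findall(ns + "role-name") if r.text]
        if not roles:
            # An auth-constraint with no role-name denies access to everyone.
            findings.append(f"{patterns}: empty auth-constraint denies every user")

    login = root.find(ns + "login-config")
    method = login.findtext(ns + "auth-method", "").strip() if login is not None else ""
    if method != "OIDC":
        findings.append(f"auth-method is {method!r}, expected 'OIDC'")
    return findings


def check_oidc_json(oidc_text):
    """Return a list of findings for the oidc.json adapter configuration."""
    findings = []
    cfg = json.loads(oidc_text)
    for key in ("provider-url", "client-id"):
        if not cfg.get(key):
            findings.append(f"oidc.json: missing {key!r}")
    ssl = cfg.get("ssl-required")
    if ssl is None:
        findings.append("oidc.json: ssl-required not set explicitly")
    elif ssl == "none":
        findings.append("oidc.json: ssl-required is 'none', so HTTPS is never required")
    url = cfg.get("provider-url", "")
    host = urlparse(url).hostname or ""
    # Plain HTTP to the provider is acceptable only for a local development SSO.
    if url.startswith("http://") and host not in ("localhost", "127.0.0.1"):
        findings.append(f"oidc.json: provider-url {url} uses plain HTTP to a remote host")
    return findings


def review(web_xml_text=WEB_XML, oidc_text=OIDC_JSON):
    """Combine both checks; an empty list means the configuration matches the procedure."""
    return check_web_xml(web_xml_text) + check_oidc_json(oidc_text)


if __name__ == "__main__":
    for line in review() or ["no findings"]:
        print(line)
```

Run it against the samples and it reports no findings; point `review()` at your own descriptors (read from WEB-INF) to see the same checks applied there. Note that it only inspects the deployment-descriptor route: when the elytron-oidc-client subsystem's secure-deployment attribute is also set, that configuration takes precedence and has to be reviewed in the management model instead.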

Verification

  1. In a browser, navigate to http://localhost:8080/simple-webapp-example/secured.

    You are redirected to the Red Hat Single Sign-On login page.

  2. Log in with your credentials. For example:

    username: user1
    password: passwordUser1

    You get the following output:

    Forbidden

The redirection to the Red Hat Single Sign-On login page confirms that the OIDC connection succeeds, and the Forbidden output confirms that users without the role Admin cannot access the application. To add the role Admin to the user user1, see Creating and assigning user roles in Red Hat Single Sign-On.

© 2025 Red Hat