In this document you will learn how to integrate security for Wildfly Administration Console with Keycloak using Elytron subsystem.
When running Wildfly, it must be using port 8080 (default port). The following command can be used to start the server:
For Keycloak, use the following command to start the server on port 8180:
Keycloak integration is only possible when using Keycloak Wildfly Elytron Adapter. This adapter is fully integrated with the new security infrastructure in Wildfly provided by Elytron and its subsystem.
Download the latest version of Wildfly Client Adapters and follow the instructions in this document to extract/install the adapters in your Wildfly installation. Make sure you run the following script when installing the adapter:
We'll be protecting both administration console and HTTP management interface in Wildfly. For that, we need to create a Keycloak realm and two client applications, where these clients will be used to configure security for both administration console and HTTP management interface.
Start your Keycloak server using the following command:
After running the command above you should be able to access Keycloak Administration Console at http://localhost:8180/auth and log in.
|If you are running the server for the first name, you will be prompted to create an initial admin user to get started. Once you provide the username and password for the admin user you'll be redirected to Keycloak Administration Console login page.|
Create a realm with a name wildfly-infra.
Create a client application with a name wildfly-console and configure it as follows:
- Select public in the Access Type field
- Add a new Valid Redirect URI with a value http://localhost:9990/console/*
- Add a new Web Origins with a value http://localhost:9990
Save changes for client wildfly-console and make sure it is properly updated. The client should have a configuration similar to following:
Create another client application with a name wildfly-management and configure it as follows:
- Select bearer-only in the Access Type field
Save changes for client wildfly-management and make sure it is properly updated. The client should have a configuration similar to following:
Create a Realm Role with a name ADMINISTRATOR. It is important to keep the name in uppercase.
|For example purposes, we are only using the ADMINISTRATOR role to grant users access to the administration console. However, Wildfly also supports other roles with different access scopes. For more details, please take a look at https://docs.jboss.org/author/display/WFLY/RBAC.|
As a last configuration step, you need to configure Keycloak, Elytron and core subsystems to protect both management services.
Copy and paste the following commands to a new file with a name protect-wildfly-mgmt-services.cli:Before saving the new file, you need to obtain the public key of jboss-infra realm and replace [REALM_PUBLIC_KEY] in the first command above with the value of the public key. To obtain realm's public key, go to Keycloak Administration Console, select Realm Settings on the left side menu and than click on the Keys tab. You should see a page as follows:
For last, execute the protect-wildfly-mgmt-services.cli script using JBoss CLI. Make sure your Wildfly instance is running before running the script:
If everything is correct you should be able to access the Wildfly Administration Console now after authenticating in Keycloak.
Try to access Wildfly Administration Console and you should be redirected to a login page in Keycloak. You should be able to log in as the admin user you created in the jboss-infra realm.