Keycloak Security
This guide describes the configuration of the Keycloak implementation of Apache Isis' Authenticator and Authorizor APIs.
Maven pom.xml
Dependency Management
If your application inherits from the Apache Causeway starter app (org.apache.causeway.app:causeway-app-starter-parent) then that will define the version automatically:
<parent>
    <groupId>org.apache.causeway.app</groupId>
    <artifactId>causeway-app-starter-parent</artifactId>
    <version>2.0.0-RC1</version>
    <relativePath/>
</parent>
Alternatively, import the core BOM. This is usually done in the top-level parent pom of your application:
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.apache.causeway.core</groupId>
            <artifactId>causeway-core</artifactId>
            <version>2.0.0-RC1</version>
            <scope>import</scope>
            <type>pom</type>
        </dependency>
    </dependencies>
</dependencyManagement>
Update AppManifest
In your application’s AppManifest (top-level Spring @Configuration used to bootstrap the app), import the
@Configuration
@Import({
    // ... other modules ...
    IsisModuleSecurityKeycloak.class,
    // ... other modules ...
})
public class AppManifest {
}
Make sure that no other IsisModuleSecurityXxx module is imported.
Design
The module configures a filter that expects Keycloak to set three X-Auth-Xxx headers:
- X-Auth-Userid is used as the username
- X-Auth-Roles is a comma-separated set of roles. The org.apache.isis.viewer.wicket.roles.USER role, as required by the Web UI (Wicket viewer), is automatically added to this list of roles.
- X-Auth-Subject is unused
The user and roles are accessible programmatically from the UserMemento obtained from the UserService domain service.
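The header handling described above, sketched as an added example using only the JDK; it is not the Keycloak module's own filter. The class, record and method names are hypothetical, and treating a missing or blank X-Auth-Userid as unauthenticated is an assumption.

```java
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Illustrative only: not the Keycloak module's own filter. Requires Java 16+ (records). */
public class AuthHeaderExample {

    // Role name taken from the page; added to every authenticated user.
    static final String WICKET_USER_ROLE = "org.apache.isis.viewer.wicket.roles.USER";

    /** Hypothetical value type holding what is derived from the headers. */
    record Principal(String userId, Set<String> roles) {}

    /**
     * Derives the user and roles from request headers. Keys are assumed to be
     * lower-cased already, since HTTP header names are case-insensitive.
     * Assumption: a missing or blank X-Auth-Userid means "not authenticated".
     */
    static Optional<Principal> fromHeaders(Map<String, String> headers) {
        String userId = headers.get("x-auth-userid");
        if (userId == null || userId.isBlank()) {
            return Optional.empty();
        }
        Set<String> roles = new LinkedHashSet<>();
        String rolesHeader = headers.getOrDefault("x-auth-roles", "");
        for (String role : rolesHeader.split(",")) {
            String trimmed = role.trim();
            if (!trimmed.isEmpty()) { // skip empty entries such as "a,,b"
                roles.add(trimmed);
            }
        }
        roles.add(WICKET_USER_ROLE);
        // X-Auth-Subject is deliberately ignored: the page states it is unused.
        return Optional.of(new Principal(userId.trim(), roles));
    }

    public static void main(String[] args) {
        // Constructed sample headers, in the shape the filter expects to receive.
        Map<String, String> ok = Map.of(
                "x-auth-userid", "sven",
                "x-auth-roles", "admin, sales,,",
                "x-auth-subject", "constructed-subject-id");
        System.out.println(fromHeaders(ok));
        // No user id header: unauthenticated under the assumption above.
        System.out.println(fromHeaders(Map.of("x-auth-roles", "admin")));
    }
}
```

Because the user and roles are taken directly from these headers, the filter is only as trustworthy as whatever sets them: requests that reach the application with client-supplied X-Auth-Xxx headers would be interpreted the same way.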