[WFLY-15167] added simple-webbapp-oidc quickstart

istudens · istudens · commit 6184b4ea2b1c · 2023-06-28T14:09:26.000+02:00
diff --git a/oidc-webapp/README.adoc b/oidc-webapp/README.adoc
@@ -0,0 +1,70 @@
+include::../shared-doc/attributes.adoc[]
+
+= oidc-webapp: Securing an application deployed to WildFly with OpenID Connect (OIDC)
+:toc:               left
+:icons:             font
+:idprefix:
+:idseparator:       -
+:level: Beginner
+:technologies: OIDC
+:openshift: false
+
+[abstract]
+The `oidc-webapp` quickstart demonstrates a simple application, bundled and deployed as a WAR, secured with OpenID Connect (OIDC).
+
+:standalone-server-type: custom
+:serverArguments: -Djboss.socket.binding.port-offset=10
+:archiveType: war
+:mavenDeployArgs: wildfly:deploy -Dwildfly.port=10000
+
+== What is it?
+
+The `oidc-webapp` quickstart demonstrates how to secure an application deployed to {productNameFull} with OpenID Connect
+(OIDC) without needing to use the Keycloak client adapter.
+
+The OIDC configuration in this example is part of the deployment itself. Alternatively,
+this configuration could be specified via the `elytron-oidc-client` subsystem instead.
+For more details, take a look at the https://docs.wildfly.org/28/Admin_Guide.html#Elytron_OIDC_Client[documentation].
+
+// System Requirements
+include::../shared-doc/system-requirements.adoc[leveloffset=+1]
+// Use of {jbossHomeName}
+include::../shared-doc/use-of-jboss-home-name.adoc[leveloffset=+1]
+
+== Set up your Keycloak OpenID provider
+
+Follow the steps in this https://www.keycloak.org/getting-started/getting-started-docker[getting started guide] to
+start Keycloak, create a realm called `myrealm`, create a user called `myuser`, and register a client called `myclient`.
+
+After registering our client, `myclient`, we also need to configure valid redirect URIs. Simply click
+on `Clients` and then on `myclient`. In the `Valid Redirect URIs` field, enter http://localhost:8090/oidc-webapp/*.
+
+// build and run with standard server distribution
+[[build_and_run_the_quickstart_with_server_dist]]
+== Building and running the quickstart application with a {productName} server distribution
+
+First, we're going to start our WildFly instance (notice that we're specifying a port offset here
+since our Keycloak instance is already exposed on port 8080).
+
+// Start the {productName} Standalone Server
+include::../shared-doc/start-the-standalone-server.adoc[leveloffset=+2]
+// Build and Deploy the Quickstart
+include::../shared-doc/build-and-deploy-the-quickstart.adoc[leveloffset=+2]
+
+## Access the app
+
+We can access our application using `http://localhost:8090/oidc-webapp/`.
+
+Click on "Access Secured Servlet".
+
+Now, you'll be redirected to Keycloak to log in. Log in with `myuser` and the password that you
+set when configuring Keycloak.
+
+Next, you'll be redirected back to our application and you should see the "Secured Servlet" page.
+
+We were able to successfully log in to our application via the Keycloak OpenID provider!
+
+// Build and run sections for other environments/builds
+ifndef::ProductRelease,EAPXPRelease[]
+include::../shared-doc/build-and-run-the-quickstart-with-provisioned-server.adoc[leveloffset=+1]
+endif::[]
diff --git a/oidc-webapp/pom.xml b/oidc-webapp/pom.xml
@@ -0,0 +1,171 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    JBoss, Home of Professional Open Source
+    Copyright 2023, Red Hat, Inc. and/or its affiliates, and individual
+    contributors by the @authors tag. See the copyright.txt in the
+    distribution for a full listing of individual contributors.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.wildfly.quickstarts</groupId>
+        <artifactId>wildfly-quickstart-parent</artifactId>
+        <!--
+        Maintain separation between the artifact id and the version to help prevent
+        merge conflicts between commits changing the GA and those changing the V.
+        -->
+        <version>3</version>
+        <relativePath/>
+    </parent>
+    <artifactId>oidc-webapp</artifactId>
+    <version>29.0.0.Alpha1-SNAPSHOT</version>
+    <packaging>war</packaging>
+    <name>Quickstart: OIDC Webapp</name>
+    <description>This quickstart demonstrates how to secure an application with OpenID Connect (OIDC) without needing to use the Keycloak client adapter</description>
+
+    <licenses>
+        <license>
+            <name>Apache License, Version 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+
+    <properties>
+        <!-- The versions for BOMs, Dependencies and Plugins -->
+        <version.server.bom>28.0.0.Final</version.server.bom>
+        <version.server>28.0.0.Final</version.server>
+        <version.wildfly.maven.plugin>4.1.0.Final</version.wildfly.maven.plugin>
+        <version.cloud.fp>3.0.0.Final</version.cloud.fp>
+    </properties>
+
+    <repositories>
+        <repository>
+            <id>jboss-public-maven-repository</id>
+            <name>JBoss Public Maven Repository</name>
+            <url>https://repository.jboss.org/nexus/content/groups/public/</url>
+            <releases>
+                <enabled>true</enabled>
+                <updatePolicy>never</updatePolicy>
+            </releases>
+            <snapshots>
+                <enabled>true</enabled>
+                <updatePolicy>never</updatePolicy>
+            </snapshots>
+            <layout>default</layout>
+        </repository>
+        <repository>
+            <id>redhat-ga-maven-repository</id>
+            <name>Red Hat GA Maven Repository</name>
+            <url>https://maven.repository.redhat.com/ga/</url>
+            <releases>
+                <enabled>true</enabled>
+                <updatePolicy>never</updatePolicy>
+            </releases>
+            <snapshots>
+                <enabled>true</enabled>
+                <updatePolicy>never</updatePolicy>
+            </snapshots>
+            <layout>default</layout>
+        </repository>
+    </repositories>
+    <pluginRepositories>
+        <pluginRepository>
+            <id>jboss-public-maven-repository</id>
+            <name>JBoss Public Maven Repository</name>
+            <url>https://repository.jboss.org/nexus/content/groups/public/</url>
+            <releases>
+                <enabled>true</enabled>
+            </releases>
+            <snapshots>
+                <enabled>true</enabled>
+            </snapshots>
+        </pluginRepository>
+        <pluginRepository>
+            <id>redhat-ga-maven-repository</id>
+            <name>Red Hat GA Maven Repository</name>
+            <url>https://maven.repository.redhat.com/ga/</url>
+            <releases>
+                <enabled>true</enabled>
+            </releases>
+            <snapshots>
+                <enabled>true</enabled>
+            </snapshots>
+        </pluginRepository>
+    </pluginRepositories>
+
+    <dependencyManagement>
+        <dependencies>
+            <!-- importing the jakartaee-with-tools BOM adds specs and other useful artifacts as managed dependencies -->
+            <dependency>
+                <groupId>org.wildfly.bom</groupId>
+                <artifactId>wildfly-ee-with-tools</artifactId>
+                <version>${version.server.bom}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <!-- Import the Servlet API, we use provided scope as the API is included
+        in JBoss EAP -->
+        <dependency>
+            <groupId>jakarta.servlet</groupId>
+            <artifactId>jakarta.servlet-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+    </dependencies>
+
+    <profiles>
+        <profile>
+            <id>provisioned-server</id>
+            <dependencies>
+                <dependency>
+                    <groupId>org.wildfly.arquillian</groupId>
+                    <artifactId>wildfly-arquillian-container-managed</artifactId>
+                    <scope>test</scope>
+                </dependency>
+            </dependencies>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.wildfly.plugins</groupId>
+                        <artifactId>wildfly-maven-plugin</artifactId>
+                        <version>${version.wildfly.maven.plugin}</version>
+                        <configuration>
+                            <feature-packs>
+                                <feature-pack>
+                                    <location>org.wildfly:wildfly-galleon-pack:${version.server}</location>
+                                </feature-pack>
+                            </feature-packs>
+                            <layers>
+                                <layer>cloud-server</layer>
+                                <layer>elytron-oidc-client</layer>
+                            </layers>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>package</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
+
+</project>
diff --git a/oidc-webapp/src/main/java/org/wildfly/quickstarts/oidc/simplewebapp/SecuredServlet.java b/oidc-webapp/src/main/java/org/wildfly/quickstarts/oidc/simplewebapp/SecuredServlet.java
@@ -0,0 +1,56 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2017 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.wildfly.quickstarts.oidc.simplewebapp;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.security.Principal;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+/**
+ * A simple secured HTTP servlet.
+ *
+ * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
+ */
+@WebServlet("/secured")
+public class SecuredServlet extends HttpServlet {
+
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        try (PrintWriter writer = resp.getWriter()) {
+            writer.println("<html>");
+            writer.println("  <head><title>Secured Servlet</title></head>");
+            writer.println("  <body>");
+            writer.println("    <h1>Secured Servlet</h1>");
+            writer.println("    <p>");
+            writer.print(" Current Principal '");
+            Principal user = req.getUserPrincipal();
+            writer.print(user != null ? user.getName() : "NO AUTHENTICATED USER");
+            writer.print("'");
+            writer.println("    </p>");
+            writer.println("  </body>");
+            writer.println("</html>");
+        }
+    }
+
+}
diff --git a/oidc-webapp/src/main/webapp/WEB-INF/oidc.json b/oidc-webapp/src/main/webapp/WEB-INF/oidc.json
@@ -0,0 +1,8 @@
+{
+    "client-id" : "myclient",
+    "provider-url" : "${env.OIDC_PROVIDER_URL:http://localhost:8080}/realms/myrealm",
+    "public-client" : "true",
+    "principal-attribute" : "preferred_username",
+    "ssl-required" : "EXTERNAL"
+}
+
diff --git a/oidc-webapp/src/main/webapp/WEB-INF/web.xml b/oidc-webapp/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
+   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+   metadata-complete="false">
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>secured</web-resource-name>
+            <url-pattern>/secured</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>*</role-name>
+        </auth-constraint>   
+    </security-constraint>
+
+    <login-config>
+        <auth-method>OIDC</auth-method>
+    </login-config>
+
+    <security-role>
+        <role-name>*</role-name>
+    </security-role>
+</web-app>
diff --git a/oidc-webapp/src/main/webapp/index.html b/oidc-webapp/src/main/webapp/index.html
@@ -0,0 +1,6 @@
+<html>
+  <body>
+    <h2>Hello World!</h2>
+    <a href="./secured">Access Secured Servlet</a>
+  </body>
+</html>
diff --git a/pom.xml b/pom.xml
@@ -339,6 +339,7 @@
                 <module>microprofile-reactive-messaging-kafka</module>
                 <module>microprofile-rest-client</module>
                 <module>numberguess</module>
+                <module>oidc-webapp</module>
                 <module>remote-helloworld-mdb</module>
                 <module>security-domain-to-domain</module>
                 <module>servlet-async</module>
diff --git a/shared-doc/build-and-deploy-the-quickstart.adoc b/shared-doc/build-and-deploy-the-quickstart.adoc
@@ -20,6 +20,10 @@
 // * To override the Maven command, define the `mavenCommand` variable,
 //   for example:
 //    :mavenCommand: clean install wildfly:deploy
+//
+// * To override the Maven deploy command arguments, define the `mavenDeployArgs` variable,
+//   for example:
+//    :mavenDeployArgs: wildfly:deploy -Dwildfly.port=10000
 //******************************************************************************
 
 // The archive name defaults to the artifactId if not overridden
@@ -84,11 +88,15 @@ endif::reactive-messaging[]
 $ mvn {mavenCommand}
 ----
 
+ifndef::mavenDeployArgs[]
+:mavenDeployArgs: wildfly:deploy
+endif::mavenDeployArgs[]
+
 . Type the following command to deploy the quickstart.
 +
 [source,subs="attributes+",options="nowrap"]
 ----
-$ mvn wildfly:deploy
+$ mvn {mavenDeployArgs}
 ----
 
 ifdef::rest-client-qs[]

-Original file line number
+Diff line change
@@ @@ -0,0 +1,6 @@ @@
 +<html>
 +  <body>
 +    <h2>Hello World!</h2>
 +    <a href="./secured">Access Secured Servlet</a>
 +  </body>
 +</html>