Chapter 5. Securing a web application using OpenID Connect

You can secure an application by either updating its deployment configuration or by configuring the elytron-oidc-client subsystem.

If you use the application created in the procedure, Creating a web application, the value of the Principal comes from the ID token from the OpenID provider. By default, the Principal is the value of the "sub" claim from the token. You can specify which claim value from the ID token to use as the Principal in one of the following:

  • The elytron-oidc-client subsystem attribute principal-attribute.
  • The oidc.json file.


  • You have deployed applications on JBoss EAP.


  1. Configure the application’s web.xml to protect the application resources.


    <!DOCTYPE web-app PUBLIC
     "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
     "" >
    <web-app>
        <!-- Define the security constraints for the application resources.
             Specify the URL pattern for which a challenge is issued. -->
        <security-constraint>
            <web-resource-collection>
                <web-resource-name><!-- Name of the resources to protect --></web-resource-name>
                <url-pattern><!-- The URL to protect --></url-pattern>
            </web-resource-collection>
            <!-- Define the role that can access the protected resource -->
            <auth-constraint>
                <role-name><!-- Role name as defined in the security domain --></role-name>
                <!-- To disable authentication you can use the wildcard *
                     To authenticate but allow any role, use the wildcard **. -->
            </auth-constraint>
        </security-constraint>
        <login-config>
            <!-- The authentication method to use. For OpenID Connect, use OIDC. -->
            <auth-method></auth-method>
            <realm-name><!-- The name of realm to send in the challenge --></realm-name>
        </login-config>
    </web-app>

    For example:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.5" xmlns="">
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>secured</web-resource-name>
                <url-pattern>/secured</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>Admin</role-name>
            </auth-constraint>
        </security-constraint>
    </web-app>

    In this example, only the users with the role Admin can access the application.

  2. To secure the application with OpenID Connect, either update the deployment configuration or configure the elytron-oidc-client subsystem.


    If you configure OpenID Connect in both the deployment configuration and the elytron-oidc-client subsystem, the configuration in the elytron-oidc-client subsystem secure-deployment attribute takes precedence over the configuration in the application deployment descriptor.

    • Updating the deployment configuration:

      1. Create a file oidc.json in the WEB-INF directory, like this:

          {
              "provider-url" : "http://localhost:8180/auth/realms/example_realm",
              "ssl-required": "external",
              "client-id": "my_jbeap",
              "public-client": true,
              "confidential-port": 0
          }

      2. Update the deployment descriptor web.xml file with the following text to declare that this application uses OIDC:

          <login-config>
              <auth-method>OIDC</auth-method>
          </login-config>

    • Configuring the elytron-oidc-client subsystem:

      • To secure your application, use the following management CLI command, which sets the same values as the oidc.json file above for the deployment simple-webapp-example.war:

          /subsystem=elytron-oidc-client/secure-deployment=simple-webapp-example.war:add(client-id=my_jbeap,provider-url=http://localhost:8180/auth/realms/example_realm,public-client=true,ssl-required=external)

  3. In the application root directory, compile your application with the following command:

    $ mvn package
  4. Deploy the application.

    $ mvn wildfly:deploy
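As an added check that is not part of this chapter or of JBoss EAP, the following Python script reads a web.xml and an oidc.json of the kind configured above and reports the settings that weaken the protection: a security-constraint with no auth-constraint (the resource is never challenged), a wildcard role, a login-config whose auth-method is not OIDC (so oidc.json is never consulted), an ssl-required value other than all or external, a public client, and an unset principal-attribute (the Principal then falls back to the sub claim). The two sample inputs, and the function names audit_web_xml and audit_oidc_json, are constructed for this example.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on this chapter, not files taken from it.
WEB_XML = """<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/secured</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  </security-constraint>
  <login-config><auth-method>OIDC</auth-method></login-config>
</web-app>"""
OIDC_JSON = """{"provider-url": "http://localhost:8180/auth/realms/example_realm",
  "ssl-required": "external", "client-id": "my_jbeap", "public-client": true}"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace, if web.xml declares one

def _texts(node, name):
    return [(e.text or "").strip() for e in node.iter() if _local(e.tag) == name]

def audit_web_xml(xml_text):
    """Flag constraints that leave resources open and a login-config that is not OIDC."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in [e for e in root.iter() if _local(e.tag) == "security-constraint"]:
        patterns = ", ".join(_texts(sc, "url-pattern"))
        # Without auth-constraint the constraint describes the resource but never challenges.
        if not any(_local(e.tag) == "auth-constraint" for e in sc.iter()):
            findings.append(f"{patterns}: no auth-constraint, unauthenticated access allowed")
        elif "*" in _texts(sc, "role-name"):
            findings.append(f"{patterns}: role '*' does not restrict access to a named role")
    if _texts(root, "auth-method") != ["OIDC"]:
        findings.append("auth-method is not OIDC, oidc.json will not be used")
    return findings

def audit_oidc_json(json_text):
    """Flag client settings that weaken the redirect to the OpenID provider."""
    cfg = json.loads(json_text)
    findings = []
    if cfg.get("ssl-required") not in ("all", "external"):
        findings.append("ssl-required should be 'all' or 'external'")
    if cfg.get("public-client"):
        findings.append("public-client: no client secret is presented to the provider")
    if "principal-attribute" not in cfg:
        findings.append("principal-attribute unset: Principal will be the 'sub' claim")
    return findings
```

Run it against the WEB-INF of the packaged WAR before deploying; the sample web.xml deliberately leaves /* without an auth-constraint so that the first check fires.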


  1. In a browser, navigate to http://localhost:8080/simple-webapp-example/secured.

    You are redirected to the Red Hat Single Sign-On login page.

  2. Log in with your credentials. For example:

    username: user1
    password: passwordUser1

    You get the following output:

        Forbidden

The redirection to the Red Hat Single Sign-On login page confirms that the OIDC connection succeeds, and the output confirms that users without the role Admin cannot access the application. To add the role Admin to the user user1, see Creating and assigning user roles in Red Hat Single Sign-On.