Tomcat 6, 7 and 8 Adapters

To be able to secure WAR apps deployed on Tomcat 6, 7 and 8 you must install the Keycloak Tomcat 6, 7 or 8 adapter into your Tomcat installation. You then have to provide some extra configuration in each WAR you deploy to Tomcat. Let’s go over these steps.

Adapter Installation

Adapters are no longer included with the appliance or war distribution. Each adapter is a separate download on the Keycloak download site. They are also available as a maven artifact.

You must unzip the adapter distro into Tomcat’s lib/ directory. Including adapter’s jars within your WEB-INF/lib directory will not work! The Keycloak adapter is implemented as a Valve and valve code must reside in Tomcat’s main lib/ directory.

$ cd $TOMCAT_HOME/lib
$ unzip
$ unzip
$ unzip
Required Per WAR Configuration

This section describes how to secure a WAR directly by adding config and editing files within your WAR package.

The first thing you must do is create a META-INF/context.xml file in your WAR package. This is a Tomcat specific config file and you must define a Keycloak specific Valve.

<Context path="/your-context-path">
    <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>

Next you must create a keycloak.json adapter config file within the WEB-INF directory of your WAR.

The format of this config file is describe in the Java adapter configuration

Finally you must specify both a login-config and use standard servlet security to specify role-base constraints on your URLs. Here’s an example:

<web-app xmlns=""



        <realm-name>this is ignored currently</realm-name>