Jetty 9 Per WAR Configuration

This section describes how to secure a WAR directly by adding config and editing files within your WAR package.

The first thing you must do is create a WEB-INF/jetty-web.xml file in your WAR package. This is a Jetty specific config file and you must define a Keycloak specific authenticator within it.

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="securityHandler">
        <Set name="authenticator">
            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">

Next you must create a keycloak-saml.xml adapter config file within the WEB-INF directory of your WAR. The format of this config file is describe in the General Adapter Config section.

Finally you must specify both a login-config and use standard servlet security to specify role-base constraints on your URLs. Here’s an example:

<web-app xmlns=""



        <realm-name>this is ignored currently</realm-name>