This project demonstrates a modern, secure Java web application architecture using WildFly as the application server and Keycloak for authentication, all orchestrated with Kubernetes. The application features a responsive dashboard with user role-based access controls.
```text
                        ┌───────────┐
                        │   User    │
                        └─────┬─────┘
                              │
                              │ HTTPS
                              ▼
┌───────────────────────────────────────────────────────────┐
│                    Kubernetes Cluster                     │
│                                                           │
│   ┌─────────────┐     ┌─────────────┐     ┌──────────┐    │
│   │   Ingress   │─────▶   WildFly   │     │          │    │
│   │   (Nginx)   │     │  (Java App) │◀───▶│ Keycloak │    │
│   └─────────────┘     └─────────────┘     │   OIDC   │    │
│          │                                │ Provider │    │
│          │                                └────┬─────┘    │
│          │            ┌─────────────┐          │          │
│          └───────────▶│  Keycloak   │◀─────────┘          │
│                       │    Admin    │                      │
│                       └──────┬──────┘                      │
│                              │                             │
│                              ▼                             │
│                       ┌─────────────┐                      │
│                       │ PostgreSQL  │                      │
│                       └─────────────┘                      │
└───────────────────────────────────────────────────────────┘
```
- Secure Authentication: OpenID Connect (OIDC) authentication via Keycloak
- Responsive Dashboard: Mobile-friendly UI with dynamic content
- Role-Based Access Control: Different views and capabilities for admin and regular users
- Session Management: Tracks user activity and session duration
- TLS/SSL Security: End-to-end encryption with custom certificates
- Kubernetes Deployment: Complete containerized deployment setup
- Docker and Kubernetes (local or remote cluster)
- Java 11 or higher
- Maven
- kubectl CLI tool
- OpenSSL (for certificate generation)
- Local DNS configuration (add entries to hosts)
```bash
git clone https://github.com/brakmic/WildFly_Keycloak.git
cd WildFly_Keycloak
./scripts/generate-certs.sh
cd app
mvn clean package
cd ..
./scripts/deploy.sh
```
Add the following entries to your hosts file:
```
127.0.0.1 wildfly.local.com keycloak.local.com
```
- Application: https://wildfly.local.com/myapp
- Keycloak Admin: https://keycloak.local.com/admin/ (admin/admin)
- Test User: test-user/password
- app: Java web application (Jakarta EE) with servlets and JSPs
- wildfly: WildFly server configuration and Docker setup
- k8s: Kubernetes configuration files
  - configmaps: Configuration for realm, proxy headers, and Keycloak
  - ingress.yaml: Nginx ingress controller configuration
- scripts: Deployment and certificate generation scripts
- certs: Generated SSL certificates (gitignored)
The application uses a predefined realm configuration in realm-config.yaml. This includes:
- Test realm named "TestRealm"
- OpenID Connect client configuration
- User roles (admin, user)
- Test users with credentials
WildFly is configured with:
- Elytron OIDC client extension
- Undertow security domains
- Application deployment settings
- Advanced logging for troubleshooting
The project includes a VS Code DevContainer setup for consistent development environments:
```bash
# Open in VS Code with Dev Containers extension
code .
```
When using this project with a local Kubernetes cluster running in Docker Desktop, you need to properly configure kubectl inside the devcontainer:
- Copy Kubernetes Configuration:

  ```bash
  # From your host machine, copy your .kube/config to the container
  mkdir -p /home/jdev/.kube
  cp ~/.kube/config /home/jdev/.kube/config
  ```

- Modify Server Address: Edit the config file inside the container and replace server addresses that use `127.0.0.1` with `docker-for-desktop`:

  Before:

  ```yaml
  server: https://127.0.0.1:6443
  ```

  After:

  ```yaml
  server: https://docker-for-desktop:6443
  ```

  This change is necessary because inside the devcontainer, `127.0.0.1` points to the container itself, not the host machine where Docker Desktop is running.

- Verify Host Resolution: The devcontainer is already configured with special host entries in devcontainer.json that make communication with the host machine's Kubernetes possible:

  ```json
  "runArgs": [
    "--network=devnetwork",
    "--add-host=host.docker.internal:host-gateway",
    "--add-host=desktop-control-plane:host-gateway",
    "--add-host=docker-for-desktop:host-gateway"
  ]
  ```

- Test the Connection:

  ```bash
  kubectl get nodes
  ```

  If configured correctly, you should see your Docker Desktop Kubernetes nodes.

Note: If you're using a different Kubernetes setup (minikube, KinD, etc.), you may need to adjust the server address accordingly. The devcontainer.json is already configured for both KinD (`desktop-control-plane`) and Docker Desktop Kubernetes (`docker-for-desktop`).
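The server-address edit above is easy to get wrong by hand when the kubeconfig holds more than one cluster. The following script is an added example, not part of the project: it rewrites only `server:` entries whose host is `127.0.0.1` (keeping port and other clusters intact), accepts `desktop-control-plane` as the KinD alternative, and lists clusters that disable TLS verification, because after the rename kubectl validates the API server certificate against the new hostname and a skipped check would hide a mismatch. The kubeconfig content is constructed for the example and its certificate data is a placeholder.

```python
import re

# Constructed sample kubeconfig in the shape the README describes: one cluster
# whose server is the loopback address, plus a second, unrelated cluster.
# It is not the project's file; the certificate data is a placeholder.
SAMPLE_KUBECONFIG = """\
apiVersion: v1
kind: Config
clusters:
- name: docker-desktop
  cluster:
    server: https://127.0.0.1:6443
    certificate-authority-data: PLACEHOLDER-BASE64
- name: other-cluster
  cluster:
    server: https://10.0.0.5:6443
    insecure-skip-tls-verify: true
"""

# Matches a kubeconfig `server:` line and splits it into prefix, host, and the
# rest (port and any path), so that only the host part is replaced.
SERVER_LINE = re.compile(r"^(\s*server:\s*https?://)([^:/\s]+)(.*)$")


def rewrite_server_host(text, old_host="127.0.0.1", new_host="docker-for-desktop"):
    """Rewrite `server:` lines whose host is old_host; return (new_text, count).

    Ports, paths and other clusters are left untouched, so a kubeconfig that
    holds several contexts only gets its loopback entries redirected.
    """
    out, changed = [], 0
    for line in text.split("\n"):
        m = SERVER_LINE.match(line)
        if m and m.group(2) == old_host:
            line = f"{m.group(1)}{new_host}{m.group(3)}"
            changed += 1
        out.append(line)
    return "\n".join(out), changed


def tls_skip_lines(text):
    """Line numbers (1-based) of clusters that disable TLS verification.

    After the host rewrite kubectl checks the API server certificate against
    the new name; with verification disabled a certificate/name mismatch (or a
    typo in the host) would go unnoticed, so such clusters deserve a look.
    """
    return [i + 1 for i, line in enumerate(text.split("\n"))
            if line.strip() == "insecure-skip-tls-verify: true"]


if __name__ == "__main__":
    patched, n = rewrite_server_host(SAMPLE_KUBECONFIG)
    print(f"rewrote {n} server entr{'y' if n == 1 else 'ies'}")
    print(patched)
    for ln in tls_skip_lines(patched):
        print(f"warning: line {ln} disables TLS verification")
```

To apply it to the real file inside the devcontainer, read `/home/jdev/.kube/config`, pass its text to `rewrite_server_host` (with `new_host="desktop-control-plane"` for KinD) and write the result back; `kubectl get nodes` then confirms the connection as the last step above describes.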
- Modify the Java servlets in servlet
- Update JSP views in jsp
- Enhance CSS/JS in resources
- Build with Maven:

  ```bash
  cd app
  mvn clean package
  ```

```bash
docker build -t yourusername/wildfly-myapp:latest -f wildfly/Dockerfile .
docker push yourusername/wildfly-myapp:latest
```
- HTTPS communication with custom certificates
- Keycloak authentication with JWT tokens
- Session management and timeout
- Role-based access control
- Network policies restricting pod communication
```bash
# WildFly logs
kubectl logs -f -l app=wildfly -n wildfly-demo
# Keycloak logs
kubectl logs -f -l app=keycloak -n wildfly-demo
```
- Invalid Redirect URI: Check Keycloak client configuration and ensure redirect URIs match your application URLs
- Certificate Issues: Regenerate certificates and ensure they're properly mounted
- Database Connection: Check PostgreSQL deployment and connection parameters in Keycloak configuration
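The realm definition described earlier (TestRealm, an OIDC client, the admin and user roles, test users) and the "Invalid Redirect URI" item above come together in the following added example, which is not part of the project. It builds a realm in the shape of a Keycloak realm export and checks whether the application's callback URL would be accepted by the client's `redirectUris`, using a simplified model of Keycloak's rule (exact match, or a trailing `*` matching as a prefix), while flagging patterns a reviewer would question. The realm and role names come from the README; the client id `myapp`, the secret placeholder and the redirect URI patterns are assumptions for the example.

```python
import json

# Constructed realm definition in the shape of a Keycloak realm export.
# Realm, roles and test user follow the README; clientId, secret placeholder
# and redirect URIs are assumptions for this example.
SAMPLE_REALM = json.loads("""
{
  "realm": "TestRealm",
  "enabled": true,
  "roles": {"realm": [{"name": "admin"}, {"name": "user"}]},
  "clients": [
    {
      "clientId": "myapp",
      "enabled": true,
      "publicClient": false,
      "secret": "REPLACE-WITH-REAL-SECRET",
      "standardFlowEnabled": true,
      "redirectUris": ["https://wildfly.local.com/myapp/*"],
      "webOrigins": ["https://wildfly.local.com"]
    }
  ],
  "users": [
    {
      "username": "test-user",
      "enabled": true,
      "credentials": [{"type": "password", "value": "password", "temporary": false}],
      "realmRoles": ["user"]
    }
  ]
}
""")


def uri_matches(pattern, uri):
    """Simplified model of Keycloak's redirect URI check (assumption):
    exact match, or a pattern ending in '*' matched as a prefix."""
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def find_client(realm, client_id):
    """Return the client entry with the given clientId or raise KeyError."""
    for client in realm.get("clients", []):
        if client.get("clientId") == client_id:
            return client
    raise KeyError(client_id)


def check_redirect(realm, client_id, redirect_uri):
    """Return (allowed, problems): whether redirect_uri would be accepted for
    the client, plus findings a reviewer would flag in the client definition."""
    client = find_client(realm, client_id)
    patterns = client.get("redirectUris", [])
    allowed = any(uri_matches(p, redirect_uri) for p in patterns)
    problems = []
    for p in patterns:
        # A bare '*' accepts any redirect target; plain http leaks the code in transit.
        if p == "*" or p.startswith("http://"):
            problems.append(f"over-permissive or plaintext redirect URI pattern: {p}")
        # Only a trailing '*' acts as a wildcard; one earlier in the pattern will not
        # match the way the author probably intended.
        if "*" in p[:-1]:
            problems.append(f"wildcard before the end of the pattern: {p}")
    if client.get("publicClient") is False and not client.get("secret"):
        problems.append("confidential client without a secret")
    return allowed, problems


def user_roles(realm, username):
    """Realm roles assigned to a user in the import file (empty if unknown)."""
    for user in realm.get("users", []):
        if user.get("username") == username:
            return set(user.get("realmRoles", []))
    return set()


if __name__ == "__main__":
    ok, issues = check_redirect(SAMPLE_REALM, "myapp", "https://wildfly.local.com/myapp/")
    print("callback accepted:", ok, "issues:", issues)
    print("test-user roles:", sorted(user_roles(SAMPLE_REALM, "test-user")))
```

When the ingress URL or context path changes, run `check_redirect` with the exact URL the browser is sent back to; a `False` result reproduces the "Invalid Redirect URI" error before the deployment does, and the `problems` list catches the opposite failure mode, a client that accepts too much.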
- WildFly team for the application server
- Keycloak project for the identity provider
- Kubernetes community for the orchestration platform