[keycloak-user] How to secure JAX-WS SOAP services with Keycloak

Tihomir Mescic tmescic at upchain.com
Sun Mar 24 07:50:18 EDT 2019


Hi all,

I have some SOAP services running on WildFly 13. These services are
implemented by using the @javax.jws.WebService annotation, and are deployed
as a JAR file containing the services and the EJBs with the backing
implementation. The services are currently unsecured (public). I also have
Keycloak 5.0 running on a different server.

What I want to achieve:
- add Keycloak integration to my SOAP layer, so that every SOAP request is
validated - i.e. JWT token that is sent in the Authorization header is
validated
- the validation is done offline (i.e. Keycloak REST endpoint for token
validation is not called every time)

I tried using the WildFly Keycloak adapter:
https://www.keycloak.org/docs/5.0/securing_apps/index.html#jboss-eap-wildfly-adapter

However, it looks like this adapter can only work with WAR deployments (I
have a JAR file and don't have the web.xml file at all).

I'm also aware that I could use a SOAP Interceptor and validate the token
online (by calling the REST endpoint on Keycloak), however, I'd like to
avoid this for performance reasons.

My question is:
1. Is it possible to achieve what I need using the WildFly Keycloak adapter?
2. If not, what would be the preferred way to do it?

Thanks in advance,
Tihomir
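
The offline validation described in the message above, as an added example that is not part of the original post and is not Keycloak adapter code: an RS256 bearer token is checked locally against a cached realm public key, with the algorithm, issuer and expiry pinned by the verifier. The class name, the issuer URL and the throwaway key pair are constructed for illustration, and a JSON-P (javax.json) implementation is assumed on the classpath, as it is on WildFly.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.json.Json;
import javax.json.JsonObject;

public class OfflineJwtCheck {
    static final Base64.Decoder DEC = Base64.getUrlDecoder();

    static JsonObject json(String part) {
        return Json.createReader(new StringReader(new String(DEC.decode(part), StandardCharsets.UTF_8))).readObject();
    }

    // Returns the claims when signature, alg, issuer and expiry all check out; throws otherwise.
    static JsonObject verify(String authz, PublicKey realmKey, String issuer, long nowEpochSec)
            throws GeneralSecurityException {
        if (authz == null || !authz.startsWith("Bearer ")) throw new SecurityException("missing bearer token");
        String[] p = authz.substring(7).trim().split("\\.");
        if (p.length != 3) throw new SecurityException("not a compact JWS");
        // Pin the algorithm on the verifier side; the token header must not choose it.
        if (!"RS256".equals(json(p[0]).getString("alg", ""))) throw new SecurityException("unexpected alg");
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(realmKey);
        sig.update((p[0] + "." + p[1]).getBytes(StandardCharsets.UTF_8));
        if (!sig.verify(DEC.decode(p[2]))) throw new SecurityException("bad signature");
        JsonObject claims = json(p[1]);
        if (!issuer.equals(claims.getString("iss", ""))) throw new SecurityException("wrong issuer");
        if (!claims.containsKey("exp") || claims.getJsonNumber("exp").longValue() <= nowEpochSec)
            throw new SecurityException("expired or missing exp");
        return claims;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key pair stands in for the realm signing key.
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        long now = System.currentTimeMillis() / 1000;
        String iss = "https://sso.example.test/auth/realms/demo"; // constructed issuer
        String body = enc.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString(("{\"iss\":\"" + iss + "\",\"exp\":" + (now + 60) + "}").getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(body.getBytes(StandardCharsets.UTF_8));
        String token = body + "." + enc.encodeToString(s.sign());
        System.out.println(verify("Bearer " + token, kp.getPublic(), iss, now).getString("iss"));
    }
}
```

A token verified this way stays accepted until its `exp` even if the session is revoked on the server, and audience or role checks would still have to be added on top of the returned claims.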

