JAVA Same secured EAR, two different realm : sandbox and production

Continuing the discussion from Secure a distributable EAR application with keycloak:

I wrote this topic but could be difficult to understand and too long.
I’m writing it simpler…

I have an EAR and I use a keycloak.json in development/sandbox environment. Suppose I use SandRealm and SandClient in my configuration.
It is secured correctly.

Now I want to deploy this EAR in production environment, so it will point to a production realm ProdRealm and client ProdClient.

How can I pass the production’s keycloak.json avoiding to change the file to each production deployment?

Maybe I can do it with a parameter in maven compilation process, but how to do it if i have multiple production environment?

Does exists a way to standardize my EAR and avoid to create a lot of custom EAR?

external configuration like environment variables, cloud config, …

Hi, we have the very same problem and cannot find a solution. Have you been able to solve this and make it work?

I have done a workaround.

First of all, I install keycloak on the customer server. After that, I import realm and clients and I recreate the keys.

The keycloak.json inserted in my project has some variables:

"realm": "MyRealm",
"auth-server-url": "${auth.server.url}",
"ssl-required": "external",
"disable-trust-manager" : true,
"resource": "myclient",
"verify-token-audience": true,
"credentials": {
  "secret": "${secret}"
"use-resource-role-mappings": true,
"confidential-port": 0,
"enable-cors" : true,
"cors-max-age" : 1,
"cors-allowed-headers" : "accept, authorization, content-type, x-requested-with, type",
"cors-allowed-methods" : "POST, PUT, DELETE, GET, HEAD",
"cors-exposed-headers" : "ETag,Location",
"policy-enforcer": {
    "enforcement-mode" : "ENFORCING"


In maven i change the variables with some properties, so in the parent project i defined a profile for each customer and during compilation i’ll select the profile and Maven change the variable with values:


In pom.xml of my war:



  • in WAR only add a “generic” keycloak.json and add the filter in pom.xml;
  • in the EAR i did nothing
  • in the maven parent project create a profile for each installation
  • before the compilation, select the correct profile