eclipse-basyx
diff --git a/‎examples/BaSyxSecured/README.md‎
Lines changed: 16 additions & 3 deletions b/‎examples/BaSyxSecured/README.md‎
Lines changed: 16 additions & 3 deletions
diff --git a/‎examples/BaSyxSecured/basyx/aas-discovery.properties‎
Lines changed: 1 addition & 1 deletion b/‎examples/BaSyxSecured/basyx/aas-discovery.properties‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎examples/BaSyxSecured/basyx/aas-env.properties‎
Lines changed: 5 additions & 5 deletions b/‎examples/BaSyxSecured/basyx/aas-env.properties‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎examples/BaSyxSecured/docker-compose.yaml‎
Lines changed: 78 additions & 16 deletions b/‎examples/BaSyxSecured/docker-compose.yaml‎
Lines changed: 78 additions & 16 deletions
diff --git a/‎examples/BaSyxSecured/keycloak/Dockerfile‎
Lines changed: 0 additions & 15 deletions b/‎examples/BaSyxSecured/keycloak/Dockerfile‎
Lines changed: 0 additions & 15 deletions
@@ -3,20 +3,33 @@
 All BaSyx components support role-based access control by using Keycloak as identity provider.
 Access rules are defined based on roles. Roles are defined in the Keycloak server.
 
+In this setup, an nginx proxy is used to expose the different BaSyx services under dedicated subdomains.
+The main URLs are:
+
+AAS Web UI: http://aasgui.basyx.localhost
+
+Keycloak: http://keycloak.basyx.localhost
+
+Additional service URLs can be found in the docker-compose file.
+
+Modern browsers like Google Chrome, Firefox, and others automatically resolve any URL ending with .localhost to the local address 127.0.0.1.
+This means requests to these URLs are directly routed to your own machine, where the nginx instance running inside Docker forwards the requests to the corresponding BaSyx service.
+As an alternative for setups where .localhost handling might not work correctly, you could manually map the required domains to 127.0.0.1 by editing your /etc/hosts file.
+
 To start the secure setup execute the following command
 
 ```bash
 docker-compose up -d
 ```
 
-This will start the BaSyx components and the Keycloak server. The Keycloak server can be found at http://localhost:9097.
+This will start the BaSyx components and the Keycloak server. The Keycloak server can be found at http://keycloak.basyx.localhost.
 There you can login as admin with username `admin` and password `keycloak-admin`.
 ![BaSyx Realm User Overview](users.png)
 
 The example comes with an already configured realm `BaSyx` and a user `john.doe` with password `johndoe`.
 This user has the `admin` role and can access all BaSyx components and all information about each component.
 
-The entry point for accessing the Asset Administration Shells and their Submodels is the AAS Web UI running at http://localhost:3000.
+The entry point for accessing the Asset Administration Shells and their Submodels is the AAS Web UI running at http://aasgui.basyx.localhost.
 After opening the page you will be redirected to the Keycloak login page. Use the credentials of user `john.doe` to log in.
 ![Login to BaSyx using Keycloak](login.png)
 
@@ -25,7 +38,7 @@ The UI shows the login status in the top right corner.
 To end your session click on the logout button in the top right corner.
 ![Logout button in the AAS UI](logout.png)
 
-There are several other user accounts available, each with different roles. You can use them to test the different levels of access. The password for these users is their username without the dots. You can find them in the [Users](http://localhost:9097/admin/master/console/#/BaSyx/users) tab of the BaSyx realm in Keycloak.
+There are several other user accounts available, each with different roles. You can use them to test the different levels of access. The password for these users is their username without the dots. You can find them in the [Users](http://keycloak.basyx.localhost/admin/master/console/#/BaSyx/users) tab of the BaSyx realm in Keycloak.
 
 ## Upload AAS Environment files (AASX/JSON/XML) with RBAC
 
 
@@ -9,4 +9,4 @@ basyx.feature.authorization.enabled = true
 basyx.feature.authorization.type = rbac
 basyx.feature.authorization.jwtBearerTokenProvider = keycloak
 basyx.feature.authorization.rbac.file = file:/application/rbac_rules.json
-spring.security.oauth2.resourceserver.jwt.issuer-uri= http://keycloak:9097/realms/BaSyx
+spring.security.oauth2.resourceserver.jwt.issuer-uri= http://keycloak.basyx.localhost/realms/BaSyx
@@ -5,14 +5,14 @@ basyx.cors.allowed-origins=*
 basyx.cors.allowed-methods=GET,POST,PATCH,DELETE,PUT,OPTIONS,HEAD
 basyx.aasrepository.feature.registryintegration=http://aas-registry:8080
 basyx.submodelrepository.feature.registryintegration=http://sm-registry:8080
-basyx.externalurl=http://localhost:8081
+basyx.externalurl=http://aasenv.basyx.localhost
 
 basyx.feature.authorization.enabled = true
 basyx.feature.authorization.type = rbac
 basyx.feature.authorization.jwtBearerTokenProvider = keycloak
 basyx.feature.authorization.rbac.file = file:/application/rbac_rules.json
-spring.security.oauth2.resourceserver.jwt.issuer-uri= http://keycloak-rbac:8080/realms/BaSyx
-basyx.aasenvironment.authorization.preconfiguration.token-endpoint=http://keycloak-rbac:8080/realms/BaSyx/protocol/openid-connect/token
+spring.security.oauth2.resourceserver.jwt.issuer-uri= http://keycloak.basyx.localhost/realms/BaSyx
+basyx.aasenvironment.authorization.preconfiguration.token-endpoint=http://keycloak.basyx.localhost/realms/BaSyx/protocol/openid-connect/token
 basyx.aasenvironment.authorization.preconfiguration.grant-type = CLIENT_CREDENTIALS
 basyx.aasenvironment.authorization.preconfiguration.client-id=workstation-1
 basyx.aasenvironment.authorization.preconfiguration.client-secret=nY0mjyECF60DGzNmQUjL81XurSl8etom
@@ -23,12 +23,12 @@ spring.servlet.multipart.max-request-size=128MB
 spring.servlet.multipart.max-file-size=128MB
 
 basyx.aasrepository.feature.registryintegration.authorization.enabled=true
-basyx.aasrepository.feature.registryintegration.authorization.token-endpoint=http://keycloak-rbac:8080/realms/BaSyx/protocol/openid-connect/token
+basyx.aasrepository.feature.registryintegration.authorization.token-endpoint=http://keycloak.basyx.localhost/realms/BaSyx/protocol/openid-connect/token
 basyx.aasrepository.feature.registryintegration.authorization.grant-type = CLIENT_CREDENTIALS
 basyx.aasrepository.feature.registryintegration.authorization.client-id = workstation-1
 basyx.aasrepository.feature.registryintegration.authorization.client-secret = nY0mjyECF60DGzNmQUjL81XurSl8etom
 basyx.submodelrepository.feature.registryintegration.authorization.enabled=true
-basyx.submodelrepository.feature.registryintegration.authorization.token-endpoint=http://keycloak-rbac:8080/realms/BaSyx/protocol/openid-connect/token
+basyx.submodelrepository.feature.registryintegration.authorization.token-endpoint=http://keycloak.basyx.localhost/realms/BaSyx/protocol/openid-connect/token
 basyx.submodelrepository.feature.registryintegration.authorization.grant-type = CLIENT_CREDENTIALS
 basyx.submodelrepository.feature.registryintegration.authorization.client-id=workstation-1
 basyx.submodelrepository.feature.registryintegration.authorization.client-secret=nY0mjyECF60DGzNmQUjL81XurSl8etom
 
@@ -1,15 +1,35 @@
 services:
+
+  # nginx reverse proxy to support dns lookup
+  # nginx-proxy:
+  #   image: nginxproxy/nginx-proxy:1.6.0-alpine
+  #   container_name: proxy
+  #   restart: always
+  #   ports:
+  #     - "80:80"
+  #   volumes:
+  #     - /var/run/docker.sock:/tmp/docker.sock:ro
+  #   environment:
+  #     DEFAULT_HOST: aasgui.basyx.localhost
+  #   networks:
+  #     - basyx-java-server-sdk
+
   # AAS Environment
   aas-env:
     image: eclipsebasyx/aas-environment:$BASYX_VERSION
     container_name: aas-env-rbac
+    extra_hosts:
+      - "keycloak.basyx.localhost:host-gateway" 
     volumes:
       - ./aas:/application/aas
       - ./basyx/aas-env.properties:/application/application.properties
       - ./basyx/rules/aas_env_rbac_rules.json:/application/rbac_rules.json
     ports:
       - '8081:8081'
     restart: always
+    environment:
+      VIRTUAL_HOST: aasenv.basyx.localhost
+      VIRTUAL_PORT: "8081"
     depends_on:
       aas-registry:
         condition: service_healthy
@@ -22,54 +42,76 @@ services:
   aas-registry:
     image: eclipsebasyx/aas-registry-log-mem:$BASYX_VERSION
     container_name: secured-aas-registry-log-mem-rbac
+    extra_hosts:
+      - "keycloak.basyx.localhost:host-gateway" 
     ports:
       - "8082:8080"
     environment:
+      VIRTUAL_HOST: aasreg.basyx.localhost
+      VIRTUAL_PORT: "8080"
       SERVER_SERVLET_CONTEXT_PATH: /
       BASYX_CORS_ALLOWED_ORIGINS: '*'
       BASYX_CORS_ALLOWED_METHODS: GET,POST,PATCH,DELETE,PUT,OPTIONS,HEAD
       BASYX_FEATURE_AUTHORIZATION_ENABLED: true
       BASYX_FEATURE_AUTHORIZATION_TYPE: rbac
       BASYX_FEATURE_AUTHORIZATION_JWTBEARERTOKENPROVIDER: keycloak
-      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: http://keycloak-rbac:8080/realms/BaSyx
+      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: http://keycloak.basyx.localhost/realms/BaSyx
       BASYX_FEATURE_AUTHORIZATION_RBAC_FILE: file:/workspace/config/rbac_rules.json
     volumes:
       - ./basyx/rules/aas_registry_rbac_rules.json:/workspace/config/rbac_rules.json
     restart: always
+    depends_on:
+      keycloak-healthcheck:
+        condition: service_completed_successfully
     networks:
       - basyx-java-server-sdk
 
   # Submodel Registry
   sm-registry:
     image: eclipsebasyx/submodel-registry-log-mem:$BASYX_VERSION
     container_name: secured-sm-registry-log-mem-rbac
+    extra_hosts:
+      - "keycloak.basyx.localhost:host-gateway" 
     environment:
+      VIRTUAL_HOST: smreg.basyx.localhost
+      VIRTUAL_PORT: "8080"
       SERVER_SERVLET_CONTEXT_PATH: /
       BASYX_CORS_ALLOWED_ORIGINS: '*'
       BASYX_CORS_ALLOWED_METHODS: GET,POST,PATCH,DELETE,PUT,OPTIONS,HEAD
       BASYX_FEATURE_AUTHORIZATION_ENABLED: true
       BASYX_FEATURE_AUTHORIZATION_TYPE: rbac
       BASYX_FEATURE_AUTHORIZATION_JWTBEARERTOKENPROVIDER: keycloak
-      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: http://keycloak-rbac:8080/realms/BaSyx
+      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: http://keycloak.basyx.localhost/realms/BaSyx
       BASYX_FEATURE_AUTHORIZATION_RBAC_FILE: file:/workspace/config/rbac_rules.json
     ports:
       - "8083:8080"
     volumes:
       - ./basyx/rules/sm_registry_rbac_rules.json:/workspace/config/rbac_rules.json
     restart: always
+    depends_on:
+      keycloak-healthcheck:
+        condition: service_completed_successfully
     networks:
       - basyx-java-server-sdk
 
   # AAS Discovery
   aas-discovery:
     image: eclipsebasyx/aas-discovery:$BASYX_VERSION
     container_name: aas-discovery
+    extra_hosts:
+      - "keycloak.basyx.localhost:host-gateway" 
+    environment:
+      VIRTUAL_HOST: discovery.basyx.localhost
+      VIRTUAL_PORT: "8081"
     volumes:
       - ./basyx/aas-discovery.properties:/application/application.properties
       - ./basyx/rules/aas_discovery_rbac_rules.json:/application/rbac_rules.json
     ports:
       - '8084:8081'
     restart: always
+    depends_on:
+      keycloak-healthcheck:
+        condition: service_completed_successfully
     networks:
       - basyx-java-server-sdk
 
@@ -78,17 +120,19 @@ services:
     image: eclipsebasyx/aas-gui:$AAS_WEBUI_VERSION
     container_name: aas-web-gui
     extra_hosts:
-      - "keycloak:127.0.0.1"
+      - "keycloak.basyx.localhost:host-gateway"
     ports:
       - '3000:3000'
     environment:
-      AAS_REGISTRY_PATH: http://localhost:8082/shell-descriptors
-      SUBMODEL_REGISTRY_PATH: http://localhost:8083/submodel-descriptors
-      AAS_REPO_PATH: http://localhost:8081/shells
-      SUBMODEL_REPO_PATH: http://localhost:8081/submodels
-      CD_REPO_PATH: http://localhost:8081/concept-descriptions
-      AAS_DISCOVERY_PATH: http://localhost:8084/lookup/shells
-      KEYCLOAK_URL: http://localhost:9097
+      VIRTUAL_HOST: aasgui.basyx.localhost
+      VIRTUAL_PORT: "3000"
+      AAS_REGISTRY_PATH: http://aasreg.basyx.localhost/shell-descriptors
+      SUBMODEL_REGISTRY_PATH: http://smreg.basyx.localhost/submodel-descriptors
+      AAS_REPO_PATH: http://aasenv.basyx.localhost/shells
+      SUBMODEL_REPO_PATH: http://aasenv.basyx.localhost/submodels
+      CD_REPO_PATH: http://aasenv.basyx.localhost/concept-descriptions
+      AAS_DISCOVERY_PATH: http://discovery.basyx.localhost/lookup/shells
+      KEYCLOAK_URL: http://keycloak.basyx.localhost
       KEYCLOAK_REALM: BaSyx
       KEYCLOAK_CLIENT_ID: basyx-web-ui
     restart: always
@@ -98,24 +142,42 @@ services:
     networks:
       - basyx-java-server-sdk
 
+
   keycloak:
-    image: eclipsebasyx/keycloak:0.0.1
-    build:
-      context: ./keycloak
-      dockerfile: Dockerfile
+    image: keycloak/keycloak:24.0.4
     container_name: keycloak-rbac
     environment:
-      KC_HOSTNAME: localhost
-      KC_SPI_INITIALIZER_ISSUER_BASE_URI: http://keycloak-rbac:8080
+      VIRTUAL_HOST: keycloak.basyx.localhost
+      VIRTUAL_PORT: "8080"
+      KC_HOSTNAME: keycloak.basyx.localhost
       KEYCLOAK_ADMIN: admin
       KEYCLOAK_ADMIN_PASSWORD: keycloak-admin
+      KC_HTTP_ENABLED: "true"
+      KC_HTTPS_ENABLED: "false"
+      KC_HEALTH_ENABLED: "true"
+      KC_IMPORT: /opt/keycloak/data/import/
     command: ["start-dev", "--import-realm"]
     ports:
       - 9097:8080
     volumes:
       - ./keycloak/realm:/opt/keycloak/data/import
     networks:
       - basyx-java-server-sdk
+      
+  keycloak-healthcheck:
+    image: curlimages/curl:latest
+    container_name: keycloak-healthcheck
+    command: >
+      sh -c "
+        echo 'Waiting for Keycloak to become ready...';
+        until curl -sf http://keycloak-rbac:8080/health/ready; do
+          sleep 5;
+        done;
+        echo 'Keycloak is ready!'"
+    depends_on:
+      - keycloak
+    networks:
+      - basyx-java-server-sdk
 
 networks:
   basyx-java-server-sdk: