Anonymous access to some webservice dinamycally

Hi to all.

I have an EJB module with an ejb exposing a restfull web service.
Its path is like ‘/webservice/country/*’.

This web service is activated from a WAR included in an EAR.

Now i need to call “/webservice/country/find” without authentication (as anonymous) and for example “/webservice/country/create” only if authenticated and with the correct scope.

If i put in the WAR’s web.xml the security constraint for “/webservice/country/*” i’ll protect everything. How can I specify a policy to free the findall service?

Other complication : i cannot use the web.xml to protect single path because they are dinamycally added to the war by the EAR. Now i read a file freeurls.json and using picketlink I put then in the unprotected urls. How can I do it on Keycloak?

Complication 2 : someone suggested to use policy-enforcer inside keycloak.json. My war is shared by different EAR so i cannot include a keycloak.json. Can I define policy-enforcer in the standalone.xml of Wildfly? How can I do that?