Equivalent of keycloak.policy-enforcer-config.paths[1].enforcement-mode=DISABLED in web.xml

This issue is very specific to deploying the application in tomcat with web.xml

using application.properties


by defining an path (as above)i can DISABLE the authentication(& authorization) process for an path.

what’s equivalent in web.xml

The requirement is, There are certain paths (rest endpoints) that are unsecured, and should be access without being authenticated. (the payloads will have signatures, that can be verified)

e.g: receipts have to send based on URL (without being authenticated)

once we define web.xml with the login-config


every path requires authentication.

bypassing authorization (works), This is supposed to bypass authentication (according to web.xml definition), but it’s not.

		<!-- do not declare the auth-constraint -->

Even when not declaring the security-constraint for an path, the keycloak enforces authentication.

does anyone know how to solve this.

For deployment as webapp, i’ve followed the official guide Securing Applications and Services Guide