Equivalent of keycloak.policy-enforcer-config.paths[1].enforcement-mode=DISABLED in web.xml

This issue is very specific to deploying the application in Tomcat with web.xml.

Using application.properties:

    keycloak.policy-enforcer-config.paths[1].path=/receipt/*
    keycloak.policy-enforcer-config.paths[1].name=public
    keycloak.policy-enforcer-config.paths[1].enforcement-mode=DISABLED

By defining a path (as above), I can DISABLE the authentication (& authorization) process for a path.

What’s the equivalent in web.xml?

The requirement is: there are certain paths (REST endpoints) that are unsecured and should be accessed without being authenticated. (The payloads will have signatures that can be verified.)

E.g.: receipts have to be sent based on URL (without being authenticated).

Once we define web.xml with the login-config

    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>ignored</realm-name>
    </login-config>

every path requires authentication.

Bypassing authorization (works). This is supposed to bypass authentication (according to the web.xml definition), but it’s not.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>public</web-resource-name>
            <url-pattern>/receipt/*</url-pattern>
        </web-resource-collection>
        <!-- do not declare the auth-constraint -->
    </security-constraint>

Even when not declaring the security-constraint for a path, Keycloak enforces authentication.

Does anyone know how to solve this?

For deployment as a webapp, I’ve followed the official guide, Securing Applications and Services Guide.