How to secure a JAXRS REST API running on JBoss EAP

Hello folks,

I’m trying to protect a REST API from a legacy system running on a JBoss EAP 6.4 server. The keycloak server available in my company is running in another machine. So, in Keycloak I’ve created a client (openid protocol, bearer only), I’ve installed the adapter according to the documentation and appended to my standalone the following section:

<subsystem xmlns="urn:jboss:domain:keycloak:1.2">
            <secure-deployment name="cad-seg-api.war">

And, the the web.xml:


The application can be deployed normally, without errors/warns, but when I follow the link http://app.local/api/oauth2/users I can access without any credentials supplied. I think should be sent an “unauthorized” message, or something like that. Even reading the examples (mostly for wildfly) I couldn’t figure out how to acess the mentioned link and got redirected to keycloak login page.

Any ideas?