<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Hi,</span><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">I'm currently using beta2 of keycloak, and we are building a new application with keycloak as our security platform.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">In our web module, all pages are located under the path src/main/webapps/views. Navigation to the index.xhtml file under this path triggers the keycloak login, as expected. We've enabled self-registration and assigned the default realm role to be "user", so a new user automatically obtains the "user" role. Here is a snippet of our web.xml file.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><pre>
<!-- Everything under /views/* requires an authenticated caller holding the "user" role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Users</web-resource-name>
    <url-pattern>/views/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- The more specific /views/supervisor/* subtree requires the "supervisor" role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Supervisor</web-resource-name>
    <url-pattern>/views/supervisor/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>supervisor</role-name>
  </auth-constraint>
</security-constraint>
</pre></div><div style="font-family:arial,sans-serif;font-size:13px">
</div><div style="font-family:arial,sans-serif;font-size:13px"><div>...</div><div><br></div><div>In effect, any person with the "user" role can view any content directly under /views/*. However, a newly enrolled user is also able to navigate to other subpaths under /views, like /views/supervisor/*, which should normally require the additional "supervisor" role in addition to being a "user".</div>
<div><br></div><div>So I have 2 questions.</div><div>1. Am I doing something wrong with regard to this setup? Does each registered application also need to have roles specified, or should the realm roles be enough? Or is my understanding wrong?</div>
<div>2. Is there a means to obtain the roles that a user has after logging in? The IDToken doesn't seem to contain any such information, so I could use that with some other security implementation, like DeltaSpike's security support, in case the above is not supported.</div>
<div><br></div><div>Looking forward to your response. Cheers.</div></div><div><br></div><br></div>
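<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">One way to see which roles the user actually carries after login, as an added example that is not part of the original message and not code from the Keycloak project: a plain servlet, mapped under /views so the web.xml constraint above forces a login first, that reads the realm and client roles from the adapter's access token and compares them with what the container's isUserInRole() reports for the two roles named in that web.xml. It assumes the Keycloak servlet adapter API as found in released Keycloak (org.keycloak.KeycloakSecurityContext, org.keycloak.representations.AccessToken); the exact class names in beta2 may differ. The client id "my-webapp", the package name and the servlet path /views/whoami are made up for the example.</span></div>

```java
package example; // hypothetical package for this added example

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collections;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Dumps the roles the Keycloak adapter attached to the current request.
 * Mapped under /views so the web.xml security constraint forces a login first.
 */
@WebServlet("/views/whoami")
public class WhoAmIServlet extends HttpServlet {

    // Assumed client id registered in the realm for this web module (not from the original post).
    private static final String CLIENT_ID = "my-webapp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The adapter stores its security context as a request attribute keyed by the class name.
        KeycloakSecurityContext ctx =
                (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        if (ctx == null) {
            // No adapter context: the constraint did not trigger a login, or the adapter is not installed.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            out.println("no Keycloak security context on this request");
            return;
        }

        // Roles live on the access token ("realm_access" / "resource_access" claims), not on the ID token.
        AccessToken token = ctx.getToken();
        out.println("subject: " + token.getSubject());
        out.println("realm roles: " + realmRoles(token));
        out.println("client roles for " + CLIENT_ID + ": " + clientRoles(token, CLIENT_ID));

        // What the container will enforce for the <role-name> entries in web.xml.
        for (String role : new String[] {"user", "supervisor"}) {
            out.println("isUserInRole(" + role + ") = " + req.isUserInRole(role));
        }
    }

    /** Realm-level roles from the "realm_access" claim, or an empty set if the claim is absent. */
    static Set<String> realmRoles(AccessToken token) {
        AccessToken.Access access = token.getRealmAccess();
        if (access == null || access.getRoles() == null) {
            return Collections.<String>emptySet();
        }
        return access.getRoles();
    }

    /** Client-level roles from the "resource_access" claim for one client, or an empty set. */
    static Set<String> clientRoles(AccessToken token, String clientId) {
        AccessToken.Access access = token.getResourceAccess(clientId);
        if (access == null || access.getRoles() == null) {
            return Collections.<String>emptySet();
        }
        return access.getRoles();
    }
}
```

<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Comparing the two lists printed by the servlet with the isUserInRole() results shows which role set the container is actually checking against the web.xml constraints. In released Keycloak adapters that choice is made by the use-resource-role-mappings setting in keycloak.json (false, the default, checks realm roles; true checks the client's own roles), so a mismatch between the roles on the token and the isUserInRole() answers is the first thing to check when a constraint does not behave as expected.</span></div>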