Hello,
I am using a Java servlet with Keycloak filters, so no security constraints can be applied. I would like to know how I can block some HTTP methods for users of a certain role. I created roles in Keycloak and tried to define the auth-constraints within the security-constraints, but it always returns error 403 Unauthorized.
If I remove the auth constraint and security roles, I am able to access the method. It seems that it is not recognizing Keycloak roles or not mapping them between the servlet and Keycloak.
I am blocking the method as shown below in the class:
@GET
@Path("/get")
@RolesAllowed("admin")
@Produces(MediaType.TEXT_PLAIN)
public String delU(@HeaderParam("user_id") String userId) {
...
}
And I have the filters like the link below in the web.xml:
Best Regards