Hello Vagelis,
Please see my answer to exactly the same question:
http://lists.jboss.org/pipermail/keycloak-user/2018-October/016026.html
TL;DR: this is by design, but you shouldn't be worried. For unsecured URLs you can
simply return new KeycloakDeployment() from your resolver.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Tue, 2018-10-30 at 09:19 +0200, Vagelis Savvas wrote:
Hello,
in a multitenant app on Wildfly 14.0.1 with a bearer-only REST API to
protect I would like some URLs
to not be secured. So I would like my custom KeycloakConfigResolver
implementation
to not be called when those URLs are hit but it is. The reason I don't
want my KeycloakConfigResolver to be called is simply because
I have no clue as to what to return in that case: its a non-secured REST
endpoint so a Keycloak realm doesn't make sense in my understanding.
My setup follows the docs: I've installed the adapter for Wildfly and
the web.xml has the necessary setup for not securing some URLs (no
auth-constraint for those URLs)
Also in jboss-web.xml the security-domain element isn't defined,
although I don't know if that plays any role.
My final goal is to have some URLs secured by using the JBoss specific
@SecurityDomain and the standard @RolesAllowed etc annotations.
Can you please shed some light on this matter? I'd greatly appreciate
any detailed explanation of the mechanisms involved in this area.
Cheers,
Vagelis
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user