Hi all,

Maybe someone can help me out with the following;
I'm trying to secure my Jax-RS services with Keycloak 1.7.0.Final. I configured for this a client in Keycloak with access type 'bearer-only'.
Since I am using GlassFish 3.1 (no adapter available), I use the 'keycloak-servlet-filter-adapter'.
When accessing one of the Jax-RS services with a valid token, GlassFish will throw an exception (with no relevant info in it). I debugged it, and found out that the HttpServletRequestWrapper, which is returned by the servlet filter, has no account property in it (see also FilterSessionStore.buildWrapper(HttpSession, KeycloakAccount)). And when GlassFish will try to access, for example the wrapper's principal, this will cause a NPE.
It seems that FilterRequestAuthenticator.completeBearerAuthentication(KeycloakPrincipal<RefreshableKeycloakSecurityContext>, String) does not store the account in the tokenStore.
Should I use this feature differently? Or is access type 'bearer-only' simply not supported by the servlet filter?

Thanks!

Ramon Rockx