We are using Apache TOMCAT v. 8.0.18. We have a Javascript application that we would like to configure web.xml using KEYCLOAK to protect all root URI's '/' except '/tracking'. Is there a way to exclude '/tracking' from being protected either in the KEYCLOAK admin console or in the WEB.XML itself. Some additional information is for the tracking URL we will use both HTTP and WEBSOCKETS protocols. Our current approach was to specifically protect all URI except for '/tracking' but that doesn't seem to be working as a solution.

We have attached our example WEB.XML attempting to specifically protect URLs:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <module-name>ROOT</module-name>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>APP</web-resource-name>
            <url-pattern>/app/*</url-pattern>
        </web-resource-collection>
        <!--API-->
        <web-resource-collection>
            <web-resource-name>API</web-resource-name>
            <url-pattern>/api/*</url-pattern>
        </web-resource-collection>
        <!--HTML-->
        <web-resource-collection>
            <web-resource-name>HTML</web-resource-name>
            <url-pattern>*.html</url-pattern>
        </web-resource-collection>
<auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
 <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>worktrac</realm-name>
    </login-config>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>

We appreciate your feedback and thoughts on a solution.
- Chris