Re: [keycloak-user] Policy Enforcement Mode cannot be changed.

Thanks Pedro, I think you are right. I would like to ask one more question. I want to let keycloak protect most of resources of my website. but I also want to expose some resources to anonymous, for example, let anonymous user can visit all files within /resources folder, then I do something like this. Tomcat web.xml <security-constraint> <web-resource-collection> <web-resource-name>All Resources</web-resource-name> <url-pattern>/user/login.action</url-pattern> <url-pattern>/jsp/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>All Resources</web-resource-name> <url-pattern>/resources/*</url-pattern> </web-resource-collection> </security-constraint> <login-config> <auth-method>KEYCLOAK</auth-method> <realm-name>master</realm-name> </login-config> <security-role> <role-name>admin</role-name> </security-role> Keycloak I don't create permission can control folder [/resources] or it's parent folder. But when I tried to visit a file in folder [/resources], I got http 500 error. java.lang.RuntimeException: Failed to enforce policy decisions. org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:149) org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60) org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63) org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436) org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078) org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) java.lang.Thread.run(Thread.java:745) root cause java.lang.NullPointerException org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:68) org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:76) org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:142) org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60) org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63) Any suggest? thanks. Joey On Wed, Oct 26, 2016 at 7:55 PM, Pedro Igor Craveiro e Silva <psilva(a)redhat.com&gt; wrote: