[keycloak-user] Programmatic access control with no <security-constraints/> in web.xml

Hello, Is it possible to apply programmatic access control i.e. retrieve KeycloakSecurityContext, get token, roles etc, when the <security-contraint/> elements have been removed from web.xml? The reason for that is that when <security-constraints/> are present the requests get dropped by the keycloak adapter before reaching the REST endpoints implementation in case they are not carrying a token. I'm trying to support an alternative authorization mechanism using a custom API Key parameter in case the Oauth token header is missing. Regards Orestis