On 19/06/18 14:24, rdg77390 wrote:
> Hi, I created an application using Tomcat 8 and Keycloak.
> The application has some REST APIs that will be called from the browser. So the
> application is both server and application. I believe with Jsessionid in a
> cookie, I do not need to pass an authentication token if I'm talking to the
> same server in the same session. Isn't it? Could someone clear this up for me?

Yes, you're right. The path should be authenticated by the cookie
"JSessionId", so you don't need a token. A token is needed only if something
else calls this REST endpoint under the "orbeon" path.

Marek

> Or should I have to pass an access token even if I'm talking to the same
> server?
> Also, I want to use Orbeon in the same Tomcat, I set up crosscontext as
> true.
> I want it to be secure, but without setting up a security-constraint, it seems like
> Keycloak does not protect the orbeon path. But it should be protected and it should
> be possible to access it without passing an access token. Does this make sense? I do not
> know if I'm on the right track or not.
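
The security-constraint the question refers to, as an added example that is not part of the original thread: a `WEB-INF/web.xml` fragment for the webapp that should be protected. It assumes the Keycloak Tomcat adapter is already installed for that context; the role name `user` and the resource name are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Assumed prerequisites in the same webapp (not shown here):
    META-INF/context.xml registers the adapter valve
      org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve
    WEB-INF/keycloak.json holds the client configuration
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- The adapter only enforces login on URLs matched by a
       security-constraint that carries an auth-constraint.
       A URL that matches no constraint is served without any check. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected-app</web-resource-name> <!-- placeholder name -->
      <url-pattern>/*</url-pattern> <!-- every path inside this context -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name> <!-- placeholder realm/client role -->
    </auth-constraint>
  </security-constraint>

  <!-- The Tomcat adapter docs use BASIC here; the valve replaces the
       authenticator, and the realm-name value is not used. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>this is ignored currently</realm-name>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

With a constraint like this in place, a browser that already holds the session cookie is let through on later requests, while a caller without a session has to present a bearer token (or is sent to the login flow, depending on the client configuration).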