Hi Dmitry,
I think what I am seeing now can be explained by this bug:
https://issues.jboss.org/browse/KEYCLOAK-2784
Historically my application would allow non-authenticated users to browse most pages, but
if you login you see more content. Before converting to Keycloak I was using the Java
Servlet container managed security programmatic login. Now I have an anchor (link) to
Keycloak. It seems I might need to set up some tricks as it appears the Wildfly client
adapter doesn't support this use-case of tracking authenticated users on
programmatically-protected (non-container protected) pages.
Also, for completeness, I forgot to add in the last email that to get around the localhost
proxy issue I actually had to add an Apache rule 'RequestHeader set X-Forwarded-Proto
"https"' and also update Wildfly with the following commands on the CLI:
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
I also had to configure a trust store in Wildfly (cacerts file) with my Keycloak server
PKI certificate.
If I navigate to one of the few fully container protected pages the username (principal)
does become recognized - although it is an unfriendly format: "f:<user storage
ID>:<username>"
Ryan
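Added illustration for the proxy fix above (this is not code from the thread, Keycloak, WildFly or Apache): a small Python model of how a servlet container behind a reverse proxy derives the request origin that the Keycloak adapter places in redirect_uri, with and without Undertow's proxy-address-forwarding, plus a checker for the Location header of the resulting redirect that can be run on the output of something like `curl -sI https://myserver.example.com/app/secure`. It also shows the caveat that goes with that fix: once proxy-address-forwarding=true, Undertow takes X-Forwarded-Proto/Host/Port from whichever peer sent them, so with the http-listener bound to 0.0.0.0 (as in the first message) a client that reaches port 8080 directly can supply its own values. Keep the `RequestHeader set` form, which replaces any client-supplied header at the proxy, and expose 8080 only to the proxy. The redirect-socket/proxy-https setting is not modelled. myserver.example.com comes from the thread; keycloak.example.com, evil.example, the client id wildfly-app, the /app/secure path and the header sets are constructed.

```python
# Added illustration; not Keycloak, WildFly or Apache code.  Simplified model
# of how a container behind a reverse proxy derives the origin that ends up
# in the Keycloak redirect_uri, plus a checker for the redirect's Location
# header.  myserver.example.com is from the thread; keycloak.example.com,
# evil.example, wildfly-app and /app/secure are constructed placeholders.
from urllib.parse import parse_qs, urlencode, urlsplit

PUBLIC_ORIGIN = "https://myserver.example.com"
AUTH_ENDPOINT = ("https://keycloak.example.com/auth/realms/demo"
                 "/protocol/openid-connect/auth")  # constructed


def first_header_value(headers, name):
    """Case-insensitive lookup; a comma-separated value (several proxies in
    a row) is reduced to its first element."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.split(",")[0].strip()
    return None


def normalize_origin(scheme, host):
    """'scheme://host[:port]' with the default port dropped, so that
    https://myserver.example.com:443 and https://myserver.example.com match."""
    hostname, _, port = host.partition(":")
    default = "443" if scheme == "https" else "80"
    if port in ("", default):
        return f"{scheme}://{hostname}"
    return f"{scheme}://{hostname}:{port}"


def request_origin(headers, listener_port=8080, proxy_address_forwarding=False):
    """Origin the container believes the browser used (simplified Undertow).

    proxy-address-forwarding=false: scheme is the listener's own (plain http)
    and host is whatever Host header arrived.  mod_proxy rewrites Host to the
    ProxyPass target unless ProxyPreserveHost is on, so a rule pointing at
    http://localhost:8080/ yields http://localhost:8080 as the origin.
    proxy-address-forwarding=true: X-Forwarded-Proto/Host/Port override that,
    whoever sent them; the listener cannot tell the proxy from a direct client.
    """
    scheme = "http"
    host = first_header_value(headers, "Host") or f"localhost:{listener_port}"
    if proxy_address_forwarding:
        scheme = first_header_value(headers, "X-Forwarded-Proto") or scheme
        host = first_header_value(headers, "X-Forwarded-Host") or host
        port = first_header_value(headers, "X-Forwarded-Port")
        if port:
            host = f"{host.partition(':')[0]}:{port}"
    return normalize_origin(scheme, host)


def keycloak_login_location(redirect_uri, client_id="wildfly-app"):
    """Location header an OIDC adapter sends to an unauthenticated browser."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code", "scope": "openid"})
    return f"{AUTH_ENDPOINT}?{query}"


def redirect_uri_from_location(location):
    """Pull redirect_uri out of a Location header, e.g. one captured with
    'curl -sI https://myserver.example.com/app/secure'."""
    values = parse_qs(urlsplit(location).query).get("redirect_uri")
    return values[0] if values else None


def check_redirect_uri(location, expected_origin=PUBLIC_ORIGIN):
    """True when redirect_uri carries the public origin.  Compares the whole
    origin rather than a string prefix, so a host such as
    myserver.example.com.evil.example does not pass."""
    uri = redirect_uri_from_location(location)
    if uri is None:
        return False
    parts = urlsplit(uri)
    if not parts.scheme or not parts.hostname:
        return False
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    return normalize_origin(parts.scheme, host) == expected_origin


def scenarios():
    """Three requests as they reach the WildFly http-listener (constructed)."""
    # 1. 'ProxyPass / http://localhost:8080/' with mod_proxy defaults (which
    #    add X-Forwarded-Host) and proxy-address-forwarding left at false.
    proxy_default = {"Host": "localhost:8080",
                     "X-Forwarded-Host": "myserver.example.com"}
    # 2. Proxy rule using the real hostname, Apache 'RequestHeader set
    #    X-Forwarded-Proto "https"' and proxy-address-forwarding=true.
    proxy_fixed = {"Host": "myserver.example.com",
                   "X-Forwarded-Host": "myserver.example.com",
                   "X-Forwarded-Proto": "https"}
    # 3. A client connecting straight to 0.0.0.0:8080 with its own headers.
    direct_spoofed = {"Host": "myserver.example.com",
                      "X-Forwarded-Proto": "https",
                      "X-Forwarded-Host": "evil.example"}
    return {
        "default": request_origin(proxy_default),
        "fixed": request_origin(proxy_fixed, proxy_address_forwarding=True),
        "spoofed": request_origin(direct_spoofed, proxy_address_forwarding=True),
    }


if __name__ == "__main__":
    for name, origin in scenarios().items():
        loc = keycloak_login_location(origin + "/app/secure")
        print(f"{name:8} origin={origin:32} redirect_uri ok={check_redirect_uri(loc)}")
```

The "default" scenario reproduces the localhost redirect_uri from the first message, "fixed" reproduces the working state after the Apache and CLI changes, and "spoofed" is the case the listener binding on 0.0.0.0 leaves open. To run the checker against a live deployment, paste the Location header from `curl -sI` into `check_redirect_uri`; it returns False for the back-end address, for http where https is expected, and for a look-alike host.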
----- Original Message -----
From: "Ryan Slominski" <ryans(a)jlab.org>
To: "Dmitry Telegin" <dt(a)acutus.pro>
Cc: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Thursday, August 9, 2018 8:06:08 AM
Subject: Re: [keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost
Hi Dmitry,
Yes, that seems to be it. I am using Apache reverse proxy to get my Wildfly application
on port 8080 accessible over port 443. My proxy rule was using localhost instead of
myserver.example.com and after replacing localhost with actual hostname now it seems to be
working. I say seems to be working because I now get past the localhost redirect issue,
but it doesn't seem like the servlet container acknowledges I'm logged in. I am
redirected back to the application with a parameter session_state=<long string of
characters and numbers>. However, the EL expression on the return page:
"${pageContext.request.userPrincipal eq null}" is showing true - suggesting that
the Wildfly servlet container doesn't know I'm logged in. Does the Wildfly client
adapter not integrate with container managed security?
Thanks,
Ryan
----- Original Message -----
From: "Dmitry Telegin" <dt(a)acutus.pro>
To: "Ryan Slominski" <ryans(a)jlab.org>, "keycloak-user"
<keycloak-user(a)lists.jboss.org>
Sent: Wednesday, August 8, 2018 7:23:54 PM
Subject: Re: [keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost
Hi Ryan,
Is your Wildfly (not Keycloak) behind a reverse proxy?
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2018-08-08 at 16:34 -0400, Ryan Slominski wrote:
Hi Keycloak Users,
I'm attempting to set up a Wildfly application as a client to Keycloak and an issue
I'm seeing is that if I navigate my web browser to a protected resource I am
redirected to Keycloak as expected, but the return URL (redirect_uri parameter) is to
localhost, not back to my actual hostname, say "myserver.example.com". This
breaks the process with the Keycloak error "Invalid parameter:
redirect_uri". How do I configure the Wildfly client adapter to generate a
redirect_uri to my actual hostname instead of to localhost? When I browse my Wildfly
application on unprotected pages I'm using the actual hostname already. In Wildfly
standalone.xml I've set inet-address for public to 0.0.0.0 to replace
127.0.0.1. I've also updated the host element default-host alias to match
myserver.example.com to replace "localhost". Neither of those changes made a
difference.
Thanks,
Ryan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...