We do have WebSeal backed by Tivoli in our legacy application. The new REST endpoints are
built on top of the legacy EJB application. It is not an entirely new application. Slowly
the HTML5/Rest layers will replace the legacy system.
There could be others in the forum who have this setup. Any initial pointers?
Thanks,
Mohan
-----Original Message-----
From: Stian Thorgersen [mailto:stian@redhat.com]
Sent: Monday, February 02, 2015 1:43 PM
To: Radhakrishnan, Mohan (Cognizant)
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Rest endpoint and AngularJS client
----- Original Message -----
From: "Mohan Radhakrishnan" <Mohan.Radhakrishnan(a)cognizant.com>
To: keycloak-user(a)lists.jboss.org
Sent: Saturday, 31 January, 2015 1:42:39 PM
Subject: [keycloak-user] Rest endpoint and AngularJS client
Hi,
This is my first post. We have a large HealthCare domain Rest
application with an AngularJS client. We may require role-based access
control of HTML views. We can consult LDAP to get these. But due to
some internal reasons we are not going to use OAuth now. It may be a future enhancement.
Are these types of HTML5/JS applications still protected effectively
based on roles? I wanted to know before I start reading more about
Keycloak because OAuth is not used now.
An HTML5/JS application doesn't have any access control. All it can do is hide
features a user can't access. The access control has to be done on the REST endpoints.
This is a perfect fit for OpenID Connect.
When you login to Keycloak your app is given a token, that includes the roles the user can
access. These can then be used by the AngularJS app to enable/disable features. When
invoking REST endpoints the token is passed along, which then allows the REST endpoints to
verify if the user has access to the requested resource or not.
In summary Keycloak and OpenID Connect are perfect fits for the type of application
you're doing.
Thanks,
Mohan
This e-mail and any files transmitted with it are for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If you are not the intended recipient(s), please reply to
the sender and destroy all copies of the original message. Any
unauthorized review, use, disclosure, dissemination, forwarding,
printing or copying of this email, and/or any action taken in reliance
on the contents of this e-mail is strictly prohibited and may be
unlawful. Where permitted by applicable law, this e-mail and other
e-mail communications sent to and from Cognizant e-mail addresses may be monitored.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
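Stian's point that the REST endpoint, not the AngularJS view, has to enforce the roles, as an added example that is not code from this thread or from Keycloak itself: the endpoint verifies the bearer token's signature and expiry before it trusts the realm_access.roles claim that Keycloak puts in its access tokens, and it rejects a token whose role claim was edited. It assumes an HS256 demo secret (constructed so the example runs offline; a real Keycloak realm signs with RS256 and the adapter checks the realm public key) and a hypothetical "clinician" role.

```python
import base64, hmac, hashlib, json, time

# Constructed demo secret (assumption). A real Keycloak realm signs tokens with its
# RSA key (RS256); HS256 is used here only to keep the example dependency-free.
DEMO_SECRET = b"demo-secret-not-for-production"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_demo_token(roles, exp_offset=300):
    """Build a constructed token shaped like a Keycloak access token (realm_access.roles)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": "mohan", "exp": int(time.time()) + exp_offset,
                                         "realm_access": {"roles": list(roles)}}).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token):
    """Return the claims only if signature and expiry check out, else None.
    The signature is checked before any claim is read: a hidden button in the UI proves nothing."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse "none" and any algorithm other than the one we expect
        expected = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return None
    if claims.get("exp", 0) <= time.time():
        return None
    return claims

def patient_records_endpoint(authorization_header):
    """Server-side enforcement: 401 without a valid token, 403 without the required role."""
    if not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(authorization_header[len("Bearer "):])
    if claims is None:
        return 401, "invalid or expired token"
    roles = claims.get("realm_access", {}).get("roles", [])
    if "clinician" not in roles:  # hypothetical role name (assumption)
        return 403, "role 'clinician' required"
    return 200, f"records for {claims['sub']}"
```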