Tomcat: 403 The server understood the request but refuses to authorize it error after keycloak login

Time:09-27

I'm currently trying to configure a Tomcat 8 web application to use Keycloak as its identity provider. I followed the instructions in the official Keycloak documentation and also added the user role 'user' to my Keycloak realm, which the user should have to get access to the web app. In the web.xml I also added this role to the auth-constraint. Here's my web.xml:

<!-- Every URL of the web app requires an authenticated user holding the "user" role -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Customers</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<!-- Authentication is performed by the Keycloak adapter; the realm-name is a placeholder it ignores -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>this is ignored currently</realm-name>
</login-config>

<!-- Declares the role referenced in the auth-constraint above -->
<security-role>
    <role-name>user</role-name>
</security-role>

When I try to access a path (/*), Tomcat successfully redirects me to the Keycloak login page. But after logging in with a user that has the user role assigned, I only get the following error in my browser:

HTTP Status 403 – Forbidden - The server understood the request but refuses to authorize it

I'm expecting to be successfully redirected, as the logged-in user has the role that is given in the web.xml.

CodePudding user response:

I fixed it by myself. If anyone else has this problem: in my keycloak.json file, "use-resource-role-mappings" was set to true. After setting it to false, everything worked.
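Why that switch matters, as an added illustration that is not part of the original post and not Keycloak's adapter code: the Tomcat adapter reads roles from one of two claims of the access token. With "use-resource-role-mappings": true it looks at resource_access.<client-id>.roles (client roles of the application); with false (the documented default) it looks at realm_access.roles (realm roles). The asker created "user" as a realm role, so under true the adapter found no roles for the client and the container answered 403. The script below reproduces that decision with a constructed token payload and two constructed keycloak.json files; the client id my-webapp, the realm demo and the user alice are assumptions, and the functions mimic the adapter's documented behaviour rather than calling it.

```python
import json

# Assumed client id of the Tomcat web app (the "resource" in keycloak.json).
CLIENT_ID = "my-webapp"

# Constructed decoded access-token payload (not a real token): the user holds the
# realm role "user" but no client roles for my-webapp, as in the question.
REALM_ROLE_TOKEN = {
    "preferred_username": "alice",
    "azp": CLIENT_ID,
    "realm_access": {"roles": ["user", "offline_access"]},
    "resource_access": {
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}

# Constructed token for the alternative fix: "user" created and assigned as a
# *client* role of my-webapp, so it appears under resource_access instead.
CLIENT_ROLE_TOKEN = {
    "preferred_username": "alice",
    "azp": CLIENT_ID,
    "realm_access": {"roles": ["offline_access"]},
    "resource_access": {
        CLIENT_ID: {"roles": ["user"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}

# Constructed keycloak.json matching the question (switch set to true) ...
KEYCLOAK_JSON_BEFORE = """{
  "realm": "demo",
  "auth-server-url": "https://keycloak.example.com/",
  "ssl-required": "external",
  "resource": "my-webapp",
  "credentials": { "secret": "REDACTED" },
  "use-resource-role-mappings": true
}"""

# ... and after the accepted fix (switch set to false).
KEYCLOAK_JSON_AFTER = KEYCLOAK_JSON_BEFORE.replace(
    '"use-resource-role-mappings": true', '"use-resource-role-mappings": false'
)

# The <role-name> entries of the web.xml <auth-constraint> from the question.
AUTH_CONSTRAINT_ROLES = ["user"]


def use_resource_role_mappings(keycloak_json_text):
    """Read the switch from keycloak.json; Keycloak documents its default as false."""
    cfg = json.loads(keycloak_json_text)
    return bool(cfg.get("use-resource-role-mappings", False))


def effective_roles(token, client_id, resource_role_mappings):
    """Roles the adapter consults: resource_access.<client-id>.roles when the
    switch is true, realm_access.roles when it is false."""
    if resource_role_mappings:
        return set(token.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return set(token.get("realm_access", {}).get("roles", []))


def authorize(token, client_id, keycloak_json_text, auth_constraint_roles):
    """Container decision for the <security-constraint>: 200 if the user holds any
    role listed in the <auth-constraint>, 403 otherwise."""
    roles = effective_roles(token, client_id, use_resource_role_mappings(keycloak_json_text))
    return 200 if roles & set(auth_constraint_roles) else 403


if __name__ == "__main__":
    cases = (("realm role only", REALM_ROLE_TOKEN), ("client role", CLIENT_ROLE_TOKEN))
    configs = (("true", KEYCLOAK_JSON_BEFORE), ("false", KEYCLOAK_JSON_AFTER))
    for label, token in cases:
        for cfg_label, cfg in configs:
            status = authorize(token, CLIENT_ID, cfg, AUTH_CONSTRAINT_ROLES)
            print(f"{label:16s} use-resource-role-mappings={cfg_label:5s} -> {status}")
```

Two practical notes. To see which case you are in, decode the access token the user receives and check whether "user" sits under realm_access.roles or under resource_access.<client-id>.roles; the adapter only ever reads one of the two. And flipping the switch to false admits every user of the realm who holds the realm role "user", across all clients; if the application should only admit users explicitly granted access to this client, the tighter fix is to keep true and define and assign "user" as a client role of the resource, which is the second token in the script.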
