For app-jee _keycloak-examples) or app-jee-jsp (keycloak-quickstarts) , if you attempt to login but the user does not have the proper roles (i.e. user) you get a Forbidden (as expected). But then if you go to xxx/app-jee or xxx/app-jsp it looks like you are logged in (page shows Logout and Account buttons). This is the case with keycloak-examples and keycloak-quickstarts. I suspect this is an issue with the example/quickstart app itself.