In order to secure web services offered by the Java EE application, usually security on the servlet layer is used. This is the case for all technology that is built on top of servlets such as JAX-RS. Security features are configured using the servlet deployment descriptor, that is, the web.xml file.

This can happen in several ways such as form-based authentication, HTTP basic access authentication, or client certificates.

Similarly, security solutions such as Keycloak ship their own implementations of adapters and servlet filters. Developers usually just need to configure these components to use the security provider.