diff --git a/examples/fuse/customer-app-fuse/src/main/webapp/customers/cxf-rs.jsp b/examples/fuse/customer-app-fuse/src/main/webapp/customers/cxf-rs.jsp
index b9e2f319b8..c8d3fd1fb1 100755
--- a/examples/fuse/customer-app-fuse/src/main/webapp/customers/cxf-rs.jsp
+++ b/examples/fuse/customer-app-fuse/src/main/webapp/customers/cxf-rs.jsp
@@ -4,6 +4,8 @@
 <%@ page import="org.keycloak.constants.ServiceUrlConstants" %>
 <%@ page import="org.keycloak.example.CxfRsClient" %>
 <%@ page import="org.keycloak.representations.IDToken" %>
+<%@ page import="org.keycloak.common.util.UriUtils"%>
+<%@ page import="org.keycloak.KeycloakSecurityContext"%>
 <%@ page session="false" %>
 <html>
 <head>
@@ -16,6 +18,7 @@
     String acctUri = KeycloakUriBuilder.fromUri("http://localhost:8080/auth").path(ServiceUrlConstants.ACCOUNT_SERVICE_PATH)
             .queryParam("referrer", "customer-portal").build("demo").toString();
     IDToken idToken = CxfRsClient.getIDToken(request);
+    KeycloakSecurityContext kSession = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
 %>
 <p>Goto: <a href="/product-portal">products</a> | <a href="<%=logoutUri%>">logout</a> | <a
         href="<%=acctUri%>">manage acct</a></p>
@@ -28,6 +31,7 @@ Servlet User Principal <b><%=request.getUserPrincipal().getName()%>
 <p>First: <%=idToken.getGivenName()%></p>
 <p>Last: <%=idToken.getFamilyName()%></p>
 <h2>Customer Listing</h2>
+<p><b>curl</b> -H "Authorization: Bearer <%=kSession.getTokenString()%>" <%=UriUtils.getOrigin(request.getRequestURL().toString()) + "/cxf/customerservice/customers"%></p>
 <%
     java.util.List<String> list = null;
     try {
diff --git a/examples/fuse/cxf-jaxrs-fuse7-undertow/src/main/resources/OSGI-INF/blueprint/blueprint.xml b/examples/fuse/cxf-jaxrs-fuse7-undertow/src/main/resources/OSGI-INF/blueprint/blueprint.xml
index 4c9d6cf9ff..ba2c111771 100644
--- a/examples/fuse/cxf-jaxrs-fuse7-undertow/src/main/resources/OSGI-INF/blueprint/blueprint.xml
+++ b/examples/fuse/cxf-jaxrs-fuse7-undertow/src/main/resources/OSGI-INF/blueprint/blueprint.xml
@@ -36,34 +36,4 @@
         </jaxrs:serviceBeans>
     </jaxrs:server>
 
-
-    <!-- Securing of whole /cxf context by unregister default cxf servlet from paxweb and re-register with applied security constraints -->
-    <bean id="cxfConstraintMapping" class="org.keycloak.adapters.osgi.PaxWebSecurityConstraintMapping">
-        <property name="roles">
-            <list>
-                <value>user</value>
-            </list>
-        </property>
-        <property name="url" value="/cxf/*" />
-        <property name="authentication" value="true"/>
-    </bean>
-
-    <bean id="cxfKeycloakPaxWebIntegration" class="org.keycloak.adapters.osgi.undertow.PaxWebIntegrationService"
-          init-method="start" destroy-method="stop">
-        <property name="bundleContext" ref="blueprintBundleContext" />
-        <property name="constraintMappings">
-            <list>
-                <ref component-id="cxfConstraintMapping" />
-            </list>
-        </property>
-    </bean>
-
-    <bean id="defaultCxfReregistration" class="org.keycloak.adapters.osgi.ServletReregistrationService" depends-on="cxfKeycloakPaxWebIntegration"
-          init-method="start" destroy-method="stop">
-        <property name="bundleContext" ref="blueprintBundleContext" />
-        <property name="managedServiceReference">
-            <reference interface="org.osgi.service.cm.ManagedService" filter="(service.pid=org.apache.cxf.osgi)" timeout="5000"  />
-        </property>
-    </bean>
-
 </blueprint>
diff --git a/testsuite/integration-arquillian/servers/app-server/karaf/fuse70/src/main/resources/cxf-customerservice-keycloak.json b/testsuite/integration-arquillian/servers/app-server/karaf/fuse70/src/main/resources/cxf-customerservice-keycloak.json
new file mode 100644
index 0000000000..d0e4ad4d32
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/app-server/karaf/fuse70/src/main/resources/cxf-customerservice-keycloak.json
@@ -0,0 +1,10 @@
+{
+    "realm": "demo",
+    "resource": "builtin-cxf-app",
+    "auth-server-url": "http://localhost:8080/auth",
+    "ssl-required" : "external",
+    "bearer-only": true,
+    "credentials": {
+        "secret": "password"
+    }
+}
diff --git a/testsuite/integration-arquillian/servers/app-server/karaf/fuse70/src/main/resources/update-config-auth.cli b/testsuite/integration-arquillian/servers/app-server/karaf/fuse70/src/main/resources/update-config-auth.cli
index 7e38734522..b8ac3643f8 100644
--- a/testsuite/integration-arquillian/servers/app-server/karaf/fuse70/src/main/resources/update-config-auth.cli
+++ b/testsuite/integration-arquillian/servers/app-server/karaf/fuse70/src/main/resources/update-config-auth.cli
@@ -1,3 +1,12 @@
+config:edit --factory --alias cxf org.ops4j.pax.web.context
+config:property-set bundle.symbolicName org.apache.cxf.cxf-rt-transports-http
+config:property-set context.id default
+config:property-set context.param.keycloak.config.resolver org.keycloak.adapters.osgi.HierarchicalPathBasedKeycloakConfigResolver
+config:property-set login.config.authMethod KEYCLOAK
+config:property-set security.cxf.url /cxf/customerservice/*
+config:property-set security.cxf.roles "admin, user"
+config:update
+
 config:edit org.apache.karaf.shell
 config:property-set sshRealm keycloak
 config:update
diff --git a/testsuite/integration-arquillian/servers/app-server/karaf/fuse70/src/main/resources/update-config.cli b/testsuite/integration-arquillian/servers/app-server/karaf/fuse70/src/main/resources/update-config.cli
index b1e19c0f6d..53968ecc46 100644
--- a/testsuite/integration-arquillian/servers/app-server/karaf/fuse70/src/main/resources/update-config.cli
+++ b/testsuite/integration-arquillian/servers/app-server/karaf/fuse70/src/main/resources/update-config.cli
@@ -1,11 +1,7 @@
 config:edit org.ops4j.pax.url.mvn
 config:property-set org.ops4j.pax.url.mvn.localRepository ${maven.repo.local}
 config:property-set org.ops4j.pax.url.mvn.settings ${maven.local.settings}
-config:property-append org.ops4j.pax.url.mvn.repositories ${repositories}
-config:update
-
-config:edit org.ops4j.pax.web
-config:property-set org.ops4j.pax.web.config.file '${karaf.etc}/undertow.xml'
+config:property-append org.ops4j.pax.url.mvn.repositories "${repositories}"
 config:update
 
 config:edit jmx.acl.org.apache.karaf.security.jmx
diff --git a/testsuite/integration-arquillian/servers/app-server/karaf/pom.xml b/testsuite/integration-arquillian/servers/app-server/karaf/pom.xml
index d2aeb5d0b8..efa903deaa 100644
--- a/testsuite/integration-arquillian/servers/app-server/karaf/pom.xml
+++ b/testsuite/integration-arquillian/servers/app-server/karaf/pom.xml
@@ -139,6 +139,7 @@
                                             <includes>
                                                 <include>users.properties</include>
                                                 <include>keycloak-bearer.json</include>
+                                                <include>cxf-customerservice-keycloak.json</include>
                                                 <include>keycloak-direct-access.json</include>
                                                 <include>keycloak-hawtio-client.json</include>
                                                 <include>keycloak-hawtio.json</include>
@@ -189,7 +190,7 @@
                                 </configuration>
                             </execution>
                         </executions>
-                    </plugin>                    
+                    </plugin>
                 </plugins>
             </build>
         </profile>
