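=== Securing a WAR

This section describes how to secure a WAR directly by adding configuration and editing files within your WAR package.

Once `keycloak-saml.xml` is created and in the `WEB-INF` directory of your WAR, you must set the `auth-method` to `KEYCLOAK-SAML` in `web.xml`.
You also have to use standard servlet security to specify role-based constraints on your URLs.
Here's an example _web.xml_ file:

[source,xml]
----
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <module-name>customer-portal</module-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admins</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customers</web-resource-name>
            <url-pattern>/customers/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <!-- The only non-standard value: selects the Keycloak SAML adapter -->
        <auth-method>KEYCLOAK-SAML</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
----

All settings are standard servlet settings except the `auth-method` setting.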
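
The following check is an added example, not part of the Keycloak documentation or code base. It audits a `web.xml` for the points described above: the `KEYCLOAK-SAML` `auth-method`, a role constraint and `CONFIDENTIAL` transport on every protected URL, and a `security-role` entry for each role used. The function name `audit_web_xml` and the sample descriptor are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the page: wrong auth-method, and /customers/*
# has no transport guarantee and uses a role with no <security-role> entry.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/customers/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""


def _all(elem, name):
    """Descendants with the given local name, ignoring any XML namespace."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def _texts(elem, name):
    return [(e.text or "").strip() for e in _all(elem, name)]


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    if _texts(root, "auth-method") != ["KEYCLOAK-SAML"]:
        findings.append("login-config: auth-method is not KEYCLOAK-SAML")
    declared = {r for sr in _all(root, "security-role") for r in _texts(sr, "role-name")}
    for sc in _all(root, "security-constraint"):
        urls = ", ".join(_texts(sc, "url-pattern"))
        if not _all(sc, "auth-constraint"):
            findings.append(f"{urls}: no auth-constraint, so no role is required")
        for role in _texts(sc, "role-name"):
            if role not in declared and role not in ("*", "**"):
                findings.append(f"{urls}: role '{role}' has no security-role entry")
        if _texts(sc, "transport-guarantee") != ["CONFIDENTIAL"]:
            findings.append(f"{urls}: transport-guarantee is not CONFIDENTIAL")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_web_xml(SAMPLE_WEB_XML)))
```

Run against a packaged application, the input would be the text of `WEB-INF/web.xml` read from the WAR.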