"Forbidden" after logging into DCM4CHEE via Keycloak

in...@linuxfabrik.ch

Jun 2, 2017, 7:27:50 AM
to dcm4che
My setup:
  • DCM4CHEE v5.10.2
  • WildFly 10.1.0 Final
  • Keycloak v3.1.0 Final (both WildFly Adapter and Overlay)
  • Users are maintained within Keycloak, not in LDAP
  • MariaDB 10.1.24

Without authentication, DCM4CHEE works fine - I am able to store and retrieve studies as expected.


With authentication I am able to log in, but after that I get a "Forbidden": if I call http://myip:8080/dcm4chee-arc/ui2/, it redirects me to the login page, where I am successfully authenticated. I increased the root log level to "ALL", which looks fine - except that I do not see why I get the "Forbidden" message:


2017-06-02 13:18:18,198 DEBUG [io.undertow.request.security] (default task-24) Authentication result was AUTHENTICATED for HttpServerExchange{ GET /dcm4chee-arc/ui2/ request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8], Accept-Language=[en-US,en;q=0.8], Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, sdch], User-Agent=[Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36], Connection=[keep-alive], Cookie=[JSESSIONID=tjXPup...pacs], Referer=[http://myip:8080/auth/realms/dcm4che/protocol/openid-connect/auth?response_type=code&client_id=dcm4chee-arc-ui&redirect_uri=http%3A%2F%2Fmyip%3A8080%2Fdcm4chee-arc%2Fui2%2F&state=59ae2...378&login=true&scope=openid], Upgrade-Insecure-Requests=[1], Host=[myip:8080]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-Powered-By=[Undertow/1], Server=[WildFly/10], Pragma=[no-cache]}}
2017-06-02 13:18:18,199 DEBUG [org.keycloak.adapters.KeycloakDeployment] (default task-24) resolveUrls
2017-06-02 13:18:18,199 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-24) AuthenticatedActionsValve.invoke http://myip:8080/dcm4chee-arc/ui2/
2017-06-02 13:18:18,199 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-24) Policy enforcement is disabled.
2017-06-02 13:18:18,199 TRACE [io.undertow.server.HttpServerExchange] (default task-24) Starting to write response for HttpServerExchange{ GET /dcm4chee-arc/ui2/ request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8], Accept-Language=[en-US,en;q=0.8], Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, sdch], User-Agent=[Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36], Connection=[keep-alive], Cookie=[JSESSIONID=tjXPu...pacs], Referer=[http://myip:8080/auth/realms/dcm4che/protocol/openid-connect/auth?response_type=code&client_id=dcm4chee-arc-ui&redirect_uri=http%3A%2F%2Fmyip%3A8080%2Fdcm4chee-arc%2Fui2%2F&state=59ae2c...a2a378&login=true&scope=openid], Upgrade-Insecure-Requests=[1], Host=[myip:8080]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-Powered-By=[Undertow/1], Server=[WildFly/10], Pragma=[no-cache], Date=[Fri, 02 Jun 2017 11:18:18 GMT], Connection=[keep-alive], Content-Type=[text/html;charset=UTF-8], Content-Length=[68]}}

My browser gets redirected to http://myip:8080/dcm4chee-arc/ui2/, which leads to the "Forbidden" message.


How do I resolve the "Forbidden" problem?

in...@linuxfabrik.ch

Jun 2, 2017, 7:48:48 AM
to dcm4che
I got it. In Keycloak, the user "admin" has to belong to both roles "admin" AND "user", not just to the role "admin" (as stated in the documentation), which was my fault.
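
Added example, not part of the original posts or of the dcm4che or Keycloak code: the log above shows AUTHENTICATED followed by "Forbidden", which points at role authorization rather than login. This sketch decodes a Keycloak access token's realm_access.roles claim and reports which required realm roles are missing. The required set ("admin" and "user") is an assumption taken from the resolution in the thread, and the tokens are constructed sample data whose signature is not verified (diagnostic use only).

```python
import base64
import json

# Assumption taken from the resolution in the thread: the UI needs both realm roles.
REQUIRED_ROLES = {"user", "admin"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> dict:
    """Return the payload of a JWT. Diagnostic only: the signature is NOT verified."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(access_token: str, required=REQUIRED_ROLES) -> set:
    """Realm roles required by the application but absent from the token."""
    claims = token_claims(access_token)
    # Keycloak puts realm-level roles in realm_access.roles; the claim may be absent.
    granted = set(claims.get("realm_access", {}).get("roles", []))
    return set(required) - granted


def make_sample_token(username: str, roles: list) -> str:
    """Build a constructed token with a placeholder signature for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"preferred_username": username, "realm_access": {"roles": roles}}
    return f"{enc(header)}.{enc(payload)}.constructed-signature"


if __name__ == "__main__":
    for roles in (["admin"], ["admin", "user"]):
        token = make_sample_token("admin", roles)
        gap = missing_roles(token)
        verdict = "403 Forbidden expected" if gap else "role check passes"
        print(f"roles={roles}: missing={sorted(gap)} -> {verdict}")
```
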