Generic JWT plugin policy
by Marc Savy
Hi,
I just pushed a (very simple) generic JWT plugin policy to master.
To try it out right now you will need to build it. Just check out the
apiman/apiman-plugins repo and execute `mvn clean install`. The plugin
coordinates will be G: io.apiman.plugins A: apiman-plugins-jwt-policy V:
1.2.9-SNAPSHOT.
It isn't yet as feature-rich as the Keycloak plugin, but you can:
- Require JWT.
- Require claims (e.g. sub = foo).
- Require transport security (TLS, SSL).
- Require JWT be cryptographically signed (aka. JWS).
- Validate JWT against a provided public key.
- Remove auth tokens (prevent them reaching the backend).
- Set maximum clock skew.
I'll expand on this shortly to add something that will hopefully add some
commonly-used features from the Keycloak plugin:
- Allow extraction of roles for authorization
- Forward token fields as headers (e.g. X-Sub = sub)
Regards,
Marc
7 years, 4 months
How to configure CORS in APIMan? Problems with Headers in ajax
by Celso Agra
Hi all,
It's me again!
So, I was looking for some solutions about my issue, and I found this:
https://issues.jboss.org/browse/APIMAN-516
It seems this issue still occurs with me. I tries to send some headers via
ajax, and get this response:
> XMLHttpRequest cannot load https://apiman.url. Response to preflight
> request doesn't pass access control check: No 'Access-Control-Allow-Origin'
> header is present on the requested resource. Origin '
> http://192.168.56.22:8080' is therefore not allowed access. The response
> had HTTP status code 500.
Here is the Response Headers:
> Connection:close
> Content-Type:application/json
> Date:Wed, 28 Dec 2016 13:54:08 GMT
> Server:Apache/2.4.18 (Ubuntu)
> Transfer-Encoding:chunked
> X-Gateway-Error:API not public.
> X-Powered-By:Undertow/1
and
Here is the Request Headers:
> Accept:*/*
> Accept-Encoding:gzip, deflate, sdch, br
> Accept-Language:pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4
> Access-Control-Request-Headers:authorization, x-api-key
> Access-Control-Request-Method:GET
> Connection:keep-alive
> Host: apiman.url
> Origin:http://192.168.56.22:8080
> Referer:http://192.168.56.22:8080/app
> User-Agent:Mozilla/5.0 ...
> Query String Parameters
> view source
> view URL encoded
Does anyone has the same problem?
Best regards,
--
---
*Celso Agra*
7 years, 4 months
No Access-Control-Allow-Origin header occurs when I call via Ajax
by Celso Agra
Hi all,
I'm new on apiman, and I'm trying to use some API calls with Jquery. But
unfortunatelly I got this error:
XMLHttpRequest cannot load
https://apigtw.url/apiman-gateway/<org>/<service>/1.0/<method>?apikey=9999999-8888-6666-33333-968a712ce68b.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'http://myapp.local' is therefore not allowed access.
> The response had HTTP status code 500.
So, Should I miss something on apiman configuration?
Please, need help
Best regards,
--
---
*Celso Agra*
7 years, 4 months
