Sure thing! The problem is that the web.xml file in the
apiman-gateway-api.war web application is too restrictive. This is what
I mean:
https://github.com/apiman/apiman/blob/master/gateway/platforms/war/wildfl...
That security constraint is too restrictive. The
<web-resource-collection> should specify which HTTP methods to secure.
Because it doesn't do this, *all* of the HTTP methods are secured by
default. Here is an example that does it correctly with respect to CORS:
https://github.com/apiman/apiman/blob/master/manager/api/war/wildfly8/src...
So here's what you need to do:
1) unpack WILDFLY/standalone/deployments/apiman-gateway-api.war
2) open the WEB-INF/web.xml file in a text editor
3) add the following XML markup after line 43:
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>HEAD</http-method>
4) save the web.xml changes
5) re-zip everything, resulting in a new version of
apiman-gateway-api.war
6) deploy the new version of apiman-gateway-api.war to WildFly,
replacing the old version
7) start WildFly
8) profit!
-Eric
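
Added example, not part of the original message and not apiman code: a small Python check that reads a web.xml and reports which HTTP methods its security constraints force through authentication, run on a constructed descriptor before and after the five `<http-method>` lines from step 3. The sample XML, the role name and the function names are assumptions made for illustration, and `url-pattern` matching is left out.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Drop the XML namespace so any web.xml schema version is handled."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def constrained(collection, method):
    """True if this web-resource-collection applies its constraint to `method`."""
    listed = {m.text.strip().upper() for m in children(collection, "http-method")}
    omitted = {m.text.strip().upper() for m in children(collection, "http-method-omission")}
    if listed:
        return method in listed
    if omitted:
        return method not in omitted
    return True  # no method elements at all: every HTTP method is secured

def methods_requiring_auth(web_xml, methods):
    """Subset of `methods` covered by a constraint carrying an auth-constraint.
    Simplification: url-pattern is ignored, as if every request matched."""
    secured = set()
    for elem in ET.fromstring(web_xml).iter():
        if local(elem.tag) != "security-constraint" or not children(elem, "auth-constraint"):
            continue  # not a constraint, or one that demands no login
        for coll in children(elem, "web-resource-collection"):
            secured |= {m for m in methods if constrained(coll, m)}
    return secured

# Constructed sample descriptor, not the real apiman-gateway-api web.xml.
TEMPLATE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>api</web-resource-name>
      <url-pattern>/*</url-pattern>{methods}
    </web-resource-collection>
    <auth-constraint><role-name>example-role</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
FIX = ("GET", "POST", "PUT", "DELETE", "HEAD")  # the five methods from step 3
BEFORE = TEMPLATE.format(methods="")
AFTER = TEMPLATE.format(methods="".join(f"<http-method>{m}</http-method>" for m in FIX))
PROBE = list(FIX) + ["OPTIONS", "PATCH", "TRACE"]

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER)):
        print(name, sorted(methods_requiring_auth(doc, PROBE)))
```

In the "after" case PATCH and TRACE fall outside the constraint along with OPTIONS: an explicit `<http-method>` list secures only the methods it names.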
On 7/22/2016 8:23 AM, Jairo Junior wrote:
I would like the workaround. =)
On Fri, Jul 22, 2016 at 9:15 AM Eric Wittmann <eric.wittmann(a)redhat.com> wrote:
Thanks for the info. You've hit a bug in apiman, unfortunately. I have
created a ticket for this bug here:
https://issues.jboss.org/browse/APIMAN-1209
You can resolve (work around) this issue locally (without rebuilding
apiman) or you can wait for us to fix the bug and release a new version.
If you would like instructions on how to work around the bug locally
let me know.
-Eric
On 7/22/2016 7:55 AM, Jairo Junior wrote:
> EAP 7.0 + apiman 1.2.7 overlay, but I've also tried with docker image
> apiman/on-wildfly10:1.2.7.Final
>
> /apiman-gateway/org/service/1.0 with Keycloak OAuth Policy
>
> On Fri, Jul 22, 2016 at 8:29 AM Eric Wittmann <eric.wittmann(a)redhat.com> wrote:
>
> Apiman should allow OPTIONS requests without requiring authorization.
> What is your setup/configuration (which app server, etc)? Also what
> apiman REST endpoints are you trying to access?
>
> -Eric
>
> On 7/22/2016 7:22 AM, Jairo Junior wrote:
> > I've been trying to set up apiman + keycloak-oauth-plugin + keycloak +
> > keycloak.js with a client-side angularjs app and a REST API. It's a
> > scenario very similar to
> > https://github.com/keycloak/keycloak/tree/master/examples/demo-template/a...,
> > but with apiman and CORS.
> >
> > My tests are going well with curl, but using my javascript app the
> > browser is performing a CORS preflight OPTIONS request without
> > authorization header.
> >
> > OPTIONS request works well with authorization header using curl,
> > therefore, I'm not sure whether the browser should include authorization
> > header or apiman should allow CORS preflight requests (OPTIONS) without
> > authorization header.
> >