Kai Jemella created DROOLS-1350:
-----------------------------------
Summary: 401 Unauthorized kie-server rest api preflight call error ->
change web.xml security constraints
Key: DROOLS-1350
URL: https://issues.jboss.org/browse/DROOLS-1350
Project: Drools
Issue Type: Bug
Components: kie server
Affects Versions: 7.0.0.Beta2
Reporter: Kai Jemella
Assignee: Edson Tirelli
Attachments: kie-server_cors_preflight_401.png
Using the kie-server REST API with a javascript framework like angular2 results in a [CORS Preflight W3C|https://www.w3.org/TR/cors/#resource-preflight-requests] response 401:
{code}
zone.js:1274 OPTIONS
http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/re...
XMLHttpRequest cannot load
http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/re....
Response for preflight has invalid HTTP status code 401
{code}
CORS response headers are set; this is not the problem:
{code}
# filter references
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Origin:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Methods:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Headers:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Credentials:add
# filter
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Origin:add(header-name=Access-Control-Allow-Origin,header-value="*")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Methods:add(header-name=Access-Control-Allow-Methods,header-value="GET, PUT, POST, OPTIONS, DELETE")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Headers:add(header-name=Access-Control-Allow-Headers,header-value="accept, authorization, content-type, x-requested-with, X-KIE-ContentType")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Credentials:add(header-name=Access-Control-Allow-Credentials,header-value="true")
{code}
The problem is caused by the kie-server web descriptor security constraint:
{code:title=web.xml}
...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>REST web resources</web-resource-name>
    <url-pattern>/services/rest/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server</role-name>
  </auth-constraint>
</security-constraint>
...
{code}
The security constraint should be active for all JAX-RS HTTP methods, EXCEPT the OPTIONS method:
{code:title=web.xml}
...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>REST web resources</web-resource-name>
    <url-pattern>/services/rest/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server</role-name>
  </auth-constraint>
</security-constraint>
...
{code}
Tested with firefox and chrome.
--
This message was sent by Atlassian JIRA
(v7.2.2#72004)
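Added editorial example (not part of the issue report or the Drools project): a small checker that reads `security-constraint` elements from a web.xml and reports which HTTP methods on a URL pattern reach the servlet without authentication. The point it illustrates is the servlet rule behind the proposed fix: once `http-method` elements are listed, every method not listed is uncovered, so enumerating GET/PUT/POST/DELETE exposes OPTIONS as intended but also HEAD, PATCH and TRACE, whereas `http-method-omission` (Servlet 3.0+) covers everything except the omitted method. The three web.xml fragments, the namespace on `web-app` and the set of methods in `ALL_METHODS` are constructed assumptions for the example; the `deny-uncovered-http-methods` handling assumes a Servlet 3.1 container.

```python
import xml.etree.ElementTree as ET

# Methods a servlet container may route to the REST servlet (assumed list for this example).
ALL_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE"})


def _text(el):
    return (el.text or "").strip()


def protected_methods(web_xml):
    """Map each url-pattern to the set of HTTP methods an auth-constraint covers.

    Servlet rules modelled here: no http-method elements means all methods;
    http-method elements restrict coverage to exactly those methods;
    http-method-omission elements cover everything except the omitted ones.
    A security-constraint without an auth-constraint restricts nothing, so it is skipped.
    """
    root = ET.fromstring(web_xml)
    covered = {}
    # "{*}" matches the element in any namespace (or none), so a real web.xml with xmlns works.
    for sc in root.findall("{*}security-constraint"):
        if sc.find("{*}auth-constraint") is None:
            continue
        for wrc in sc.findall("{*}web-resource-collection"):
            listed = {_text(m).upper() for m in wrc.findall("{*}http-method")}
            omitted = {_text(m).upper() for m in wrc.findall("{*}http-method-omission")}
            if listed:
                methods = listed
            elif omitted:
                methods = set(ALL_METHODS) - omitted
            else:
                methods = set(ALL_METHODS)
            for pattern in wrc.findall("{*}url-pattern"):
                covered.setdefault(_text(pattern), set()).update(methods)
    return covered


def unprotected_methods(web_xml):
    """Methods per url-pattern that reach the servlet without authentication.

    With <deny-uncovered-http-methods/> (Servlet 3.1) present, uncovered methods are
    rejected (403) instead of served, so nothing is open; note that this also rejects
    the CORS preflight OPTIONS request, which is what the issue wants to allow.
    """
    root = ET.fromstring(web_xml)
    covered = protected_methods(web_xml)
    if root.find("{*}deny-uncovered-http-methods") is not None:
        return {p: set() for p in covered}
    return {p: set(ALL_METHODS) - m for p, m in covered.items()}


def _web_xml(collection_body):
    """Build a minimal web.xml (constructed for this example) around one collection."""
    return f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST web resources</web-resource-name>
      <url-pattern>/services/rest/*</url-pattern>
      {collection_body}
    </web-resource-collection>
    <auth-constraint>
      <role-name>kie-server</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


# The constraint as shipped: every method covered, so the preflight OPTIONS gets 401.
ORIGINAL = _web_xml("")
# The issue's proposed fix: list only the methods to protect.
LISTED = _web_xml("".join(f"<http-method>{m}</http-method>" for m in ("GET", "PUT", "POST", "DELETE")))
# Alternative: cover all methods except OPTIONS.
OMISSION = _web_xml("<http-method-omission>OPTIONS</http-method-omission>")

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("listed", LISTED), ("omission", OMISSION)):
        print(name, sorted(unprotected_methods(cfg)["/services/rest/*"]))
```

Running the script prints an empty set for the shipped descriptor, `HEAD, OPTIONS, PATCH, TRACE` for the enumerated form, and only `OPTIONS` for the omission form; the checker can be pointed at a deployed kie-server's web.xml after the change to confirm that only the preflight method was opened.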