On 9/9/2014 5:47 PM, Marek Posolda wrote:
Hi,
I am sorry not to have helped more with the release, as I needed to work
especially on some portal-related stuff in the last weeks (hopefully it's gone
now)...
Found a couple of things:
* AccountService is actually broken for me in Chrome due to the latest CSRF
stuff. In FF it works fine, but in Chrome I can't update account or
password. For some reason Chrome is always adding the "Origin" header to the
update requests (even if they are not ajax requests). So the newly added
condition for CSRF in AccountService.init will always fail. I have
Chrome 37.0.2062.94 (64-bit).
Ok, I thought Origin header wasn't supposed to be sent with Browser
requests. I can probably fix this by allowing same origin.
* ServerInfo request (http://localhost:8080/auth/admin/serverinfo) is
not available with CORS. I've created JIRA
https://issues.jboss.org/browse/KEYCLOAK-670 and sent PR
https://github.com/keycloak/keycloak/pull/683 for this, which is adding
authentication for ServerInfoAdminResource and then it uses allowOrigins
from the authenticated bearer token. Admin console is already using
bearer token for sending ServerInfo requests, so no changes are needed
here. I believe that ServerInfoAdminResource should be authenticated
(don't know why stuff like available social providers or themes should
be publicly available). Let me know if you are seeing issues with it. I did
not merge the PR so far as the version in master is already changed to 1.0-Final,
so not sure what the state of the release is.
Merge it.
* Realm public resource (http://localhost:8080/auth/realms/master) is
also not available for CORS requests. Not sure if this is an issue or
not? Thing is that unauthenticated requests can't use CORS at this
moment as I don't know what allowedOrigins to use. Only option is to
allow it for all allowedOrigins (send same "Access-Control-Allow-Origin"
as original value of "Origin" header from the request).
* There is still quite a lot of INFO logging. For example, when I send a
product request from the cors-demo example I have 6 new INFO messages in the
log (mainly from the org.keycloak.adapters package).
Ping me on your status tomorrow (Wednesday). I'll complete whatever you
don't finish above.
Thanks.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
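
The "allow same origin" fix proposed in the reply above, sketched as an added example (not Keycloak's code and not code from this thread). The class and method names are hypothetical, `rejectAnyOrigin` only models the failure reported for Chrome, and the server's own origin is assumed to be derivable from the request URI.

```java
import java.net.URI;

public class OriginCheck {
    // Models the reported behaviour: any request carrying an Origin header fails.
    static boolean rejectAnyOrigin(String originHeader) {
        return originHeader == null;
    }

    // Same-origin variant: a present Origin must match the server's own
    // scheme, host and port; an absent Origin passes this particular check.
    static boolean allowSameOrigin(String originHeader, URI requestUri) {
        if (originHeader == null) {
            return true; // browser sent no Origin (the Firefox case in the thread)
        }
        URI origin;
        try {
            origin = URI.create(originHeader.trim());
        } catch (IllegalArgumentException e) {
            return false; // unparseable header value
        }
        if (origin.getScheme() == null || origin.getHost() == null) {
            return false; // also covers the literal "null" origin
        }
        return origin.getScheme().equalsIgnoreCase(requestUri.getScheme())
                && origin.getHost().equalsIgnoreCase(requestUri.getHost())
                && port(origin) == port(requestUri);
    }

    // Origin omits default ports, so normalise before comparing.
    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        // Request URL taken from the thread; the Origin values are constructed samples.
        URI req = URI.create("http://localhost:8080/auth/realms/master");
        String[] origins = { null, "http://localhost:8080", "http://localhost:8081",
                             "http://other.example", "null" };
        for (String o : origins) {
            System.out.printf("Origin=%-24s rejectAny=%-5b sameOrigin=%b%n",
                    o, rejectAnyOrigin(o), allowSameOrigin(o, req));
        }
    }
}
```

Only the first two samples pass the same-origin check, while the reject-any check passes only the request with no Origin header. Behind a reverse proxy the request URI may not reflect the externally visible origin, so the comparison value would have to come from configuration instead.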