Hi to all,
In my use case I have a typical web application made up of a frontend layer written completely with AngularJS and a REST server layer written with Jersey 2.0.
Till now I made my tests simply securing the REST layer using the web.xml descriptor and registering it as a web application client in the Keycloak realm. The security type was confidential.
Simply invoking a REST service URL, I was redirected to the Keycloak login page where I could insert my credentials and so on....
Now I want to go further... it's the turn of the AngularJS application.
It obviously invokes the REST services and it has to be secured. The Keycloak CORS example shows a use case similar to mine, so I chose to follow it. I realize that it adds a JavaScript adapter to the Angular level without registering the service web application inside the CORS realm.
In the Keycloak guidelines I read that this is not the best way to follow, as securing the application this way loses the confidential data transport between client and server.
By the way... I tried 2 approaches to the problem:
1) Following exactly the CORS example: I added the JS adapter to the AngularJS application; I configured only the client inside my realm as public, and eventually imported keycloak.js. Result: when I run the application I'm redirected to the Keycloak login page; I filled out the form, but after the login I'm blocked by the browser because it doesn't find the access-control-allow-origin header in the get token request. The keycloak.json in the WEB-INF folder of the REST service specifies enabled-cors:true
2) I left the REST layer secured, expecting that at the first Angular REST request I should be redirected to the Keycloak login page. But even in this case the browser blocks me because it misses the access-control-allow-origin header. Even in this case the keycloak.json in the WEB-INF folder of the REST service specifies enabled-cors:true
So where am I wrong?
What is the right approach for securing my web application?
Why does the browser keep blocking my request?
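As an added example (not code from the post above and not Keycloak's own code), a small JavaScript model of the two CORS checks involved in this setup: the token request to the Keycloak server, whose response carries Access-Control-Allow-Origin only when the Origin is listed in the public client's Web Origins in the realm, and the bearer-token call to the Jersey service, where the Java adapter answers CORS when its keycloak.json sets `enable-cors` and the Origin is in the token's allowed-origins claim. Client ids and origins are constructed for illustration.

```javascript
// Added example, not code from the original post: a small model of the two
// CORS checks involved in the setup above. Client ids and origins are constructed.

// Realm side: the public client used by the AngularJS app. Keycloak puts
// Access-Control-Allow-Origin on token-endpoint responses only for Origins
// listed in the client's Web Origins; the REST service's keycloak.json has no
// influence on that response.
const angularClient = {
  clientId: "angular-app",                 // constructed
  publicClient: true,
  webOrigins: ["http://localhost:8080"],   // constructed origin of the Angular app
};

// REST side: keycloak.json of the Jersey service. The adapter option that
// turns on CORS handling is spelled "enable-cors".
const restKeycloakJson = { resource: "rest-service", "bearer-only": true, "enable-cors": true };

// Bearer token minted for angularClient: Keycloak copies the client's Web
// Origins into the token's allowed-origins claim, which the Java adapter
// uses to answer CORS requests on the REST service.
function issueToken(client) {
  return { azp: client.clientId, "allowed-origins": [...client.webOrigins] };
}

// Headers a CORS-aware endpoint sends: an allowed Origin is echoed back,
// any other Origin gets no CORS headers at all.
function corsHeadersFor(allowedOrigins, requestOrigin) {
  const ok = allowedOrigins.includes("*") || allowedOrigins.includes(requestOrigin);
  return ok ? { "Access-Control-Allow-Origin": requestOrigin } : {};
}

// The browser-side check that produced the error in the post: a cross-origin
// response without a matching Access-Control-Allow-Origin is withheld.
function browserAllows(requestOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  return acao === "*" || acao === requestOrigin;
}

// Step 1: the token request goes to the Keycloak server, governed by Web Origins.
function tokenRequestAllowed(client, requestOrigin) {
  return browserAllows(requestOrigin, corsHeadersFor(client.webOrigins, requestOrigin));
}

// Step 2: the REST call carries the bearer token; the adapter answers CORS
// only when enable-cors is set and the Origin is in the token's allowed-origins.
function restRequestAllowed(adapterConfig, token, requestOrigin) {
  const origins = adapterConfig["enable-cors"] ? token["allowed-origins"] : [];
  return browserAllows(requestOrigin, corsHeadersFor(origins, requestOrigin));
}
```

Running the model with an empty Web Origins list reproduces the symptom in approach 1 (token request blocked), and clearing `enable-cors` reproduces a blocked REST call even with a valid token.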