Hy @ll,

 

For my current project I use Docker and run each service in its own container, and spread the services over multiple servers. All connected via REST.

 

For security I found Keycloak, and I think it’s a really cool tool. But I have never been the best friend of security… JAAS/Spring Security…

 

My problem is that I’m trying to use the CORS example (https://github.com/keycloak/keycloak/tree/master/examples/cors). I also use AngularJS for the frontend, which consumes multiple REST services.

But I can’t get it to work. I always get the following error:

XMLHttpRequest cannot load http://162.244.28.89:8080/BrandService/resources/brands/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://162.244.28.89' is therefore not allowed access. The response had HTTP status code 403.

 

Google Chrome gives me the following output for the HTTP request:

Remote Address:162.244.28.89:8080
Request URL:http://162.244.28.89:8080/BrandService/resources/brands/
Request Method:GET
Status Code:403 Forbidden

Request Headers:
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Authorization:Bearer eyJhbGciOiJSUzI1NiJ9….ay2Sr-GP0CYfSDV7O2Q8sNyx91RgHdhy2S600NYEHUFG2VoF5cRCDBJpkuPbcXVtz2liMy-80S3KY9lfII
Connection:keep-alive
Host:162.244.28.89:8080
Origin:http://162.244.28.89
Referer:http://162.244.28.89/
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36

Response Headers:
Cache-Control:no-cache, no-store, must-revalidate
Connection:keep-alive
Content-Length:68
Content-Type:text/html;charset=UTF-8
Date:Fri, 23 Jan 2015 19:23:33 GMT
Expires:0
Pragma:no-cache
Server:WildFly/8
X-Powered-By:Undertow/1


 

What I don’t get is the response headers. Shouldn’t the following headers be there:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:origin,accept,content-type
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Origin:*
Access-Control-Max-Age:151200
Allow:HEAD, POST, GET, OPTIONS, PUT

 

My keycloak.json looks like this:

{
  "realm": "openPixx",
  "realm-public-key": "…bmwCckE..gWjLQIDAQAB",
  "ssl-required": "external",
  "resource": "BrandService",
  "bearer-only": true,
  "cors-max-age" : 1000,
  "enable-cors": true,
  "cors-allowed-methods" : "POST, PUT, DELETE, GET"
}

 

In Keycloak I’ve defined the BrandFrontend:

Enabled: true
Client Protocol: openid-connect
Access Type: public
Redirect URL: http://162.244.28.89/*
Web Origin: http://162.244.28.89

 

For the AngularJS part I’ve used the authinterceptor from the example.

 

If you have read this far: thank you very much, and sorry for my bad English :)

 

Greets

Rob
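Added example (not from the post and not Keycloak's code): a small Python model of the browser-side CORS check that produces the error quoted above, run over the captured request and response. It separates the two things that can fail here: the server answering 403 (a rejection to solve on the Keycloak/adapter side) and the browser refusing to expose a response that carries no matching Access-Control-Allow-Origin header. Because the page is served from http://162.244.28.89 and the API from port 8080, the port difference alone makes every call cross-origin. The Web Origins matching and the sample header blocks are constructed assumptions for illustration; Keycloak's adapter applies its own rules.

```python
from urllib.parse import urlsplit

# Constructed copies of the header blocks shown in the post.
CAPTURED_RESPONSE = """
Cache-Control:no-cache, no-store, must-revalidate
Connection:keep-alive
Content-Length:68
Content-Type:text/html;charset=UTF-8
Server:WildFly/8
X-Powered-By:Undertow/1
"""

EXPECTED_CORS = """
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:origin,accept,content-type
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Origin:*
Access-Control-Max-Age:151200
"""


def parse_headers(raw):
    """Parse 'Name:value' lines (as shown in Chrome's network panel) into a
    dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def origin_of(url):
    """Scheme + host + port, the unit browsers compare for same-origin.
    Default ports are omitted so the result matches the Origin header."""
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}.get(parts.scheme)
    if parts.port is None or parts.port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{parts.port}"


def is_cross_origin(page_url, api_url):
    return origin_of(page_url) != origin_of(api_url)


def browser_verdict(origin, status, response_headers, credentials=False):
    """(allowed, reason) the way a browser decides whether the page may read a
    cross-origin response. The HTTP status does not matter for this check; the
    browser only looks at Access-Control-Allow-Origin (and, with credentials,
    rejects the wildcard)."""
    acao = response_headers.get("access-control-allow-origin")
    if acao is None:
        return False, ("No 'Access-Control-Allow-Origin' header is present; "
                       f"the response had HTTP status code {status}.")
    if acao == "*" and credentials:
        return False, "wildcard origin is not accepted for credentialed requests"
    if acao != "*" and acao != origin:
        return False, f"Access-Control-Allow-Origin is {acao!r}, not {origin!r}"
    return True, "ok"


def web_origin_allows(web_origins, origin):
    """Simplified model (assumption) of a client's Web Origins list: the
    request Origin must equal an entry exactly, or the list contains '*'."""
    return any(w == "*" or w == origin for w in web_origins)


def diagnose(page_url, api_url, status, raw_response, web_origins):
    """Collect findings for one cross-origin call, server side first."""
    findings = []
    origin = origin_of(page_url)
    if not is_cross_origin(page_url, api_url):
        return ["same-origin request: CORS does not apply"]
    findings.append(f"cross-origin: page {origin} -> API {origin_of(api_url)}")
    if status >= 400:
        findings.append(f"server answered {status}: fix that rejection first, "
                        "independently of the browser's CORS check")
    allowed, reason = browser_verdict(origin, status, parse_headers(raw_response))
    if not allowed:
        findings.append("browser blocks the response: " + reason)
    if not web_origin_allows(web_origins, origin):
        findings.append(f"{origin} is not in the client's Web Origins {web_origins}")
    return findings


if __name__ == "__main__":
    for line in diagnose("http://162.244.28.89/",
                         "http://162.244.28.89:8080/BrandService/resources/brands/",
                         403, CAPTURED_RESPONSE, ["http://162.244.28.89"]):
        print("-", line)
```

Run with `python cors_check.py`; the captured exchange yields both findings (the 403 and the missing header), while the expected header block passes the browser check for a plain bearer-token request and fails it only when the XHR is sent with credentials, where `Access-Control-Allow-Origin: *` is not accepted.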