Hy @ll,
For my current project I use Docker and run each service in its own container, and spread
the services over multiple servers. All connected via REST.
For the security I found Keycloak, and I think it's a really cool tool. But I was never
the best friend of security... JAAS/Spring Security...
My problem is, I'm trying to use the cors example
(https://github.com/keycloak/keycloak/tree/master/examples/cors). I also use AngularJS for
the frontend that consumes multiple REST Services.
But I can't get it to work. I always get the following error:
XMLHttpRequest cannot load
http://162.244.28.89:8080/BrandService/resources/brands/. No
'Access-Control-Allow-Origin' header is present on the requested resource. Origin
'http://162.244.28.89' is therefore not allowed access. The response had HTTP
status code 403.
Google Chrome gives me the following output for the HTTP request:
Remote Address:162.244.28.89:8080
Request URL:http://162.244.28.89:8080/BrandService/resources/brands/
Request Method:GET
Status Code:403 Forbidden
Request Headers
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Authorization:Bearer
eyJhbGciOiJSUzI1NiJ9....ay2Sr-GP0CYfSDV7O2Q8sNyx91RgHdhy2S600NYEHUFG2VoF5cRCDBJpkuPbcXVtz2liMy-80S3KY9lfII
Connection:keep-alive
Host:162.244.28.89:8080
Origin:http://162.244.28.89
Referer:http://162.244.28.89/
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/39.0.2171.99 Safari/537.36
Response Headers
Cache-Control:no-cache, no-store, must-revalidate
Connection:keep-alive
Content-Length:68
Content-Type:text/html;charset=UTF-8
Date:Fri, 23 Jan 2015 19:23:33 GMT
Expires:0
Pragma:no-cache
Server:WildFly/8
X-Powered-By:Undertow/1
What I don't get are the response headers. Shouldn't the following headers be
there:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:origin,accept,content-type
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Origin:*
Access-Control-Max-Age:151200
Allow:HEAD, POST, GET, OPTIONS, PUT
My keycloak.json looks like this:
{
"realm": "openPixx",
"realm-public-key": "...bmwCckE..gWjLQIDAQAB",
"ssl-required": "external",
"resource": "BrandService",
"bearer-only": true,
"cors-max-age" : 1000,
"enable-cors": true,
"cors-allowed-methods" : "POST, PUT, DELETE, GET"
}
In Keycloak I've defined the BrandFrontend:
Enabled: true
Client Protocol: openid-connect
Access Type: public
Redirect URL:
http://162.244.28.89/*
Web Origin:
http://162.244.28.89
For the AngularJS part I've used the authinterceptor from the example.
If you have read this far: thank you very much, and sorry for my bad English :)
Greets
Rob
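Added diagnostic helper for the situation above (example code, not from the post and not from the Keycloak project). It assumes Node.js (it uses Buffer) and two things about the setup: a 403 with no Access-Control-* headers means the adapter refused the request before it ever added CORS headers, and a Keycloak access token carries an `allowed-origins` claim, filled from the client's Web Origins setting, which the bearer-only adapter compares against the browser's Origin header. The helper decodes the token payload without verifying the signature (that is inspection for debugging, never a trust decision), checks whether the page origin appears in `allowed-origins`, and scores a pasted response header block against the CORS headers the post expects. The tokens and the "good" response are constructed; the 403 response is the one from the post.

```javascript
// Added diagnostic helper (not from the original post or the Keycloak project).
// Assumes Node.js (uses Buffer). Two checks for the symptom described above:
//  1. does the bearer token's "allowed-origins" claim list the page origin?
//  2. does a captured response carry the CORS headers the adapter should add?
// All tokens and the "good" response below are constructed sample data.

// Decode the payload segment of a compact JWS. No signature verification: this
// inspects what the token claims for debugging, it is not a trust decision.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Keycloak fills the "allowed-origins" claim from the client's Web Origins and the
// bearer-only adapter compares the request's Origin header against it. Returning an
// object instead of a boolean keeps the reason visible in the console.
function checkAllowedOrigin(token, pageOrigin) {
  const allowed = decodeJwtPayload(token)['allowed-origins'] || [];
  return {
    pageOrigin,
    allowedOrigins: allowed,
    originAllowed: allowed.includes(pageOrigin) || allowed.includes('*'),
  };
}

// Parse a "Header:value" block as Chrome's network panel prints it.
function parseHeaderBlock(text) {
  const headers = {};
  for (const line of text.split('\n')) {
    const idx = line.indexOf(':');
    if (idx < 1) continue; // skip blank lines and titles such as "Response Headers"
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

const EXPECTED_CORS_HEADERS = [
  'access-control-allow-origin',
  'access-control-allow-credentials',
  'access-control-allow-methods',
  'access-control-allow-headers',
];

// Report which expected CORS headers are absent, whether Allow-Origin covers the
// page origin, and flag "*" combined with credentials (browsers reject that pair).
function checkCorsResponse(headerText, pageOrigin) {
  const h = parseHeaderBlock(headerText);
  const allowOrigin = h['access-control-allow-origin'];
  return {
    missing: EXPECTED_CORS_HEADERS.filter((name) => !(name in h)),
    originMatches: allowOrigin === pageOrigin || allowOrigin === '*',
    wildcardWithCredentials: allowOrigin === '*' && h['access-control-allow-credentials'] === 'true',
  };
}

// ---- constructed sample data ----
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
// Unsigned stand-in tokens: header.payload.fake-signature (never accept these anywhere).
const makeSampleToken = (claims) => `${b64url({ alg: 'RS256' })}.${b64url(claims)}.c2ln`;

const PAGE_ORIGIN = 'http://162.244.28.89';
const TOKEN_WITH_ORIGIN = makeSampleToken({ azp: 'BrandFrontend', 'allowed-origins': [PAGE_ORIGIN] });
const TOKEN_WITHOUT_ORIGIN = makeSampleToken({ azp: 'BrandFrontend' });

// The 403 response as pasted in the post: no CORS headers at all.
const RESPONSE_403 = `Cache-Control:no-cache, no-store, must-revalidate
Connection:keep-alive
Content-Length:68
Content-Type:text/html;charset=UTF-8
Server:WildFly/8`;

// What a successful response from the adapter would look like (constructed).
const RESPONSE_OK = `Access-Control-Allow-Origin:${PAGE_ORIGIN}
Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:POST, PUT, DELETE, GET
Access-Control-Allow-Headers:origin,accept,content-type
Content-Type:application/json`;

console.log(checkAllowedOrigin(TOKEN_WITH_ORIGIN, PAGE_ORIGIN));
console.log(checkAllowedOrigin(TOKEN_WITHOUT_ORIGIN, PAGE_ORIGIN));
console.log(checkCorsResponse(RESPONSE_403, PAGE_ORIGIN));
console.log(checkCorsResponse(RESPONSE_OK, PAGE_ORIGIN));
```

To use it against a real capture, paste the Bearer value from the request headers into checkAllowedOrigin with the page's origin, and paste the response header block into checkCorsResponse. If the token's allowed-origins list is empty or lacks the page origin, the token was issued before the Web Origin was configured or for a different client, and the adapter's 403 without CORS headers is the expected reaction; a fresh login after fixing the client settings yields a new token to compare.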