[jboss-jira] [JBoss JIRA] (DROOLS-1350) 401 Unauthorized kie-server rest api preflight call error -> change web.xml security constraints

Kai Jemella (JIRA) issues at jboss.org
Sat Oct 29 04:43:00 EDT 2016


Kai Jemella created DROOLS-1350:
-----------------------------------

             Summary: 401 Unauthorized kie-server rest api preflight call error -> change web.xml security constraints
                 Key: DROOLS-1350
                 URL: https://issues.jboss.org/browse/DROOLS-1350
             Project: Drools
          Issue Type: Bug
          Components: kie server
    Affects Versions: 7.0.0.Beta2
            Reporter: Kai Jemella
            Assignee: Edson Tirelli
         Attachments: kie-server_cors_preflight_401.png


Using the kie-server REST API with a JavaScript framework like angular2 results in a 401 response to the [CORS preflight request (W3C)|https://www.w3.org/TR/cors/#resource-preflight-requests]:

{code}
zone.js:1274 OPTIONS http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/rest/server/containers/quickorder-kie/processes/quickorder/instances 

XMLHttpRequest cannot load http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/rest/server/containers/quickorder-kie/processes/quickorder/instances. Response for preflight has invalid HTTP status code 401
{code}

The CORS response headers are set; this is not the problem:
{code}
# filter references
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Origin:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Methods:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Headers:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Credentials:add

# filter
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Origin:add(header-name=Access-Control-Allow-Origin,header-value="*")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Methods:add(header-name=Access-Control-Allow-Methods,header-value="GET, PUT, POST, OPTIONS, DELETE")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Headers:add \
(header-name=Access-Control-Allow-Headers,header-value="accept, authorization, content-type, x-requested-with, X-KIE-ContentType")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Credentials:add(header-name=Access-Control-Allow-Credentials,header-value="true")

{code}

The problem is caused by the security constraint in the kie-server web descriptor:

{code:title=web.xml}
...
<security-constraint>
    <web-resource-collection>
      <web-resource-name>REST web resources</web-resource-name>
      <url-pattern>/services/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>kie-server</role-name>
    </auth-constraint>
</security-constraint>
...
{code}

The security constraint should be active for all JAX-RS HTTP methods EXCEPT the OPTIONS method:
{code:title=web.xml}
...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST web resources</web-resource-name>
      <url-pattern>/services/rest/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      <http-method>POST</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>kie-server</role-name>
    </auth-constraint>
  </security-constraint>
...
{code}

Tested with Firefox and Chrome.




--
This message was sent by Atlassian JIRA
(v7.2.2#72004)
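The script below is an added example written for this page, not kie-server or JBoss code. It models the Servlet 3.1 rules for how a web.xml security-constraint covers HTTP methods (http-method, http-method-omission, auth-constraint, deny-uncovered-http-methods) and evaluates three constructed web.xml fragments against the request path from the report: the constraint as shipped (every verb needs the kie-server role, so the OPTIONS preflight gets 401), the enumerated-method change proposed above, and an alternative that uses http-method-omission. It shows a side effect of the enumerated list that the report does not mention: every verb not listed (HEAD, TRACE, PROPFIND, anything else) becomes unauthenticated too, which is the classic HTTP verb-tampering hole, whereas the omission form exempts only OPTIONS. The fragments, the verb list and the role/path names are constructed for the demonstration.

```python
"""Added example: which verbs does a web.xml <security-constraint> really protect?
Implements the Servlet 3.1 coverage and auth-constraint combination rules
(section 13.8) for constructed web.xml fragments; not kie-server code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Collection:
    patterns: List[str]
    methods: Set[str]          # non-empty: only these verbs are covered
    omitted: Set[str]          # with empty methods: every verb except these
    roles: Optional[Set[str]]  # None: no <auth-constraint> => public
    deny_all: bool             # empty <auth-constraint/> => nobody


def parse(web_xml: str):
    """Return (collections, deny_uncovered); handles namespaced and plain web.xml."""
    root = ET.fromstring(web_xml)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    deny_uncovered = root.find(ns + "deny-uncovered-http-methods") is not None
    cols = []
    for sc in root.findall(ns + "security-constraint"):
        ac = sc.find(ns + "auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall(ns + "role-name")}
        for wrc in sc.findall(ns + "web-resource-collection"):
            cols.append(Collection(
                [p.text.strip() for p in wrc.findall(ns + "url-pattern")],
                {m.text.strip().upper() for m in wrc.findall(ns + "http-method")},
                {m.text.strip().upper() for m in wrc.findall(ns + "http-method-omission")},
                roles, roles is not None and not roles))
    return cols, deny_uncovered


def matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching: exact, '/prefix/*', '*.ext', default '/'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def decide(web_xml: str, path: str, method: str) -> str:
    """'open', 'denied', 'denied (uncovered)' or 'roles:<r1,r2>' for path+verb."""
    cols, deny_uncovered = parse(web_xml)
    m = method.upper()
    matching = [c for c in cols if any(matches(p, path) for p in c.patterns)]
    hits = [c for c in matching if (m in c.methods if c.methods else m not in c.omitted)]
    if not hits:  # verb not covered by any constraint on this path
        return "denied (uncovered)" if matching and deny_uncovered else "open"
    if any(c.deny_all for c in hits):        # empty <auth-constraint/> overrides all
        return "denied"
    if any(c.roles is None for c in hits):   # missing <auth-constraint> => public
        return "open"
    return "roles:" + ",".join(sorted(set().union(*(c.roles for c in hits))))


# Constructed fragments (no namespace, for brevity).
CURRENT_XML = """<web-app><security-constraint>
  <web-resource-collection><web-resource-name>REST</web-resource-name>
    <url-pattern>/services/rest/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>kie-server</role-name></auth-constraint>
</security-constraint></web-app>"""

PROPOSED_XML = """<web-app><security-constraint>
  <web-resource-collection><web-resource-name>REST</web-resource-name>
    <url-pattern>/services/rest/*</url-pattern>
    <http-method>GET</http-method><http-method>PUT</http-method>
    <http-method>POST</http-method><http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>kie-server</role-name></auth-constraint>
</security-constraint></web-app>"""

HARDENED_XML = """<web-app>
<security-constraint>
  <web-resource-collection><web-resource-name>REST</web-resource-name>
    <url-pattern>/services/rest/*</url-pattern>
    <http-method-omission>OPTIONS</http-method-omission>
  </web-resource-collection>
  <auth-constraint><role-name>kie-server</role-name></auth-constraint>
</security-constraint>
<security-constraint>  <!-- preflight explicitly public: no auth-constraint -->
  <web-resource-collection><web-resource-name>REST preflight</web-resource-name>
    <url-pattern>/services/rest/*</url-pattern>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
</security-constraint>
<deny-uncovered-http-methods/>
</web-app>"""

PATH = "/services/rest/server/containers/quickorder-kie/processes/quickorder/instances"
VERBS = ["OPTIONS", "GET", "HEAD", "TRACE", "PROPFIND"]


def report(web_xml: str) -> dict:
    return {v: decide(web_xml, PATH, v) for v in VERBS}


if __name__ == "__main__":
    for name, xml in (("current", CURRENT_XML), ("proposed", PROPOSED_XML), ("hardened", HARDENED_XML)):
        print(name, report(xml))
```

Whichever form is chosen, the handler that answers OPTIONS behind the exemption now runs unauthenticated, so it should return only the CORS headers and an empty body. The hardened fragment also shows a trap with deny-uncovered-http-methods: an omitted verb counts as uncovered, so the preflight must be named in its own public constraint or the container denies it outright.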