[jboss-jira] [JBoss JIRA] (DROOLS-1350) 401 Unauthorized kie-server rest api preflight call error -> change web.xml security constraints

Kai Jemella (JIRA) issues at jboss.org
Sat Oct 29 04:45:00 EDT 2016


     [ https://issues.jboss.org/browse/DROOLS-1350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kai Jemella updated DROOLS-1350:
--------------------------------
    Description: 
Using the kie-server REST API with a JavaScript framework like Angular 2 results in a [CORS Preflight W3C|https://www.w3.org/TR/cors/#resource-preflight-requests] response of 401:

{code}
zone.js:1274 OPTIONS http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/rest/server/containers/quickorder-kie/processes/quickorder/instances 

XMLHttpRequest cannot load http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/rest/server/containers/quickorder-kie/processes/quickorder/instances. Response for preflight has invalid HTTP status code 401
{code}

CORS response headers are set; this is not the problem:
{code:title=jboss-cli}
# filter references
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Origin:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Methods:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Headers:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Credentials:add

# filter
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Origin:add(header-name=Access-Control-Allow-Origin,header-value="*")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Methods:add(header-name=Access-Control-Allow-Methods,header-value="GET, PUT, POST, OPTIONS, DELETE")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Headers:add \
(header-name=Access-Control-Allow-Headers,header-value="accept, authorization, content-type, x-requested-with, X-KIE-ContentType")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Credentials:add(header-name=Access-Control-Allow-Credentials,header-value="true")

{code}
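The browser-side half of the exchange above, as an added example that is not part of the ticket, kie-server or Undertow: it replays the checks a browser applies to a preflight response (the status must be 2xx, the Origin must be allowed, the requested method and headers must be listed, and a wildcard Access-Control-Allow-Origin is refused when the request is made with credentials). The header values are the ones from the Undertow filters above; the client origin, the request headers and the scenario names are constructed. Besides reproducing the ticket's 401 failure, it shows a caveat of the "*" plus "Allow-Credentials: true" configuration: it works for a plain Authorization header, but a client that sets withCredentials is refused by the browser even after the 401 is fixed.

```python
"""Browser-side CORS preflight validation, modelled in Python (added example)."""

# Header values as configured by the Undertow response-header filters in the ticket.
UNDERTOW_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET, PUT, POST, OPTIONS, DELETE",
    "Access-Control-Allow-Headers": "accept, authorization, content-type, "
                                    "x-requested-with, X-KIE-ContentType",
    "Access-Control-Allow-Credentials": "true",
}

# CORS-safelisted methods and headers pass without being listed (simplification:
# the value-dependent safelisting of Content-Type is not modelled).
SAFE_METHODS = {"get", "head", "post"}
SAFE_HEADERS = {"accept", "accept-language", "content-language"}


def _csv(value):
    """Split a comma-separated header value into a lower-cased set."""
    return {v.strip().lower() for v in value.split(",") if v.strip()}


def preflight_check(status, headers, origin, method, request_headers, credentials):
    """Return (allowed, reason) for a preflight response, in the order a browser checks."""
    if not 200 <= status < 300:
        # The ticket's failure: the security constraint answers OPTIONS with 401.
        return False, f"preflight returned status {status}"
    h = {k.lower(): v for k, v in headers.items()}
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        return False, "no Access-Control-Allow-Origin header"
    if credentials:
        if allow_origin == "*":
            return False, "wildcard Access-Control-Allow-Origin not allowed with credentials"
        if h.get("access-control-allow-credentials", "").strip().lower() != "true":
            return False, "credentials sent but Access-Control-Allow-Credentials is not true"
    if allow_origin not in ("*", origin):
        return False, f"origin {origin} not allowed"
    methods = _csv(h.get("access-control-allow-methods", ""))
    m = method.lower()
    if m not in methods and m not in SAFE_METHODS and not ("*" in methods and not credentials):
        return False, f"method {method} not allowed"
    allowed = _csv(h.get("access-control-allow-headers", ""))
    for name in request_headers:
        n = name.lower()
        if n not in allowed and n not in SAFE_HEADERS and not ("*" in allowed and not credentials):
            return False, f"request header {name} not allowed"
    return True, "ok"


def ticket_scenarios():
    """Run the constructed scenarios; returns {name: (allowed, reason)}."""
    origin = "http://localhost:4200"                      # constructed client origin
    req_headers = ["authorization", "content-type", "X-KIE-ContentType"]
    reflected = dict(UNDERTOW_HEADERS, **{"Access-Control-Allow-Origin": origin})
    return {
        # The ticket: OPTIONS hits the security constraint and gets 401.
        "preflight_401": preflight_check(401, UNDERTOW_HEADERS, origin, "POST", req_headers, False),
        # OPTIONS exempted from the constraint; plain Authorization header, no withCredentials.
        "fixed_no_credentials": preflight_check(200, UNDERTOW_HEADERS, origin, "POST", req_headers, False),
        # Same, but the client sets withCredentials: "*" is refused by the browser.
        "fixed_with_credentials": preflight_check(200, UNDERTOW_HEADERS, origin, "POST", req_headers, True),
        # Reflecting an allow-listed origin instead of "*" satisfies the credentialed case.
        "reflected_origin": preflight_check(200, reflected, origin, "POST", req_headers, True),
        # A method outside the configured list is refused even with a 200.
        "patch_not_listed": preflight_check(200, reflected, origin, "PATCH", req_headers, True),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in ticket_scenarios().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'BLOCK':5s} {reason}")
```

The "reflected_origin" scenario stands in for whatever origin allow-list the deployment uses; echoing an arbitrary Origin back unchanged would be equivalent to "*" and is not what it demonstrates.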

The problem is caused by the kie-server web descriptor's security constraint:

{code:title=web.xml}
...
<security-constraint>
    <web-resource-collection>
      <web-resource-name>REST web resources</web-resource-name>
      <url-pattern>/services/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>kie-server</role-name>
    </auth-constraint>
</security-constraint>
...
{code}

The security constraint should be active for all JAX-RS HTTP methods except the OPTIONS method:
{code:title=web.xml}
...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST web resources</web-resource-name>
      <url-pattern>/services/rest/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      <http-method>POST</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>kie-server</role-name>
    </auth-constraint>
  </security-constraint>
...
{code}

Tested with Firefox and Chrome.
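An added example, not kie-server code and not part of the ticket, that models the Servlet 3.1 rules for combining security constraints and applies them to three constructed web.xml fragments: the enumerated-method constraint proposed above, the same intent written with <http-method-omission> (available since Servlet 3.0), and the enumerated form plus <deny-uncovered-http-methods/> (Servlet 3.1). The point it makes is the one a reviewer of the proposed descriptor would raise: listing GET, PUT, POST and DELETE protects only those four, so HEAD, PATCH and TRACE on /services/rest/* become uncovered and reach the resources unauthenticated, whereas omitting OPTIONS keeps every other method behind the kie-server role. The request path and the method list are constructed; the model combines all constraints whose url-pattern matches the path and does not implement best-match ranking between different patterns.

```python
"""Which HTTP methods does a web.xml security-constraint leave unauthenticated? (added example)"""
import xml.etree.ElementTree as ET

ALL_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE")
REST_PATH = "/services/rest/server/containers"   # constructed request path

# Constructed from the ticket's proposal: only the four listed methods are protected.
ENUMERATED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST web resources</web-resource-name>
      <url-pattern>/services/rest/*</url-pattern>
      <http-method>GET</http-method><http-method>PUT</http-method>
      <http-method>POST</http-method><http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>kie-server</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Same intent, protecting every method except OPTIONS (Servlet 3.0+).
OMISSION = ENUMERATED.replace(
    "<http-method>GET</http-method><http-method>PUT</http-method>\n"
    "      <http-method>POST</http-method><http-method>DELETE</http-method>",
    "<http-method-omission>OPTIONS</http-method-omission>")

# Enumerated form, but uncovered methods are denied instead of permitted (Servlet 3.1).
ENUMERATED_DENY = ENUMERATED.replace("<web-app>", "<web-app>\n  <deny-uncovered-http-methods/>")


def url_matches(pattern, path):
    """Servlet url-pattern matching: default, path-prefix (/x/*), extension (*.x), exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def decide(web_xml, method, path):
    """Return 'permit', 'deny' or 'auth:<roles>' for one method/path pair."""
    root = ET.fromstring(web_xml.strip())
    for el in root.iter():                       # drop the javaee namespace if present
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    deny_uncovered = root.find("deny-uncovered-http-methods") is not None
    method = method.upper()
    path_matched = covered = permit_all = deny_all = False
    roles = set()
    for sc in root.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            if not any(url_matches(p.text.strip(), path) for p in wrc.findall("url-pattern")):
                continue
            path_matched = True
            listed = {m.text.strip().upper() for m in wrc.findall("http-method")}
            omitted = {m.text.strip().upper() for m in wrc.findall("http-method-omission")}
            if (listed and method not in listed) or (omitted and method in omitted):
                continue                         # this collection does not cover the method
            covered = True
            ac = sc.find("auth-constraint")
            names = [] if ac is None else [r.text.strip() for r in ac.findall("role-name")]
            if ac is None:
                permit_all = True                # no auth-constraint: open to everyone
            elif not names:
                deny_all = True                  # empty auth-constraint: nobody may access
            else:
                roles.update(names)
    if deny_all:
        return "deny"
    if covered:
        return "permit" if permit_all else "auth:" + ",".join(sorted(roles))
    if path_matched and deny_uncovered:
        return "deny"                            # uncovered method, Servlet 3.1 safety net
    return "permit"                              # unconstrained path, or uncovered method


def unauthenticated_methods(web_xml, path=REST_PATH):
    """Methods a caller can use on `path` without any credentials."""
    return [m for m in ALL_METHODS if decide(web_xml, m, path) == "permit"]


if __name__ == "__main__":
    for label, descriptor in (("enumerated", ENUMERATED), ("omission", OMISSION),
                              ("enumerated+deny-uncovered", ENUMERATED_DENY)):
        print(f"{label:28s} unauthenticated: {unauthenticated_methods(descriptor)}")
```

Run stand-alone it reports HEAD, OPTIONS, PATCH and TRACE as unauthenticated for the enumerated descriptor, only OPTIONS for the omission form, and nothing for the enumerated form with deny-uncovered-http-methods; on a real descriptor the same functions can be pointed at the deployed web.xml to check the result before shipping it.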


  was:

Using the kie-server REST API with a javascript framework like angular2 results in a [CORS Preflight W3C|https://www.w3.org/TR/cors/#resource-preflight-requests] response 401 :

{code}
zone.js:1274 OPTIONS http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/rest/server/containers/quickorder-kie/processes/quickorder/instances 

XMLHttpRequest cannot load http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/rest/server/containers/quickorder-kie/processes/quickorder/instances. Response for preflight has invalid HTTP status code 401
{code}

CORS Response Header are set, this is not the problem:
{code:xml}
# filter references
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Origin:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Methods:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Headers:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Credentials:add

# filter
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Origin:add(header-name=Access-Control-Allow-Origin,header-value="*")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Methods:add(header-name=Access-Control-Allow-Methods,header-value="GET, PUT, POST, OPTIONS, DELETE")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Headers:add \
(header-name=Access-Control-Allow-Headers,header-value="accept, authorization, content-type, x-requested-with, X-KIE-ContentType")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Credentials:add(header-name=Access-Control-Allow-Credentials,header-value="true")

{code}

The problem occurs by the kie-server web descriptor security constraint:

{code:title=web.xml}
...
<security-constraint>
    <web-resource-collection>
      <web-resource-name>REST web resources</web-resource-name>
      <url-pattern>/services/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>kie-server</role-name>
    </auth-constraint>
</security-constraint>
...
{code}

The security constraint should be active for all jax-rs HTTP methods, EXPECT the OPTIONS mehtod:
{code:title=web.xml}
...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST web resources</web-resource-name>
      <url-pattern>/services/rest/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      <http-method>POST</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>kie-server</role-name>
    </auth-constraint>
  </security-constraint>
...
{code}

Tested with firefox and chrome.




> 401 Unauthorized kie-server rest api preflight call error -> change web.xml security constraints
> ------------------------------------------------------------------------------------------------
>
>                 Key: DROOLS-1350
>                 URL: https://issues.jboss.org/browse/DROOLS-1350
>             Project: Drools
>          Issue Type: Bug
>          Components: kie server
>    Affects Versions: 7.0.0.Beta2
>            Reporter: Kai Jemella
>            Assignee: Edson Tirelli
>         Attachments: kie-server_cors_preflight_401.png
>



--
This message was sent by Atlassian JIRA
(v7.2.2#72004)

