[jboss-jira] [JBoss JIRA] (DROOLS-1350) 401 Unauthorized kie-server rest api preflight call error -> change web.xml security constraints
Edson Tirelli (JIRA)
issues at jboss.org
Sat Oct 29 23:44:00 EDT 2016
[ https://issues.jboss.org/browse/DROOLS-1350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Edson Tirelli reassigned DROOLS-1350:
-------------------------------------
Assignee: Maciej Swiderski (was: Edson Tirelli)
> 401 Unauthorized kie-server rest api preflight call error -> change web.xml security constraints
> ------------------------------------------------------------------------------------------------
>
> Key: DROOLS-1350
> URL: https://issues.jboss.org/browse/DROOLS-1350
> Project: Drools
> Issue Type: Bug
> Components: kie server
> Affects Versions: 7.0.0.Beta2
> Reporter: Kai Jemella
> Assignee: Maciej Swiderski
> Attachments: kie-server_cors_preflight_401.png
>
>
> Using the kie-server REST API from a JavaScript framework like angular2 results in a 401 response to the [CORS Preflight W3C|https://www.w3.org/TR/cors/#resource-preflight-requests] request:
> {code}
> zone.js:1274 OPTIONS http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/rest/server/containers/quickorder-kie/processes/quickorder/instances
> XMLHttpRequest cannot load http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/rest/server/containers/quickorder-kie/processes/quickorder/instances. Response for preflight has invalid HTTP status code 401
> {code}
> The CORS response headers are set, so that is not the problem:
> {code:title=jboss-cli}
> # filter references
> /subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Origin:add
> /subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Methods:add
> /subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Headers:add
> /subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Credentials:add
> # filter
> /subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Origin:add(header-name=Access-Control-Allow-Origin,header-value="*")
> /subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Methods:add(header-name=Access-Control-Allow-Methods,header-value="GET, PUT, POST, OPTIONS, DELETE")
> /subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Headers:add \
> (header-name=Access-Control-Allow-Headers,header-value="accept, authorization, content-type, x-requested-with, X-KIE-ContentType")
> /subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Credentials:add(header-name=Access-Control-Allow-Credentials,header-value="true")
> {code}
> The problem is caused by the security constraint in the kie-server web descriptor:
> {code:title=web.xml}
> ...
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>REST web resources</web-resource-name>
> <url-pattern>/services/rest/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>kie-server</role-name>
> </auth-constraint>
> </security-constraint>
> ...
> {code}
> The security constraint should apply to all JAX-RS HTTP methods except OPTIONS:
> {code:title=web.xml}
> ...
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>REST web resources</web-resource-name>
> <url-pattern>/services/rest/*</url-pattern>
> <http-method>GET</http-method>
> <http-method>PUT</http-method>
> <http-method>POST</http-method>
> <http-method>DELETE</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>kie-server</role-name>
> </auth-constraint>
> </security-constraint>
> ...
> {code}
> Tested with Firefox and Chrome.
--
This message was sent by Atlassian JIRA
(v7.2.2#72004)
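Added example, not part of the report and not kie-server code: a small audit that parses a web.xml and reports which HTTP methods on a given url-pattern are left without an auth-constraint. It applies the Servlet 3.0 rules (no method elements: every method constrained; <http-method> list: only the listed ones; <http-method-omission> list: everything except the listed ones) to three constructed fragments: the shipped constraint, the enumerated-method proposal from the issue, and an <http-method-omission>OPTIONS</http-method-omission> variant. The fragments carry no XML namespace and url-pattern matching is a plain string comparison; both are simplifications of this example, not container behaviour.

```python
"""Audit which HTTP methods a web.xml <security-constraint> really protects.

Added example, not kie-server code. Servlet 3.0 rules applied per
<web-resource-collection>:
  * no <http-method>/<http-method-omission>  -> every method is constrained
  * <http-method> list                        -> only the listed methods
  * <http-method-omission> list               -> all methods except the listed ones
Assumptions: url-pattern is compared as a plain string (containers do path
matching), and the fragments below are constructed for this example.
"""
import xml.etree.ElementTree as ET

METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "TRACE")


def _local(tag: str) -> str:
    """Strip an XML namespace so a real web.xml (xmlns=...javaee) parses the same."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name: str):
    return [c for c in el if _local(c.tag) == name]


def _texts(el, name: str):
    return {c.text.strip().upper() for c in _children(el, name) if c.text}


def protected_methods(web_xml: str, url_pattern: str) -> dict:
    """Map each method to True if some constraint with an <auth-constraint> covers it."""
    root = ET.fromstring(web_xml)
    covered = {m: False for m in METHODS}
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint" or not _children(sc, "auth-constraint"):
            continue  # without <auth-constraint> the entry grants access, it never restricts
        for wrc in _children(sc, "web-resource-collection"):
            patterns = {p.text.strip() for p in _children(wrc, "url-pattern") if p.text}
            if url_pattern not in patterns:
                continue
            listed = _texts(wrc, "http-method")
            omitted = _texts(wrc, "http-method-omission")
            for m in METHODS:
                if listed:
                    hit = m in listed
                elif omitted:
                    hit = m not in omitted
                else:
                    hit = True
                covered[m] = covered[m] or hit
    return covered


def unprotected_methods(web_xml: str, url_pattern: str) -> list:
    """Methods a client can send to url_pattern without satisfying any auth-constraint."""
    return sorted(m for m, ok in protected_methods(web_xml, url_pattern).items() if not ok)


# Constructed fragments (no namespace, to stay short); only the method lines differ.
_TEMPLATE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST web resources</web-resource-name>
      <url-pattern>/services/rest/*</url-pattern>
      {methods}
    </web-resource-collection>
    <auth-constraint><role-name>kie-server</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Shipped form: no method list, so OPTIONS (the CORS preflight) needs credentials -> 401.
ORIGINAL_WEB_XML = _TEMPLATE.format(methods="")
# Proposal from the issue: enumerate the JAX-RS verbs. Anything not listed is left open.
ENUMERATED_WEB_XML = _TEMPLATE.format(methods="".join(
    f"<http-method>{m}</http-method>" for m in ("GET", "PUT", "POST", "DELETE")))
# Servlet 3.0 alternative: constrain everything except OPTIONS.
OMISSION_WEB_XML = _TEMPLATE.format(
    methods="<http-method-omission>OPTIONS</http-method-omission>")

if __name__ == "__main__":
    for name, xml in (("original", ORIGINAL_WEB_XML), ("enumerated", ENUMERATED_WEB_XML),
                      ("omission", OMISSION_WEB_XML)):
        print(f"{name:10s} unauthenticated methods: "
              f"{unprotected_methods(xml, '/services/rest/*')}")
```

The point of the audit is the middle case: an explicit <http-method> list leaves HEAD, PATCH, TRACE and any other verb unauthenticated on the same path, and JAX-RS runtimes answer a HEAD for which no handler exists by running the GET method and dropping the body, so the enumerated form exposes status codes and headers of otherwise protected GET resources. Omitting only OPTIONS keeps everything else behind the kie-server role. Two caveats remain even then: whatever answers the now-anonymous OPTIONS (container, CORS filter or the JAX-RS runtime) should disclose nothing beyond the CORS headers, and a browser rejects a preflight that combines Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true, so once the 401 is gone a request carrying an Authorization header still needs the concrete origin echoed back instead of the wildcard.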