[keycloak-user] Enabling a public rest service
Juan Diego
juandiego83 at gmail.com
Thu Dec 8 19:48:57 EST 2016
Hi,
Maybe I am looking at this the wrong way. I have 2 web pages on separate
domains. One page is public, so you don't need to log in, and the other is
private and you need a user and a password.
Both should connect to my REST API.
I am using Java and WildFly 10 for my back end, and AngularJS for my
frontend. In my private web page I don't have any problems connecting to my
backend.
In my public page I am getting a CORS error, and I kind of know why it happens,
but I do not know how to solve it.
I created this in my web.xml:
I created this in my web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>ramonapublic</web-resource-name>
<url-pattern>/listaPublica</url-pattern>
<url-pattern>/listaPublica/*</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>ramona</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>usuarios</role-name>
</auth-constraint>
</security-constraint>
ramonapublic is the public REST service. If I use curl I have no problem; with

curl http://ramona.localdomain:8080/ramona-backend/listaPublica -X POST -H 'Origin: http://ramonaclient.localdomain'

I get this:
[{"codigo":1006,"titulo":"Avengers2.mp4","paths3":"archivos/1006/","nombreArchivo":"Avengers2.mp4","tamano":13977910,"bitrate":null,"duracion":null,"hash":null,"mimeType":"video/mp4","fechaSubida":1480518881829,"tipoArchivo":
..............
If I use Firefox or Chrome I get this:
XMLHttpRequest cannot load http://localhost:8080/ramona-backend/listaPublica.
No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://ramonaclient.localdomain' is therefore not allowed
access.
From what I can tell, the browsers are blocking the response because there
is no Access-Control header. (This only happens with my public page; my private
page with Keycloak works perfectly.)
So from what I can tell, listaPublica is being called in the backend,
but because it is a public security constraint that is not using Keycloak's
tokens, it is not getting a proper header.
If I add this to my JaxRsActivator (class declaration and imports added here; the
@ApplicationPath value is assumed from the URLs quoted above):

import java.util.HashSet;
import java.util.Set;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.jboss.resteasy.plugins.interceptors.CorsFilter;

@ApplicationPath("/")
public class JaxRsActivator extends Application {
    private Set<Object> singletons = new HashSet<Object>();
    private Set<Class<?>> classes = new HashSet<Class<?>>();

    public JaxRsActivator() {
        // no instance is created, just the class is listed
        classes.add(PublicPlaylistRest.class);
        // RESTEasy's CorsFilter is registered as a singleton provider and
        // therefore applies to every resource of this Application
        CorsFilter corsFilter = new CorsFilter();
        corsFilter.getAllowedOrigins().add("http://ramonaclient.localdomain");
        corsFilter.setAllowedHeaders("Content-Type");
        singletons.add(corsFilter);
    }

    @Override
    public Set<Class<?>> getClasses() {
        return classes;
    }

    @Override
    public Set<Object> getSingletons() {
        return singletons;
    }
}
It works on the public side, but it messes up the headers on the private
side, so I cannot use this. It interferes with Keycloak's own CORS handling.