Bug
Resolution: Done
Major
7.0.0.Beta2
None
NEW
NEW
Using the kie-server REST API with a JavaScript framework like Angular 2 results in a 401 response to the W3C CORS preflight request:
zone.js:1274 OPTIONS http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/rest/server/containers/quickorder-kie/processes/quickorder/instances
XMLHttpRequest cannot load http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/rest/server/containers/quickorder-kie/processes/quickorder/instances. Response for preflight has invalid HTTP status code 401
The CORS response headers are set, so this is not the problem:
# filter references
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Origin:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Methods:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Headers:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Credentials:add
# filter
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Origin:add(header-name=Access-Control-Allow-Origin,header-value="*")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Methods:add(header-name=Access-Control-Allow-Methods,header-value="GET, PUT, POST, OPTIONS, DELETE")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Headers:add \
  (header-name=Access-Control-Allow-Headers,header-value="accept, authorization, content-type, x-requested-with, X-KIE-ContentType")
/subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Credentials:add(header-name=Access-Control-Allow-Credentials,header-value="true")
The problem is caused by the security constraint in the kie-server web descriptor:
web.xml
...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>REST web resources</web-resource-name>
    <url-pattern>/services/rest/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server</role-name>
  </auth-constraint>
</security-constraint>
...
The security constraint should be active for all JAX-RS HTTP methods except the OPTIONS method:
web.xml
...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>REST web resources</web-resource-name>
    <url-pattern>/services/rest/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server</role-name>
  </auth-constraint>
</security-constraint>
...
Tested with Firefox and Chrome.
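Under the Servlet specification, a web-resource-collection that lists http-method elements constrains only those methods, so every method not listed is served without authentication. The following check is an added example, not part of the original report or of kie-server: it parses a web.xml and reports which methods stay unauthenticated for the REST url-pattern. The function names, the KNOWN_METHODS set and the trimmed sample descriptors are assumptions made for the example, and the third sample is a constructed variant using the Servlet 3.0 http-method-omission element.

```python
import xml.etree.ElementTree as ET

# Reference set of methods to audit (assumption for this example).
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE"}

def children(elem, name):
    """Direct children called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def texts(elem, name):
    return {(c.text or "").strip() for c in children(elem, name)}

def uncovered_methods(web_xml, url_pattern):
    """Methods that no auth-constraint covers for an exact url-pattern."""
    covered = set()
    for sc in children(ET.fromstring(web_xml), "security-constraint"):
        if not children(sc, "auth-constraint"):
            continue  # no auth-constraint: this constraint does not require login
        for wrc in children(sc, "web-resource-collection"):
            if url_pattern not in texts(wrc, "url-pattern"):
                continue
            listed = texts(wrc, "http-method")
            omitted = texts(wrc, "http-method-omission")
            if listed:        # only the listed methods are constrained
                covered |= listed
            elif omitted:     # everything except the omitted methods
                covered |= KNOWN_METHODS - omitted
            else:             # no method elements: all methods constrained
                covered |= KNOWN_METHODS
    return sorted(KNOWN_METHODS - covered)

def descriptor(method_elements):
    """Constructed, trimmed web.xml around the constraint shown in the report."""
    return ("<web-app><security-constraint><web-resource-collection>"
            "<web-resource-name>REST web resources</web-resource-name>"
            "<url-pattern>/services/rest/*</url-pattern>" + method_elements +
            "</web-resource-collection><auth-constraint>"
            "<role-name>kie-server</role-name></auth-constraint>"
            "</security-constraint></web-app>")

ORIGINAL = descriptor("")
PROPOSED = descriptor("".join(f"<http-method>{m}</http-method>"
                              for m in ("GET", "PUT", "POST", "DELETE")))
OMISSION = descriptor("<http-method-omission>OPTIONS</http-method-omission>")

if __name__ == "__main__":
    for name, xml in (("original", ORIGINAL), ("proposed", PROPOSED), ("omission", OMISSION)):
        print(name, uncovered_methods(xml, "/services/rest/*"))
```

With the four-method list, HEAD, PATCH and TRACE are left unauthenticated along with OPTIONS; the omission form exempts only OPTIONS. Servlet 3.1 containers also accept deny-uncovered-http-methods in web.xml to reject uncovered methods outright.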