DROOLS-1350

401 Unauthorized kie-server REST API preflight call error -> change web.xml security constraints


      Using the kie-server REST API with a JavaScript framework like Angular 2 results in a 401 response to the W3C CORS preflight request:

      zone.js:1274 OPTIONS http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/rest/server/containers/quickorder-kie/processes/quickorder/instances 
      
      XMLHttpRequest cannot load http://my-kie-server1-default.192.168.42.25.xip.io/kie-server/services/rest/server/containers/quickorder-kie/processes/quickorder/instances. Response for preflight has invalid HTTP status code 401
      

      The CORS response headers are set; this is not the problem:

      # filter references
      /subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Origin:add
      /subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Methods:add
      /subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Headers:add
      /subsystem=undertow/server=default-server/host=default-host/filter-ref=Access-Control-Allow-Credentials:add
      
      # filter
      /subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Origin:add(header-name=Access-Control-Allow-Origin,header-value="*")
      /subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Methods:add(header-name=Access-Control-Allow-Methods,header-value="GET, PUT, POST, OPTIONS, DELETE")
      /subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Headers:add \
      (header-name=Access-Control-Allow-Headers,header-value="accept, authorization, content-type, x-requested-with, X-KIE-ContentType")
      /subsystem=undertow/configuration=filter/response-header=Access-Control-Allow-Credentials:add(header-name=Access-Control-Allow-Credentials,header-value="true")
      
      

      The problem is caused by the security constraint in the kie-server web descriptor:

      web.xml
      ...
      <security-constraint>
          <web-resource-collection>
            <web-resource-name>REST web resources</web-resource-name>
            <url-pattern>/services/rest/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>kie-server</role-name>
          </auth-constraint>
      </security-constraint>
      ...
      

      The security constraint should be active for all JAX-RS HTTP methods except the OPTIONS method:

      web.xml
      ...
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>REST web resources</web-resource-name>
            <url-pattern>/services/rest/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>POST</http-method>
            <http-method>DELETE</http-method>
          </web-resource-collection>
          <auth-constraint>
            <role-name>kie-server</role-name>
          </auth-constraint>
        </security-constraint>
      ...
      

      Tested with Firefox and Chrome.

            swiderski.maciej Maciej Swiderski (Inactive)
            kjemella_jira Kai Jemella (Inactive)
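An alternative form of the constraint proposed in the issue, added here as an example and not taken from the issue or from the kie-server project. It assumes a Servlet 3.0 or later container; the URL pattern and role name are copied from the issue. Listing methods with `<http-method>` protects only the listed ones, so any method not in the list (for example HEAD, PATCH or TRACE) is left without an auth constraint. `<http-method-omission>` inverts this: every method requires the role except the one omitted.

```xml
<!-- Added example: web.xml fragment, not the project's own descriptor. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>REST web resources</web-resource-name>
    <url-pattern>/services/rest/*</url-pattern>
    <!--
      The constraint applies to every HTTP method EXCEPT OPTIONS.
      The browser's CORS preflight (an OPTIONS request sent without
      credentials) is therefore not challenged with 401, while GET, PUT,
      POST, DELETE and any method not named in the issue's list
      (HEAD, PATCH, TRACE, ...) still require the kie-server role.
    -->
    <http-method-omission>OPTIONS</http-method-omission>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server</role-name>
  </auth-constraint>
</security-constraint>
```

With either form, OPTIONS requests under `/services/rest/*` are answered without authentication, so the resource classes behind that path should return nothing sensitive for OPTIONS.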