Red Hat Process Automation Manager
RHPAM-2284

CORS support for KIE-SERVER secured by RH SSO


    • Documentation (Ref Guide, User Guide, etc.)
    • https://github.com/jboss-container-images/jboss-eap-modules/blob/c3e80444b1e7f1aa3c5e683d1a170f8d32682dbb/os-eap-sso/added/keycloak.sh#L304 Just add an environment variable to the KIE-SERVER build config: SSO_ENABLE_CORS=true

      1. Create a Red Hat SSO + KIE-SERVER integration environment in OCP.
      2. Create a client in Red Hat SSO for the external application (standard-flow-enabled) in the same realm securing the kie-server.
      3. Clone and download the following project: https://github.com/barhte2019/hiring-app-internal
      4. Edit the Dockerfile to set the KIE-SERVER and RH-SSO endpoints to the external routes available from steps 1 and 2.
      5. Create an image using the Dockerfile and create a container based on that image.
      6. After logging in to the client application resulting from step 5, monitor the JavaScript console in your browser: a CORS error is present.

    • 2020 Week 43-45 (from Oct 19), 2020 Week 46-48 (from Nov 9), 2020 Week 49-51 (from Nov 30)

      When RH-SSO is integrated with KIE-SERVER, the KIE-SERVER container ends up with a standalone-openshift.xml configuration that contains the following section:

      <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
        <realm name="kie-realm">
          <!-- ##KEYCLOAK_PUBLIC_KEY## -->
          <auth-server-url>https://sso-rhsso-sso0.apps-8735.generic.opentlc.com/auth</auth-server-url>
          <register-node-at-startup>true</register-node-at-startup>
          <register-node-period>600</register-node-period>
          <ssl-required>external</ssl-required>
          <disable-trust-manager>true</disable-trust-manager>
          <!-- ##KEYCLOAK_TRUSTSTORE## -->
          <allow-any-hostname>false</allow-any-hostname>
        </realm>
        <secure-deployment name="ROOT.war">
          <realm>kie-realm</realm>
          <resource>kie-server</resource>
          <auth-server-url>https://sso-rhsso-sso0.apps-8735.generic.opentlc.com/auth</auth-server-url>
          <enable-basic-auth>true</enable-basic-auth>
          <credential name="secret">252793ed-7118-4ca8-8dab-5622fa97d892</credential>
          <enable-cors>false</enable-cors>
          <bearer-only>false</bearer-only>
        </secure-deployment>
      </subsystem>

      Note the use of <enable-cors>false</enable-cors>. When a client application sends a request to the kie-server, some browsers first send an "OPTIONS" pre-flight request to check the security configuration. With `false` configured here, the pre-flight response does not include any of the configured web-origins in the "Access-Control-Allow-Origin" header, so the CORS pre-flight fails:

      No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'example://example.ex' is therefore not allowed access.

      To delegate the addition of these headers to Red Hat SSO, <enable-cors>true</enable-cors> must be set in the configuration.
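      As an added example (not code from the issue, the product images or keycloak.sh), the following Python audit parses the keycloak subsystem of a standalone-openshift.xml, reports secure-deployments with CORS disabled, rewrites them to <enable-cors>true</enable-cors>, and applies the browser's pre-flight check to a response header set. The sample XML, hostname and secret are constructed placeholders, not values from a real deployment.

```python
import xml.etree.ElementTree as ET

KC_NS = "urn:jboss:domain:keycloak:1.1"

# Constructed sample modelled on the subsystem quoted in the issue; the
# auth-server-url and credential are placeholders, not real values.
SAMPLE_SUBSYSTEM = f"""<subsystem xmlns="{KC_NS}">
  <realm name="kie-realm">
    <auth-server-url>https://sso.example.invalid/auth</auth-server-url>
  </realm>
  <secure-deployment name="ROOT.war">
    <realm>kie-realm</realm>
    <resource>kie-server</resource>
    <credential name="secret">PLACEHOLDER-SECRET</credential>
    <enable-cors>false</enable-cors>
  </secure-deployment>
</subsystem>"""

def cors_disabled_deployments(xml_text):
    """Names of secure-deployments whose <enable-cors> is not 'true'.
    A missing element counts as disabled (the adapter's default)."""
    root = ET.fromstring(xml_text)
    disabled = []
    for dep in root.findall(f"{{{KC_NS}}}secure-deployment"):
        el = dep.find(f"{{{KC_NS}}}enable-cors")
        value = (el.text or "").strip().lower() if el is not None else "false"
        if value != "true":
            disabled.append(dep.get("name"))
    return disabled

def enable_cors(xml_text):
    """Return the subsystem with <enable-cors>true</enable-cors> on every
    secure-deployment, adding the element where it is absent."""
    ET.register_namespace("", KC_NS)  # keep the default namespace unprefixed
    root = ET.fromstring(xml_text)
    for dep in root.findall(f"{{{KC_NS}}}secure-deployment"):
        el = dep.find(f"{{{KC_NS}}}enable-cors")
        if el is None:
            el = ET.SubElement(dep, f"{{{KC_NS}}}enable-cors")
        el.text = "true"
    return ET.tostring(root, encoding="unicode")

def preflight_allows(headers, origin):
    """The browser rule behind the error quoted above: the pre-flight response
    must carry Access-Control-Allow-Origin echoing the requesting origin."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get("access-control-allow-origin") == origin
```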

              rhn-support-fspolti Filippe Spolti
              rhn-gpte-dtorresf Diego Torres Fuerte
              Jakub Schwan Jakub Schwan
              Mikhail Ramendik Mikhail Ramendik