Uploaded image for project: 'Red Hat Process Automation Manager'
  1. Red Hat Process Automation Manager
  2. RHPAM-2284

CORS support for KIE-SERVER secured by RH SSO

    XMLWordPrintable

Details

    • Documentation (Ref Guide, User Guide, etc.)
    • Hide

      https://github.com/jboss-container-images/jboss-eap-modules/blob/c3e80444b1e7f1aa3c5e683d1a170f8d32682dbb/os-eap-sso/added/keycloak.sh#L304

      Just add an environment variable to the KIE-SERVER build config:

      SSO_ENABLE_CORS = true

      Show
      https://github.com/jboss-container-images/jboss-eap-modules/blob/c3e80444b1e7f1aa3c5e683d1a170f8d32682dbb/os-eap-sso/added/keycloak.sh#L304 Just add an environment variable to the KIE-SERVER build config: SSO_ENABLE_CORS = true
    • Hide

      1. Create a Red Hat SSO + KIE-SERVER integration environment in OCP.
      2. Create a client in Red Hat SSO for the external application (standard-flow-enabled) in the same realm securing the kie-server
      3. Clone and download the following project: https://github.com/barhte2019/hiring-app-internal
      3. Edit the Dockerfile to setup the KIE-SERVER and RH-SSO endpoints to your external routes available from steps 1 and 2.
      4. Create an image using the Dockerfile and create a container based in that image.
      5. After logging in the client application resulting from step 4: monitor the javascript console in your browser. – CORS error is present.

      Show
      1. Create a Red Hat SSO + KIE-SERVER integration environment in OCP. 2. Create a client in Red Hat SSO for the external application (standard-flow-enabled) in the same realm securing the kie-server 3. Clone and download the following project: https://github.com/barhte2019/hiring-app-internal 3. Edit the Dockerfile to setup the KIE-SERVER and RH-SSO endpoints to your external routes available from steps 1 and 2. 4. Create an image using the Dockerfile and create a container based in that image. 5. After logging in the client application resulting from step 4: monitor the javascript console in your browser. – CORS error is present.
    • 2020 Week 43-45 (from Okt 19), 2020 Week 46-48 (from Nov 9), 2020 Week 49-51 (from Nov 30)

    Description

      When integrating RH-SSO with KIE-SERVER, the KIE-SERVER container results with a standalone-openshift.xml configuration that contains the following section:

      <subsystem xmlns="urn:jboss:domain:keycloak:1.1"><realm name="kie-realm"><!-- ##KEYCLOAK_PUBLIC_KEY## -><auth-server-url>https://sso-rhsso-sso0.apps-8735.generic.opentlc.com/auth</auth-server-url><register-node-at-startup>true</register-node-at-startup><register-node-period>600</register-node-period><ssl-required>external</ssl-required><disable-trust-manager>true</disable-trust-manager><!- ##KEYCLOAK_TRUSTSTORE## --><allow-any-hostname>false</allow-any-hostname></realm> <secure-deployment name="ROOT.war"><realm>kie-realm</realm><resource>kie-server</resource><auth-server-url>https://sso-rhsso-sso0.apps-8735.generic.opentlc.com/auth</auth-server-url><enable-basic-auth>true</enable-basic-auth><credential name="secret">252793ed-7118-4ca8-8dab-5622fa97d892</credential><enable-cors>false</enable-cors><bearer-only>false</bearer-only></secure-deployment></subsystem>

      Note the use of <enable-cors>false</enable-cors>; when connecting a client application that sends a request to the kie-server; some browsers will send an "OPTIONS" request for pre-flight for the security configuration. The `false` value configured here causes that pre-flight to don't include any of the configured web-origins in the "Access-Control-Allow-Origin" Header; thus the CORS fails to fill the pre-flight:

      No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'example://example.ex' is therefore not allowed access.

      To delegate the addition of these headers to Red Hat SSO it is required to set <enable-cors>true</enable-cors> in the configuration.

      Attachments

        Issue Links

          is documented by

          Task - Represents a small unit of work that is not end-user facing. BXMSDOC-6683 Document configuring CORS, in particular with RHSSO

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rhn-support-fspolti Filippe Spolti
              rhn-gpte-dtorresf Diego Torres Fuerte
              Jakub Schwan Jakub Schwan
              Mikhail Ramendik Mikhail Ramendik
              Jakub Schwan Jakub Schwan
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: