From db37053f585665b0ec721e22310cb66a378b690a Mon Sep 17 00:00:00 2001
From: Bill Burke
Date: Tue, 25 Feb 2014 16:23:29 -0500
Subject: [PATCH] cors docs
---
 docbook/reference/en/en-US/master.xml | 2 ++
 .../en/en-US/modules/adapter-config.xml | 2 +-
 docbook/reference/en/en-US/modules/cors.xml | 25 +++++++++++++++++++
 .../en/en-US/modules/javascript-adapter.xml | 2 +-
 .../as7/AuthenticatedActionsValve.java | 2 +-
 .../undertow/AuthenticatedActionsHandler.java | 2 +-
 6 files changed, 31 insertions(+), 4 deletions(-)
 create mode 100755 docbook/reference/en/en-US/modules/cors.xml
diff --git a/docbook/reference/en/en-US/master.xml b/docbook/reference/en/en-US/master.xml
index ca2a5490a4..7ee614f4ad 100755
--- a/docbook/reference/en/en-US/master.xml
+++ b/docbook/reference/en/en-US/master.xml
@@ -18,6 +18,7 @@
+ ]>
@@ -94,6 +95,7 @@
 &Email;
 &Roles;
+ &CORS;
 &Timeouts;
 &Migration;
diff --git a/docbook/reference/en/en-US/modules/adapter-config.xml b/docbook/reference/en/en-US/modules/adapter-config.xml
index 29b03b5bd6..64878a7cd4 100755
--- a/docbook/reference/en/en-US/modules/adapter-config.xml
+++ b/docbook/reference/en/en-US/modules/adapter-config.xml
@@ -18,7 +18,7 @@
 "bearer-only" : false,
 "expose-token" : true,
 "credentials" : {
- "password" : "password"
+ "secret" : "234234-234234-234234"
 }
 "connection-pool-size" : 20,
diff --git a/docbook/reference/en/en-US/modules/cors.xml b/docbook/reference/en/en-US/modules/cors.xml
new file mode 100755
index 0000000000..f04c535fad
--- /dev/null
+++ b/docbook/reference/en/en-US/modules/cors.xml
@@ -0,0 +1,25 @@
+
+ CORS
+
+ CORS stands for Cross-Origin Resource Sharing. If executing browser Javascript tries to make an AJAX HTTP request
+ to a server's whose domain is different than the one the Javascript code came from, then the request uses the
+ CORS protocol. The server must handle CORS requests in a special
+ way, otherwise the browser will not display or allow the request to be processed. This protocol exists to protect
+ against XSS and other Javascript-based attacks. Keycloak has support for validated CORS requests.
+
+
+ Keycloak's CORS support is configured per application and oauth client. You specify the allowed origins
+ in the application's or oauth client's configuration page in the admin console. You can add as many you want. The value
+ must be what the browser would send as a value in the Origin header. For example http://example.com
+ is what you must specify to allow CORS requests from example.com. When an access token is
+ created for the application or OAuth client, these allowed origins are embedded within the token. On authenticated
+ CORS requests, your application's Keycloak adapter will handle the CORS protocol and validate the Origin
+ header against the allowed origins embedded in the token. If there is no match, then the request is denied.
+
+
+ To enable CORS processing in your application's server, you must set the enable-cors setting
+ to true in your adapter's configuration file. When this
+ setting is enabled, the Keycloak adapter will handle all CORS preflight requests. It will validate authenticated
+ requests (protected resource requests), but will let unauthenticated requests (unprotected resource requests) pass through.
+
+
\ No newline at end of file
diff --git a/docbook/reference/en/en-US/modules/javascript-adapter.xml b/docbook/reference/en/en-US/modules/javascript-adapter.xml
index 45c41d1add..8a16a89da6 100755
--- a/docbook/reference/en/en-US/modules/javascript-adapter.xml
+++ b/docbook/reference/en/en-US/modules/javascript-adapter.xml
@@ -10,7 +10,7 @@
 disadvantage of using this approach is that you end up having a non-confidential, public client. This can be mitigated by registering valid redirect URLs. You are still vulnerable if somebody hijacks the IP/DNS name of your pure HTML/Javascript application though. - + startAsync To use this adapter, you first must load and initialize the keycloak javascript library into your application.