Merge pull request #242 from patriot1burke/master

cors docs
Bill Burke 2014-02-25 16:23:54 -05:00
commit deaf2f9273
6 changed files with 31 additions and 4 deletions


@ -18,6 +18,7 @@
<!ENTITY Migration SYSTEM "modules/MigrationFromOlderVersions.xml"> <!ENTITY Migration SYSTEM "modules/MigrationFromOlderVersions.xml">
<!ENTITY Email SYSTEM "modules/email.xml"> <!ENTITY Email SYSTEM "modules/email.xml">
<!ENTITY Roles SYSTEM "modules/roles.xml"> <!ENTITY Roles SYSTEM "modules/roles.xml">
<!ENTITY CORS SYSTEM "modules/cors.xml">
<!ENTITY Timeouts SYSTEM "modules/timeouts.xml"> <!ENTITY Timeouts SYSTEM "modules/timeouts.xml">
]> ]>
@ -94,6 +95,7 @@
&Email; &Email;
</chapter> </chapter>
&Roles; &Roles;
&CORS;
&Timeouts; &Timeouts;
&Migration; &Migration;


@ -18,7 +18,7 @@
"bearer-only" : false, "bearer-only" : false,
"expose-token" : true, "expose-token" : true,
"credentials" : { "credentials" : {
"password" : "password" "secret" : "234234-234234-234234"
} }
"connection-pool-size" : 20, "connection-pool-size" : 20,


@ -0,0 +1,25 @@
<chapter id="cors">
<title>CORS</title>
<para>
CORS stands for Cross-Origin Resource Sharing. If executing browser Javascript tries to make an AJAX HTTP request
to a server's whose domain is different than the one the Javascript code came from, then the request uses the
<ulink url="http://www.w3.org/TR/cors/">CORS protocol</ulink>. The server must handle CORS requests in a special
way, otherwise the browser will not display or allow the request to be processed. This protocol exists to protect
against XSS and other Javascript-based attacks. Keycloak has support for validated CORS requests.
</para>
<para>
Keycloak's CORS support is configured per application and oauth client. You specify the allowed origins
in the application's or oauth client's configuration page in the admin console. You can add as many you want. The value
must be what the browser would send as a value in the <literal>Origin</literal> header. For example <literal>http://example.com</literal>
is what you must specify to allow CORS requests from <literal>example.com</literal>. When an access token is
created for the application or OAuth client, these allowed origins are embedded within the token. On authenticated
CORS requests, your application's Keycloak adapter will handle the CORS protocol and validate the <literal>Origin</literal>
header against the allowed origins embedded in the token. If there is no match, then the request is denied.
</para>
<para>
To enable CORS processing in your application's server, you must set the <literal>enable-cors</literal> setting
to <literal>true</literal> in your <link linkend='adapter-config'>adapter's configuration file</link>. When this
setting is enabled, the Keycloak adapter will handle all CORS preflight requests. It will validate authenticated
requests (protected resource requests), but will let unauthenticated requests (unprotected resource requests) pass through.
</para>
</chapter>


@ -10,7 +10,7 @@
disadvantage of using this approach is that you end up having a non-confidential, public client. This can be mitigated disadvantage of using this approach is that you end up having a non-confidential, public client. This can be mitigated
by registering valid redirect URLs. You are still vulnerable if somebody hijacks the IP/DNS name of your pure by registering valid redirect URLs. You are still vulnerable if somebody hijacks the IP/DNS name of your pure
HTML/Javascript application though. HTML/Javascript application though.
</para> </para> startAsync
<para> <para>
To use this adapter, you first must load and initialize the keycloak javascript library into your application. To use this adapter, you first must load and initialize the keycloak javascript library into your application.
<programlisting><![CDATA[ <programlisting><![CDATA[


@ -118,7 +118,7 @@ public class AuthenticatedActionsValve extends ValveBase {
response.setHeader("Access-Control-Allow-Origin", origin); response.setHeader("Access-Control-Allow-Origin", origin);
response.setHeader("Access-Control-Allow-Credentials", "true"); response.setHeader("Access-Control-Allow-Credentials", "true");
} else { } else {
log.debugv("session or origin was null: {0}", request.getRequestURI()); log.debugv("letting through. This is an unathenticated session or origin header was null: {0}", request.getRequestURI());
} }
return false; return false;
} }
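Review bot: Where the if-branch reflects the request origin into `Access-Control-Allow-Origin` (first line of the hunk) and pairs it with `Access-Control-Allow-Credentials: true`, no `Vary: Origin` header is emitted, so a shared or proxy cache may serve a response carrying one origin's allow header to a request from a different origin. Adding `response.addHeader("Vary", "Origin");` beside the two setHeader calls keeps the per-origin response from being reused across origins; the Undertow handler hunk in AuthenticatedActionsHandler has the same gap at its put() calls. The new debug message also misspells "unathenticated". The enclosing method starts outside the hunk, so how `origin` is derived is not visible here, though the message text suggests it comes from the request's Origin header.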


@ -124,7 +124,7 @@ public class AuthenticatedActionsHandler implements HttpHandler {
exchange.getResponseHeaders().put(PreflightCorsHandler.ACCESS_CONTROL_ALLOW_ORIGIN, origin); exchange.getResponseHeaders().put(PreflightCorsHandler.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
exchange.getResponseHeaders().put(PreflightCorsHandler.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true"); exchange.getResponseHeaders().put(PreflightCorsHandler.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
} else { } else {
log.debugv("not secured or origin was null: {0}", exchange.getRequestURI()); log.debugv("cors validation not needed as we're not a secure session or origin header was null: {0}", exchange.getRequestURI());
} }
return false; return false;
} }