How to disable CORS in Keycloak
We use Keycloak 12.0.4 as a standalone IdP for applications running under the same domain. Keycloak runs as the native Docker image (jboss/keycloak:12.0.4). During a security audit we noticed that CORS requests can be sent to our Keycloak instance. Because our applications run under the same domain, we do not need CORS. I have been trying to disable, or at least configure, CORS for our domain, without success. Keycloak always seems to send Access-Control-* headers:
$ curl -X OPTIONS -I -H "Origin: http://evil.site.com" http://localhost:8080/auth/realms/master/account
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
Date: Mon, 03 May 2021 08:24:32 GMT
Connection: keep-alive
Access-Control-Allow-Origin: http://evil.site.com
Access-Control-Allow-Credentials: true
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Length: 0
Access-Control-Allow-Methods: HEAD, POST, GET, OPTIONS
Access-Control-Max-Age: 3600
I have tried configuring Web Origins in the client configuration, but it has no effect:
Web Origins http://localhost:8080
I also tried configuring the Access-Control-* headers in the WildFly configuration, which does not seem to work if the header is already set:
<subsystem xmlns="urn:jboss:domain:undertow:11.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}" security-realm="ApplicationRealm" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <http-invoker security-realm="ApplicationRealm"/>
            <filter-ref name="Access-Control-Allow-Origin"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="Access-Control-Allow-Origin" header-name="Access-Control-Allow-Origin" header-value="http://localhost:8080"/>
    </filters>
</subsystem>
Is there a way to disable CORS in Keycloak itself, without resorting to a web proxy to filter out these headers? Am I missing something?
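Added example (my code, not from the question or from Keycloak): a defender-side check that parses the header block of a preflight response such as the one in the question and classifies what the Access-Control-* values allow. SAMPLE_RESPONSE is constructed from the headers shown in the question; the allow-list, the HARDENED_RESPONSE sample and the function names are assumptions. Severity "high" corresponds to the pattern the audit flagged: the probe's Origin echoed back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true.

```python
"""Added example (not from the question or from Keycloak): parse the header block of a
CORS preflight response and classify the risk of the Access-Control-* values it carries."""
from typing import Dict, List

# Constructed sample input: the response headers shown in the question's curl output.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
Date: Mon, 03 May 2021 08:24:32 GMT
Connection: keep-alive
Access-Control-Allow-Origin: http://evil.site.com
Access-Control-Allow-Credentials: true
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Length: 0
Access-Control-Allow-Methods: HEAD, POST, GET, OPTIONS
Access-Control-Max-Age: 3600
"""

# Constructed (hypothetical) sample: the same preflight once no Access-Control-* headers
# are emitted at all, which is the outcome the question is after.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Length: 0
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response head into a lower-cased name -> list of values map.
    Repeated headers are kept in order; the status line and blank lines are skipped."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line (e.g. stray progress output); ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def assess_cors(raw: str, request_origin: str, allowed_origins: List[str]) -> Dict[str, object]:
    """Classify the CORS headers of a preflight response.

    request_origin  - the Origin header the probe was sent with
    allowed_origins - origins the deployment legitimately serves (assumed allow-list)
    Severity values:
      none   - no Access-Control-Allow-Origin at all (browsers block cross-origin reads)
      info   - the allowed origin is on the allow-list
      medium - wildcard, or an origin off the allow-list allowed without credentials
      high   - an origin off the allow-list allowed together with Allow-Credentials: true
    """
    h = parse_headers(raw)
    acao_values = h.get("access-control-allow-origin", [])
    creds_values = [v.lower() for v in h.get("access-control-allow-credentials", [])]
    allow_origin = acao_values[-1] if acao_values else None
    credentials = creds_values[-1] == "true" if creds_values else False

    if allow_origin is None:
        severity, reflects_untrusted = "none", False
    elif allow_origin == "*":
        severity, reflects_untrusted = "medium", False
    elif allow_origin in allowed_origins:
        severity, reflects_untrusted = "info", False
    else:
        # The server echoed back an origin it should not trust; credentials make it worse.
        reflects_untrusted = allow_origin == request_origin
        severity = "high" if credentials else "medium"

    return {
        "allow_origin": allow_origin,
        "credentials": credentials,
        "reflects_untrusted_origin": reflects_untrusted,
        "severity": severity,
    }


if __name__ == "__main__":
    for label, raw in (("as observed", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, assess_cors(raw, "http://evil.site.com", ["http://localhost:8080"]))
```

Run against the observed headers the check reports severity "high"; against a response that carries no Access-Control-* headers it reports "none", which makes it a simple regression check to keep in an audit pipeline once Keycloak (or whatever sits in front of it) stops emitting them.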