[keycloak-user] CORS Problem

Brem, Robert Robert.Brem at adesso.ch
Tue Jan 27 01:55:08 EST 2015


Hi @ll,

For my current project I use Docker and run each service in its own container, and spread the services over multiple servers. All connected via REST.

For security I found Keycloak, and I think it's a really cool tool. But I was never the best friend of security... JAAS/Spring Security...

My problem is that I'm trying to use the CORS example (https://github.com/keycloak/keycloak/tree/master/examples/cors). I also use AngularJS for the frontend, which consumes multiple REST services.
But I can't get it to work. I always get the following error:
XMLHttpRequest cannot load http://162.244.28.89:8080/BrandService/resources/brands/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://162.244.28.89' is therefore not allowed access. The response had HTTP status code 403.

Google Chrome gives me the following output for the HTTP request:
Remote Address:162.244.28.89:8080
Request URL:http://162.244.28.89:8080/BrandService/resources/brands/
Request Method:GET
Status Code:403 Forbidden
Request Headers:
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Authorization:Bearer eyJhbGciOiJSUzI1NiJ9....ay2Sr-GP0CYfSDV7O2Q8sNyx91RgHdhy2S600NYEHUFG2VoF5cRCDBJpkuPbcXVtz2liMy-80S3KY9lfII
Connection:keep-alive
Host:162.244.28.89:8080
Origin:http://162.244.28.89
Referer:http://162.244.28.89/
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Response Headers:
Cache-Control:no-cache, no-store, must-revalidate
Connection:keep-alive
Content-Length:68
Content-Type:text/html;charset=UTF-8
Date:Fri, 23 Jan 2015 19:23:33 GMT
Expires:0
Pragma:no-cache
Server:WildFly/8
X-Powered-By:Undertow/1

What I don't get is the response headers. Shouldn't the following headers be there:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:origin,accept,content-type
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Origin:*
Access-Control-Max-Age:151200
Allow:HEAD, POST, GET, OPTIONS, PUT

My keycloak.json looks like this:
{
  "realm": "openPixx",
  "realm-public-key": "...bmwCckE..gWjLQIDAQAB",
  "ssl-required": "external",
  "resource": "BrandService",
  "bearer-only": true,
  "cors-max-age" : 1000,
  "enable-cors": true,
  "cors-allowed-methods" : "POST, PUT, DELETE, GET"
}

In Keycloak I've defined the BrandFrontend:
Enabled: true
Client Protocol: openid-connect
Access Type: public
Redirect URL: http://162.244.28.89/*
Web Origin: http://162.244.28.89

For the AngularJS part I've used the authinterceptor from the example.

If you have read this far: thank you very much, and sorry for my bad English :)

Greets
Rob
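To make the observed behaviour concrete (a 403 with no Access-Control-Allow-Origin header at all, while the preflight settings come from keycloak.json), here is an added example that models how a bearer-only resource server with CORS enabled typically decides what to send back. It is not Keycloak's adapter code and not from the post; it assumes that the access token carries an "allowed-origins" claim populated from the Web Origins of the client that issued it (BrandFrontend here), and that the cors-* keys in keycloak.json drive the preflight answer. The token, config values and origins below are constructed for the demo.

```python
"""Constructed model of a bearer-only resource server's CORS decision.

Assumptions (not verified against any real adapter): the token carries an
"allowed-origins" claim, and the keycloak.json cors-* keys feed the preflight.
"""
import base64
import json
from typing import Dict, List, Tuple

# Constructed keycloak.json-style settings, using the same keys as in the post.
ADAPTER_CONFIG = {
    "enable-cors": True,
    "cors-max-age": 1000,
    "cors-allowed-methods": "POST, PUT, DELETE, GET",
    "cors-allowed-headers": "origin, accept, content-type, authorization",
}


def make_demo_token(allowed_origins: List[str]) -> str:
    """Build a JWT-shaped string for the demo (constructed, unsigned, not a real token).

    Only the payload matters for the CORS decision; the signature segment is a
    placeholder because signature verification is assumed to happen earlier."""
    def seg(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    header = seg({"alg": "RS256"})
    payload = seg({"preferred_username": "rob", "allowed-origins": allowed_origins})
    return f"{header}.{payload}.signature-placeholder"


def decode_claims(token: str) -> Dict:
    """Decode the payload segment of a compact JWS (no verification; demo only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def cors_decision(method: str, headers: Dict[str, str],
                  config: Dict = ADAPTER_CONFIG) -> Tuple[int, Dict[str, str]]:
    """Return (status, cors_headers) for a request.

    Status 200 means "let the request through to the resource"; the headers are
    the CORS headers the adapter would add to the response."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin")

    # No Origin header (same-origin or non-browser caller), or CORS switched off:
    # nothing CORS-related is added.
    if not config.get("enable-cors") or origin is None:
        return 200, {}

    # Preflight is answered from adapter config alone, before any token is seen.
    if method == "OPTIONS" and "access-control-request-method" in hdrs:
        return 200, {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Methods": config["cors-allowed-methods"],
            "Access-Control-Allow-Headers": config["cors-allowed-headers"],
            "Access-Control-Max-Age": str(config["cors-max-age"]),
        }

    # Actual request: a bearer token is required on a bearer-only resource.
    auth = hdrs.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return 401, {}

    claims = decode_claims(auth.split(" ", 1)[1])
    allowed = set(claims.get("allowed-origins", []))

    # Origin not covered by the token's allowed-origins: deny and add NO CORS
    # headers. The browser then reports exactly the error quoted in the post.
    if origin not in allowed and "*" not in allowed:
        return 403, {}

    return 200, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


if __name__ == "__main__":
    page_origin = "http://162.244.28.89"  # origin from the post
    good = "Bearer " + make_demo_token([page_origin])
    bad = "Bearer " + make_demo_token([])  # token issued to a client with no Web Origin
    print(cors_decision("OPTIONS", {"Origin": page_origin, "Access-Control-Request-Method": "GET"}))
    print(cors_decision("GET", {"Origin": page_origin, "Authorization": good}))
    print(cors_decision("GET", {"Origin": page_origin, "Authorization": bad}))
```

The point the model makes: the preflight headers listed in the post come from keycloak.json, but the headers on the real GET depend on the token, so a token whose allowed-origins does not contain the page's origin yields a bare 403 rather than a response with a missing-but-expected header.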
