Re: [keycloak-user] SOLVED ! -> OPTIONS 401 - CORS problem

I solved it - all through Spring Security Config in boot. I had to remove http.anonymous().disable() then I had to allow OPTIONS on : http.authorizeRequests() .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() making sure we're not handle OPTIONS on any rest points I guess should be safe enough. Other than that , cross domain rest calls work now. Hopefully this will help anyone hitting this issue. > Group > > I have an angular spa deployed on host A - apache httpd (static content) > making REST api calls into a spring-boot > hosted by host B. The 2 servers are different domains. > Spa is protected by Keycloak.js. Am able to bring in the index. When I > click on a rest call, > browser sends over first OPTIONS request to make sure server B is ready > to > accept since it is an XHR cross domain call. > But the problem is that OPTIONS is being sent without Authorization: > Bearer 'token' and so the rest webserver rejects the call > with 401 -Unauthorized. Each REST call from the SPA to the cross domain > REST is rejected. > Am I the first one to hit this? > I saw people solving this with regular un-secured apps, but in my case > Keycloak using spring-security rejects it. > Anyone in the group can help me - anyone has deployed the client and > server (being bearer keycloak protected) and solved > this problem. > Have tried various things inside spring-boot to allow options/cors, etc > - > none worked. > > Thank you for help. > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >