Hi,
it looks to me that your CORS settings on the adapter side and also for
your frontend application look good. However, Keycloak returned 403
Forbidden and hence did not add CORS headers (we add the CORS headers
after successful authentication). Do you have something in the server log?
What I would try is:
- Temporarily set "ssl-required" to "none" in the adapter
configuration
- If it doesn't help, then see how it behaves if both the frontend
application and the REST application are on the same origin (either
)
- Maybe using a hostname like "myhost.com" instead of the IP address could
help. If you have the opportunity to temporarily add a virtual host and use
a hostname, it is worth a try (it's strange, but who knows...)
Marek
On 27.1.2015 07:55, Brem, Robert wrote:
Hi all,
For my current project I use Docker and run each service in its own
container, and spread the services over multiple servers. All
connected via REST.
For the security I found Keycloak, and I think it’s a really cool
tool. But I was never the best friend of security… JAAS/Spring Security…
My problem is, I try to use the CORS example
(https://github.com/keycloak/keycloak/tree/master/examples/cors). I
also use AngularJS for the frontend that consumes multiple REST services.
But I can’t get it to work. I always get the following error:
XMLHttpRequest cannot load
http://162.244.28.89:8080/BrandService/resources/brands/. No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://162.244.28.89' is therefore not allowed
access. The response had HTTP status code 403.
Google Chrome gives me the following output for the HTTP request:
Remote Address:162.244.28.89:8080
Request URL:http://162.244.28.89:8080/BrandService/resources/brands/
Request Method:GET
Status Code:403 Forbidden
Request Headers:
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Authorization:Bearer
eyJhbGciOiJSUzI1NiJ9….ay2Sr-GP0CYfSDV7O2Q8sNyx91RgHdhy2S600NYEHUFG2VoF5cRCDBJpkuPbcXVtz2liMy-80S3KY9lfII
Connection:keep-alive
Host:162.244.28.89:8080
Origin:http://162.244.28.89
Referer:http://162.244.28.89/
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Response Headers:
Cache-Control:no-cache, no-store, must-revalidate
Connection:keep-alive
Content-Length:68
Content-Type:text/html;charset=UTF-8
Date:Fri, 23 Jan 2015 19:23:33 GMT
Expires:0
Pragma:no-cache
Server:WildFly/8
X-Powered-By:Undertow/1
What I don’t get are the response headers. Shouldn’t the
following headers be there:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:origin,accept,content-type
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Origin:*
Access-Control-Max-Age:151200
Allow:HEAD, POST, GET, OPTIONS, PUT
My keycloak.json looks like that:
{
"realm": "openPixx",
"realm-public-key": "…bmwCckE..gWjLQIDAQAB",
"ssl-required": "external",
"resource": "BrandService",
"bearer-only": true,
"cors-max-age" : 1000,
"enable-cors": true,
"cors-allowed-methods" : "POST, PUT, DELETE, GET"
}
In Keycloak I’ve defined the BrandFrontend:
Enabled: true
Client Protocol: openid-connect
Access Type: public
Redirect URL: http://162.244.28.89/*
Web Origin: http://162.244.28.89
For the AngularJS part I’ve used the authinterceptor from the example.
If you have read until here:
thank you very much, and sorry for my bad English :)
Greets
Rob
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
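The thread above (Marek's reply and Robert's adapter configuration) can be turned into a small offline diagnostic. The following is an added example, not code from Keycloak or from either poster: it models, in simplified Python, the checks a bearer-only adapter makes before it decides whether to add CORS headers, and shows why a 403 comes back with no Access-Control-Allow-Origin header at all. Assumed, because the page does not state them: that "ssl-required": "external" rejects plaintext requests from non-private client addresses, that the request Origin is compared against the token's allowed-origins claim (filled from the client's Web Origins), and that the token's issuer must name the adapter's realm (and match auth-server-url when that is configured). The token, its issuer URL and the client address 203.0.113.7 are constructed; the token signature is not verified.

```python
# Added diagnostic example; not Keycloak's code and not code from the thread.
# It models, in simplified form, what a bearer-only Keycloak adapter checks
# before it adds CORS headers, so a "403 and no CORS headers" response can be
# explained offline. Every modelled rule is an assumption about the adapter.
import base64
import ipaddress
import json
import time

# Assumption: with ssl-required=external, plaintext is tolerated only from
# these address ranges (and "localhost"); everything else must use HTTPS.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def b64url_decode(segment):
    """base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(claims):
    """Constructed, UNSIGNED token: RS256 header plus a placeholder signature.
    The real token on the page is signed by the realm key."""
    header = b64url_encode(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.placeholder"


def decode_jwt_unverified(token):
    """Decode header and claims of a compact JWS. The signature is NOT checked
    (no realm public key here); a wrong realm-public-key is a further 403
    cause this script cannot see."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def is_local_address(remote_addr):
    if remote_addr == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def ssl_is_required(mode, remote_addr):
    """Model of the adapter's ssl-required values: all / external / none."""
    mode = (mode or "external").lower()
    if mode == "all":
        return True
    if mode == "none":
        return False
    return not is_local_address(remote_addr)


def check_bearer_request(cfg, request, token, now=None):
    """Return (reasons, cors_headers). A non-empty reasons list stands for a
    403 sent before any CORS header is added; when it is empty, cors_headers
    is what the adapter would attach to the successful response."""
    now = time.time() if now is None else now
    reasons = []
    if (ssl_is_required(cfg.get("ssl-required"), request["remote_addr"])
            and request["scheme"] != "https"):
        reasons.append(f'ssl-required={cfg.get("ssl-required", "external")} '
                       f'but plaintext request from {request["remote_addr"]}')
    _header, claims = decode_jwt_unverified(token)
    if claims.get("exp", 0) <= now:
        reasons.append("token expired")
    realm_suffix = "/realms/" + cfg["realm"]
    if not str(claims.get("iss", "")).endswith(realm_suffix):
        reasons.append(f'issuer {claims.get("iss")!r} is not realm {cfg["realm"]!r}')
    base = cfg.get("auth-server-url")  # absent in the posted keycloak.json
    if base and claims.get("iss") != base.rstrip("/") + realm_suffix:
        reasons.append("issuer host differs from auth-server-url "
                       "(e.g. hostname vs IP address)")
    headers = {}
    origin = request["headers"].get("Origin")
    if cfg.get("enable-cors") and origin:
        # Assumption: Origin is matched against the token's allowed-origins
        # claim, which Keycloak fills from the client's Web Origins.
        allowed = claims.get("allowed-origins", [])
        if "*" not in allowed and origin not in allowed:
            reasons.append(f"Origin {origin} not in token allowed-origins {allowed}")
        headers = {"Access-Control-Allow-Origin": origin,
                   "Access-Control-Allow-Credentials": "true"}
    return reasons, ({} if reasons else headers)


# The scenario from the post (constructed from the quoted keycloak.json,
# request headers and client settings; the public key is omitted).
ADAPTER_CFG = {
    "realm": "openPixx", "ssl-required": "external", "resource": "BrandService",
    "bearer-only": True, "cors-max-age": 1000, "enable-cors": True,
    "cors-allowed-methods": "POST, PUT, DELETE, GET",
}
NOW = 1422041013  # the response's Date header: Fri, 23 Jan 2015 19:23:33 GMT
REQUEST = {
    "method": "GET", "scheme": "http",
    "remote_addr": "203.0.113.7",  # constructed: browser not on a private LAN
    "headers": {"Origin": "http://162.244.28.89", "Host": "162.244.28.89:8080"},
}
TOKEN = make_demo_token({
    "iss": "http://162.244.28.89:8080/auth/realms/openPixx",  # assumed issuer
    "exp": NOW + 300, "azp": "BrandFrontend",
    "allowed-origins": ["http://162.244.28.89"],  # the client's Web Origin
})


def diagnose():
    """The request as posted, then with Marek's first suggestion applied."""
    as_posted = check_bearer_request(ADAPTER_CFG, REQUEST, TOKEN, NOW)
    relaxed = check_bearer_request({**ADAPTER_CFG, "ssl-required": "none"},
                                   REQUEST, TOKEN, NOW)
    return as_posted, relaxed


if __name__ == "__main__":
    for label, (reasons, headers) in zip(("as posted", "ssl-required=none"), diagnose()):
        print(label, "->", "403: " + "; ".join(reasons) if reasons else f"200 {headers}")
```

Run as posted, the only reason the model reports is the ssl-required rule, which is the first thing Marek suggests relaxing; with "ssl-required": "none" the same request is accepted and the two CORS headers for the actual (non-preflight) GET appear. Changing the Origin to one not listed in the token, or moving the clock past exp, produces a 403 without CORS headers in exactly the same way, which is why the missing Access-Control-Allow-Origin header on its own says nothing about the CORS configuration.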