Re: [keycloak-user] How to set up CORS for javascript calling a REST app

Here is some more information on my problem. I have done a local build with the source from 5/8/2014. I deployed the auth-server to JBoss 7.1.1 running at localhost:8080 I deployed the as7-adapter to JBoss 7.1.1 running at myhost.net:7116 I have 2 applications running on the server at myhost.net:7116 1. gui-app - a jsp that uses Angular.js to make an Ajax call to a REST service in rest-app 2. rest-app - a REST service Both the gui-app and rest-app are configured to be secured by the auth-server. When the jsp from gui-app is requested it will get redirected to the auth-server and get the login form and successfully login. I can see the KEYCLOAK_IDENTITY cookie set and get the access code and exchange the access code for an access token. Everything looks good. When the Ajax request is made to the rest-app the problems start. First of all for the Anguar.js config I had to set $httpProvider.defaults.withCredentials = true or the KEYCLOAK_IDENTITY cookie would not get sent when the request was redirected to the auth-server. In the Cors.build() method the origin value from the request is null so none of this code executes. This may be because I have the auth-server and my apps on different instances of JBoss with different domains. Also since I have already successfully logged in (with the call from the jsp) the method that gets called is in OAuthFlows. redirectAccessCode (). This method does not set any of the Access-Control-Allow-* methods and I get an error in the browser console: XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/tokens/login?client_id=rest-app&am.... No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://myhost.net:7116' is therefore not allowed access. If I modify the code to add the Access-Control-Allow-* headers to the response, I get further along. Now the redirect with the access code get processed by the adapter. When the adapter strips the access code and sends back a redirect response without the access code it does not add the Access-Control-Allow-* headers so this fails with the error: XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt…FHbNf0z2R0hVsU6QBMamaEVUv.... No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. Modifying the adapter to add the Access-Control-Allow-* for this redirect response gets a little further. Now the problem is that the Origin=null in the request header and I get this error: XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt…5LL8dP6-ZEEE_t1fLf-OrJBTM.... The 'Access-Control-Allow-Origin' header has a value 'https://myhost.net:7116' that is not equal to the supplied origin. Origin 'null' is therefore not allowed access. I tried to set the Access-Control-Allow-Origin = * to get around this null issue, but then I get an error: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access. But I have to set the credentials flag to true in order to get the KEYCLOAK_IDENTITY cookie to be sent. Can you look into these problems and let me know if there is a way to get this working for the applications that I have? Thanks -Jim -----Original Message----- From: Boettcher, Jim Sent: Tuesday, May 06, 2014 8:31 AM To: 'Stian Thorgersen'; Bill Burke Cc: keycloak-user(a)lists.jboss.org Subject: RE: How to set up CORS for javascript calling a REST app I first tried with the Alpa-3 release. I then did a build with latest source and deployed the auth-server.war and the keycloak-as7-adapter module. I still have the same problem with the latest source. I also noticed that with the latest source running on JBoss 7.1.1 when I tried to import a realm I get this error: Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45] at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45] at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:] Jim -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Stian Thorgersen Sent: Tuesday, May 06, 2014 4:55 AM To: Bill Burke Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app I added some fixes to CORS in the adapters that haven't made it into a release yet. Have you tried with building the server from source? ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: keycloak-user(a)lists.jboss.org > Sent: Monday, 5 May, 2014 11:42:11 PM > Subject: Re: [keycloak-user] How to set up CORS for javascript calling > a REST app > > You are using the latest release? I'll take a look. I don't have any > unit tests for the CORs stuff in the last alpha release (have some in > trunk though) and I don't think I tested it manually either. > > On 5/5/2014 3:41 PM, Boettcher, Jim wrote: >> Hi, >> >> I’m trying to get CORS working for a javascript app. The javascript >> app >> (gui_app) is making AJAX requests to a different REST app (rest_app). >> >> In the Keycloak admin console I created an application for the >> rest_app application and set a Web Origin of “*” . I then copied the >> Installation for Jboss Subsystem XML to the standalone.xml of the >> JBoss 7.1.1 server that the rest_app is running on. I modified the >> configuration to add >> >> <enable-cors>true</enable-cors> >> >> When I try to open the gui_app from Chrome I get errors like: >> >> XMLHttpRequest cannot load >> http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest.... >> No 'Access-Control-Allow-Origin' header is present on the requested >> resource. Origin 'https://localhost:7116' is therefore not allowed access. >> >> I’ve tried playing with various settings but can’t get anything to work. >> >> Is there an example available for how to get this to work? >> >> Is there anything else that needs to be done on the Keycloak server >> side? Or on the Adapter side? >> >> Thanks, >> >> Jim >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user