Here is some more information on my problem.
I have done a local build with the source from 5/8/2014.
I deployed the auth-server to JBoss 7.1.1 running at localhost:8080
I deployed the as7-adapter to JBoss 7.1.1 running at myhost.net:7116
I have 2 applications running on the server at myhost.net:7116
1. gui-app - a jsp that uses Angular.js to make an Ajax call to a REST service in
rest-app
2. rest-app - a REST service
Both the gui-app and rest-app are configured to be secured by the auth-server.
When the jsp from gui-app is requested it will get redirected to the auth-server and get
the login form and successfully login. I can see the KEYCLOAK_IDENTITY cookie set and get
the access code and exchange the access code for an access token. Everything looks good.
When the Ajax request is made to the rest-app the problems start.
First of all for the Angular.js config I had to set $httpProvider.defaults.withCredentials
= true or the KEYCLOAK_IDENTITY cookie would not get sent when the request was redirected
to the auth-server.
In the Cors.build() method the origin value from the request is null so none of this code
executes. This may be because I have the auth-server and my apps on different instances of
JBoss with different domains.
Also since I have already successfully logged in (with the call from the jsp) the method
that gets called is OAuthFlows.redirectAccessCode(). This method does not set any of
the Access-Control-Allow-* methods and I get an error in the browser console:
XMLHttpRequest cannot load
http://localhost:8080/auth/realms/demo/tokens/login?client_id=rest-app&am....
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'https://myhost.net:7116' is therefore not allowed access.
If I modify the code to add the Access-Control-Allow-* headers to the response, I get
further along. Now the redirect with the access code gets processed by the adapter. When
the adapter strips the access code and sends back a redirect response without the access
code it does not add the Access-Control-Allow-* headers so this fails with the error:
XMLHttpRequest cannot load
https://myhost.net:7116/rest-app/restws/backupt…FHbNf0z2R0hVsU6QBMamaEVUv....
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'null' is therefore not allowed access.
Modifying the adapter to add the Access-Control-Allow-* for this redirect response gets a
little further. Now the problem is that the Origin=null in the request header and I get
this error:
XMLHttpRequest cannot load
https://myhost.net:7116/rest-app/restws/backupt…5LL8dP6-ZEEE_t1fLf-OrJBTM....
The 'Access-Control-Allow-Origin' header has a value
'https://myhost.net:7116' that is not equal to the supplied origin. Origin
'null' is therefore not allowed access.
I tried to set the Access-Control-Allow-Origin = * to get around this null issue, but then
I get an error:
A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header
when the credentials flag is true. Origin 'null' is therefore not allowed access.
But I have to set the credentials flag to true in order to get the KEYCLOAK_IDENTITY
cookie to be sent.
Can you look into these problems and let me know if there is a way to get this working for
the applications that I have?
Thanks
-Jim
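
The three browser errors quoted in the message above follow from two browser-side rules of the Fetch standard, modelled here as an added example that is not part of the original e-mail or of Keycloak's code. The function names, result strings and the /rest-app/restws/example path are hypothetical; the origins and the login URL are the ones in the message.

```javascript
// Added illustration, not Keycloak code. Constructed sample data:
const PAGE = "https://myhost.net:7116";            // origin of the gui-app page
const CHAIN = [                                     // URLs one XHR passes through
  "https://myhost.net:7116/rest-app/restws/example",      // hypothetical path
  "http://localhost:8080/auth/realms/demo/tokens/login",  // redirect to auth-server
  "https://myhost.net:7116/rest-app/restws/example",      // redirect back to adapter
];

const originOf = (url) => new URL(url).origin;

// Origin header value sent on the last hop of a redirect chain.
// Once the chain has left the page's origin and then crosses origins
// again, the origin is "tainted" and serialized as the string "null".
function originHeaderFor(pageOrigin, urlChain) {
  let tainted = false;
  for (let i = 1; i < urlChain.length; i++) {
    const prev = originOf(urlChain[i - 1]);
    if (prev !== pageOrigin && originOf(urlChain[i]) !== prev) tainted = true;
  }
  return tainted ? "null" : pageOrigin;
}

// CORS check the browser applies to each response in the chain.
// headers: object mapping lower-cased header names to values.
function corsCheck(requestOrigin, withCredentials, headers) {
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined) return "missing-allow-origin";
  if (allow === "*") return withCredentials ? "wildcard-with-credentials" : "ok";
  if (allow !== requestOrigin) return "origin-mismatch";
  if (withCredentials && headers["access-control-allow-credentials"] !== "true")
    return "missing-allow-credentials";
  return "ok";
}

// Replays the situations from the message (withCredentials = true throughout).
function replay() {
  const last = originHeaderFor(PAGE, CHAIN);        // "null" on the final hop
  return [
    corsCheck(PAGE, true, {}),                                      // no headers set
    corsCheck(last, true, { "access-control-allow-origin": PAGE }), // adapter echoes its own origin
    corsCheck(last, true, { "access-control-allow-origin": "*" }),  // wildcard attempt
  ];
}
console.log(replay());
```

With withCredentials set, the only response that passes this check is one whose Access-Control-Allow-Origin equals the exact origin string the browser sent and that also carries Access-Control-Allow-Credentials: true.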
-----Original Message-----
From: Boettcher, Jim
Sent: Tuesday, May 06, 2014 8:31 AM
To: 'Stian Thorgersen'; Bill Burke
Cc: keycloak-user(a)lists.jboss.org
Subject: RE: How to set up CORS for javascript calling a REST app
I first tried with the Alpha-3 release.
I then did a build with latest source and deployed the auth-server.war and the
keycloak-as7-adapter module. I still have the same problem with the latest source.
I also noticed that with the latest source running on JBoss 7.1.1 when I tried to import
a realm I get this error:
Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V
    at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45]
    at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45]
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:]
    at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:]
    at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:]
Jim
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Stian Thorgersen
Sent: Tuesday, May 06, 2014 4:55 AM
To: Bill Burke
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app
I added some fixes to CORS in the adapters that haven't made it into a release yet.
Have you tried with building the server from source?
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Monday, 5 May, 2014 11:42:11 PM
Subject: Re: [keycloak-user] How to set up CORS for javascript calling
a REST app
You are using the latest release? I'll take a look. I don't have any
unit tests for the CORS stuff in the last alpha release (have some in
trunk though) and I don't think I tested it manually either.
On 5/5/2014 3:41 PM, Boettcher, Jim wrote:
> Hi,
>
> I’m trying to get CORS working for a javascript app. The javascript
> app (gui_app) is making AJAX requests to a different REST app (rest_app).
>
> In the Keycloak admin console I created an application for the
> rest_app application and set a Web Origin of “*” . I then copied the
> Installation for Jboss Subsystem XML to the standalone.xml of the
> JBoss 7.1.1 server that the rest_app is running on. I modified the
> configuration to add
>
> <enable-cors>true</enable-cors>
>
> When I try to open the gui_app from Chrome I get errors like:
>
> XMLHttpRequest cannot load
>
> http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest....
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'https://localhost:7116' is therefore not allowed access.
>
> I’ve tried playing with various settings but can’t get anything to work.
>
> Is there an example available for how to get this to work?
>
> Is there anything else that needs to be done on the Keycloak server
> side? Or on the Adapter side?
>
> Thanks,
>
> Jim
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com