Hi,
The problem is that you have defined your own CORS filter and also enabled
CORS in keycloak.json; that will duplicate the CORS headers and fail. Remove
your CORS filter and it should be okay (or disable CORS in keycloak.json).
On Wed, May 24, 2017 at 4:44 PM, <sesnor.silva(a)sapo.pt> wrote:
Hello again,
I forgot to mention I'm using Keycloak 3.1.0 Final.
Meanwhile I searched a bit more and found more people with the same
problem, but sadly, no solution:
http://lists.jboss.org/pipermail/keycloak-user/2014-May/000259.html
http://lists.jboss.org/pipermail/keycloak-user/2016-May/006147.html
I also made a really basic WAR application, protected by keycloak,
that just says "Hello" when you access the route /hello. The minimal
client code that reproduces the problem:
<script type="text/javascript"
        src="https://code.jquery.com/jquery-3.1.0.min.js"></script>
<script type="text/javascript"
        src="http://localhost:9000/auth/js/keycloak.js"></script>
<script type="text/javascript">
  var keycloak = Keycloak('keycloak.json');
  keycloak.init({ onLoad: 'login-required' }).success(function(authenticated) {
    if (authenticated) {
      $.ajax({
        method: "GET",
        url: "http://localhost:8080/hello",
        headers: { 'Authorization': 'Bearer ' + keycloak.token }
      });
    }
  });
</script>
I'm able to login successfully and acquire a valid working token.
However the AJAX call fails with the same errors mentioned before.
In Chrome 57 and Opera: "The 'Access-Control-Allow-Origin' header contains
multiple values 'http://localhost, http://localhost', but only one is
allowed. Origin 'http://localhost' is therefore not allowed access."
In Firefox 52: "Cross-Origin Request Blocked: The Same Origin Policy
disallows reading the remote resource. (Reason: CORS header
‘Access-Control-Allow-Origin’ does not match ‘(null)’)".
It works in IE11 but the page refreshes constantly, similar to what I've
mentioned here:
http://lists.jboss.org/pipermail/keycloak-user/2017-May/010677.html,
even when accepting third-party cookies.
Anyone have any hints please? What's going on with my setup? :(
Some additional information:
My API has the CORS filter enabled, like this:
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
My Client has "enable-cors": true.
Strangely I'm able to access the API through cURL if I use the valid
access-token.
Any help is appreciated at this point :(.
Best regards,
Silva
Citando sesnor.silva(a)sapo.pt:
> Hello,
>
> I have protected a Java web application that's compiled in a WAR
> package and accessible through a Tomcat 8 server. To do this I followed
> the steps here:
>
> https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/tomcat-adapter.html
>
> My Java Application is a RESTful API which can only be accessed by
> authorized users that bear a token.
>
> In Keycloak I configured my client (and keycloak.json) as follows:
> {
>   "realm": "MainDomain",
>   "bearer-only": true,
>   "auth-server-url": "http://<My Keycloak Server>:8081/auth",
>   "ssl-required": "none",
>   "resource": "main-domain-server"
> }
>
> If I have a valid token I can access the service fine through cURL
> requests. However, using any browser (Firefox, Chrome, Opera, except
> IE, which for some reason works) I can't access any resource through
> AJAX as I get CORS problems:
> "Response to preflight request doesn't pass access control check: No
> 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'http://localhost:3000' is therefore not allowed
> access. The response had HTTP status code 401."
>
> I searched around and found I should put "enable_cors": true in my
> keycloak.json, however this causes the following CORS problem:
> "The 'Access-Control-Allow-Origin' header contains multiple values
> 'http://localhost:3000, http://localhost:3000', but only one is
> allowed. Origin 'http://localhost:3000' is therefore not allowed
> access."
>
> I think I'm out of ideas at the moment on what could be causing this.
> Does anyone have any idea what could be wrong in my configuration?
>
> My best regards,
> Silva
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
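The reply at the top of this thread diagnoses the "multiple values" error as two layers (the Keycloak adapter with "enable-cors": true and the Tomcat CorsFilter) each adding an Access-Control-Allow-Origin header to the same response. The block below is an added example, not code from the thread or from Keycloak or Tomcat: it models each layer as a function that echoes the request Origin the way a servlet addHeader() call would, and then applies a simplified version of the check a browser performs on the response. All headers and origins in it are constructed sample values; the layer names and the function names corsLayer, respond, checkCorsResponse and scenarios are the example's own, not adapter or filter APIs.

```javascript
// Added example (not from the thread): model of how two independent CORS
// layers produce the duplicated Access-Control-Allow-Origin header seen in
// the error messages above, and of the browser check that rejects it.
// Every header set and origin below is constructed sample data.

// One CORS "layer". Both the Keycloak adapter (enable-cors) and Tomcat's
// CorsFilter echo the request Origin when credentials are supported; this
// reduces a layer to that behaviour. Servlet-style addHeader() appends a
// second header line instead of replacing the first, and the client sees the
// two lines merged into one comma-separated value.
function corsLayer() {
  return function (requestOrigin, headers) {
    const existing = headers["access-control-allow-origin"];
    headers["access-control-allow-origin"] = existing
      ? existing + ", " + requestOrigin
      : requestOrigin;
    headers["access-control-allow-credentials"] = "true";
    return headers;
  };
}

// Run a request through the active layers in order. An empty list models a
// bearer-only adapter rejecting the OPTIONS preflight with 401 before any
// CORS headers are written (the first error quoted in the thread).
function respond(layers, requestOrigin) {
  let headers = {};
  for (const layer of layers) headers = layer(requestOrigin, headers);
  return headers;
}

// Simplified browser-side CORS check. `withCredentials` is the XHR flag; a
// wildcard origin is only acceptable for non-credentialed requests.
function checkCorsResponse(headers, requestOrigin, withCredentials) {
  const raw = headers["access-control-allow-origin"];
  if (raw === undefined) {
    return { allowed: false, reason: "No 'Access-Control-Allow-Origin' header is present" };
  }
  const values = raw.split(",").map((v) => v.trim());
  if (values.length > 1) {
    return { allowed: false, reason: "header contains multiple values '" + raw + "', but only one is allowed" };
  }
  const value = values[0];
  if (value === "*") {
    if (withCredentials) return { allowed: false, reason: "wildcard origin is not allowed with credentials" };
    return { allowed: true, reason: "wildcard origin" };
  }
  if (value !== requestOrigin) {
    return { allowed: false, reason: "header value '" + value + "' does not match origin '" + requestOrigin + "'" };
  }
  if (withCredentials && headers["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "credentials requested but Access-Control-Allow-Credentials is not 'true'" };
  }
  return { allowed: true, reason: "origin matches" };
}

const keycloakAdapter = corsLayer();   // models "enable-cors": true
const tomcatCorsFilter = corsLayer();  // models the web.xml CorsFilter
const ORIGIN = "http://localhost";     // constructed request origin

// The three configurations discussed in the thread.
function scenarios() {
  return {
    // CorsFilter and adapter both active: the "multiple values" error.
    both: checkCorsResponse(respond([tomcatCorsFilter, keycloakAdapter], ORIGIN), ORIGIN, false),
    // Only the adapter handles CORS: the fix suggested in the reply.
    adapterOnly: checkCorsResponse(respond([keycloakAdapter], ORIGIN), ORIGIN, false),
    // No layer answers the preflight: "No 'Access-Control-Allow-Origin' header".
    none: checkCorsResponse(respond([], ORIGIN), ORIGIN, false),
  };
}

for (const [name, result] of Object.entries(scenarios())) {
  console.log(name + ": " + (result.allowed ? "allowed" : "blocked") + " (" + result.reason + ")");
}
```

The same check is a useful smoke test against a real deployment: fetch the endpoint once with an Origin header set and confirm that exactly one Access-Control-Allow-Origin value comes back, and that it is never "*" on an endpoint that also sends Access-Control-Allow-Credentials: true.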