Hi James,
Ok, so I managed to fix it, but I have still not figured out what the exact
problem was. This is what I have done to resolve the issue.
The error was happening with the following versions:
Keycloak: 2.3.0
Tomcat: 8.5 (I also tried running the tomcat 8.039 with keycloak adapters
for version 2.3.0 but it was still giving me problems, some kind of valve
exception was thrown.)
I then reverted to version 2.2.1 of keycloak and tomcat 8.039, and then
everything worked. Used the exact same setup that I had in the other
versions, replaced the keycloak.json files for my rest service and my web
app, and everything worked.
Based on that, I think the problem might be with version 2.3.0 of keycloak
and tomcat 8*. If I have time I will try to investigate it a bit more.
Regards
Grant
On Fri, Nov 18, 2016 at 12:50 AM, James Falkner <jfalkner(a)redhat.com> wrote:
Hey Grant - if it's a protected URL, and you've configured web origins
correctly for the client, and the adapter, and the browser is sending the
right stuff - then Keycloak adapter *should* add the CORS headers. I have a
few demos I've created that work in this way, but they all use the official
Red Hat SSO product, based on Keycloak 1.9.4.
If you use "curl" with the same headers, does it fail too? See the end of
http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
for an example of how to obtain a token and issue a request using curl.
-James
On Wed, Nov 16, 2016 at 2:51 PM, Grant Marrow <grantmarrow(a)gmail.com>
wrote:
> Hi James
>
> Yes I have used the chrome and firefox postmaster addon to process the
> same HTTP GET request to my rest service.
>
> During this request I added the authorisation bearer header with a valid
> token and it still returned the same error.
>
> The only time it worked was when I stripped out keycloak completely and
> just added the standard cors configuration in my web.xml of my service
> worked successfully. That's why I'm leaning to the fact that it might be a
> keycloak error.
>
> Regards
> Grant
> On 16 Nov 2016 21:39, "James Falkner" <jfalkner(a)redhat.com> wrote:
>
>> In the developer console in your browser, can you verify that the proper
>> Authorization header is being passed in the REST call? Something like
>> 'Authorization: bearer <token>'.
>>
>> -James
>>
>> Grant Marrow <grantmarrow(a)gmail.com>
>> November 16, 2016 at 2:22 PM
>> I'm familiar with cors. I have used the exact same setup with versions
>> 1.3, 1.4 and 1.9 version of keycloak. This problem has started since I
>> upgraded to version 2.3 of keycloak.
>>
>> I have also tried adding the cors-enabled-headers and cors-enabled-methods
>> properties to the keycloak.json file on my rest service application and
>> that did not work as well.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> Chris Savory <chris.savory(a)edlogics.com>
>> November 16, 2016 at 2:11 PM
>> This doesn’t appear to be Keycloak related at all. This is just CORS
>> errors on your API.
>>
>> Try reading up here for some more background.
>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
>>
>> But in short, what you need to do is have your API respond with a couple
>> of headers; primarily the 'Access-Control-Allow-Origin' header so the
>> browser knows that XHR calls to the domain http://localhost:8081 are
>> allowed to be called from pages that are served off of the domain
>> http://localhost:9000
>>
>> --
>> Christopher Savory
>> Software Engineer | EdLogics
>> www.edlogics.com
>>
>>
>>
>>
>> From: Grant Marrow <grantmarrow(a)gmail.com>
>> Date: Wednesday, November 16, 2016 at 2:07 PM
>> To: Chris Savory <chris.savory(a)edlogics.com>,
>> "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
>> Subject: Re: [keycloak-user] No 'Access-Control-Allow-Origin' header is
>> present on the requested resource
>>
>> Ok below is a step by step of events:
>> 1. User navigates to web application at http://localhost:9000
>> 2. User clicks the sign in button at http://localhost:9000/login
>> 3. User is redirected to keycloak at http://localhost:8080 to login
>> 4. Once signed in the user is redirected to http://localhost:9000
>> 5. Authenticated User navigates to registrations page at
>> http://localhost:9000/registrations. During this step a http GET
>> request is done to
>> http://localhost:8081/leap-service/resouces/private/registrations.
>> At the above step the error occurs. Please let me know if you need more
>> information. Thanks
>> Regards
>> Grant
>> On 16 Nov 2016 20:26, "Grant Marrow" <grantmarrow(a)gmail.com> wrote:
>> Hi Chris
>> Thanks for getting back to me. I have done that and it didn't work. I
>> have also tried adding *. That did not work as well. What else can I try?
>> Please let me know. Thanks
>> Regards
>> Grant
>> On 16 Nov 2016 20:15, "Chris Savory" <chris.savory(a)edlogics.com> wrote:
>> In the admin, click on Clients, then select your client. Do you have
>> any values for “Web Origins” there? If not, you need to add
>> ‘http://localhost:9000’
>>
>> --
>> Christopher Savory
>> Software Engineer | EdLogics
>> www.edlogics.com
>>
>> On 11/16/16, 1:08 PM, "keycloak-user-bounces(a)lists.jboss.org on behalf
>> of Grant Marrow" <keycloak-user-bounces(a)lists.jboss.org on behalf of
>> grantmarrow(a)gmail.com> wrote:
>>
>> Hi,
>>
>> I really need some help. I keep on getting the following error:
>>
>>
>> *No 'Access-Control-Allow-Origin' header is present on the requested
>> resource. Origin 'http://localhost:9000' is
>> therefore not allowed access. The response had HTTP status code 500.*
>>
>> This is my setup:
>>
>> *Front End:*
>> - angular 1.5 web application running at http://localhost:9000
>> - client configuration on keycloak admin console:
>> - keycloak.json:
>>
>> {
>>   "realm": "leap",
>>   "auth-server-url": "http://localhost:8080/auth",
>>   "ssl-required": "external",
>>   "resource": "leap-web",
>>   "public-client": true
>> }
>>
>>
>> *Auth Server*
>> - keycloak version 2.30Final running at http://localhost:8080
>>
>> *Web service*
>> - java REST service running on Tomcat version 8.5
>> - client config on keycloak admin console:
>> - web.xml of rest service:
>>
>> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>     xmlns="http://java.sun.com/xml/ns/javaee"
>>     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>>         http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>>     id="WebApp_ID" version="3.0">
>>   <display-name>Archetype Created Web Application</display-name>
>>   <module-name>leap-service</module-name>
>>   <listener>
>>     <listener-class>com.hm.leap.service.init.ContextListener</listener-class>
>>   </listener>
>>   <context-param>
>>     <param-name>persistentUnit</param-name>
>>     <param-value>leap</param-value>
>>   </context-param>
>>
>>   <security-constraint>
>>     <web-resource-collection>
>>       <web-resource-name>Leap-Service</web-resource-name>
>>       <url-pattern>/resources/private/*</url-pattern>
>>     </web-resource-collection>
>>     <auth-constraint>
>>       <role-name>user</role-name>
>>     </auth-constraint>
>>   </security-constraint>
>>
>>   <login-config>
>>     <auth-method>KEYCLOAK</auth-method>
>>     <realm-name>leap</realm-name>
>>   </login-config>
>>
>>   <security-role>
>>     <role-name>user</role-name>
>>   </security-role>
>>
>> </web-app>
>>
>> - I also have the valve setup on my context.xml that lives in the
>> META-INF directory
>> <Context path="/leap-service">
>>   <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
>> </Context>
>>
>> - keycloak.json:
>>
>> {
>>   "realm": "leap",
>>   "bearer-only": true,
>>   "auth-server-url": "http://localhost:8080/auth",
>>   "ssl-required": "external",
>>   "resource": "leap-service",
>>   "enable-cors": true
>> }
>>
>> The error occurs in the following scenario:
>> - The angular web app launches, the user clicks the login button which
>> redirects to Keycloak. The user signs in. The user then tries to navigate
>> to another page. This page then executes a GET request on my REST service
>> which returns a list which is displayed in a table. But while executing
>> the GET request, I receive the error:
>>
>> *No 'Access-Control-Allow-Origin' header is present on the requested
>> resource. Origin 'http://localhost:9000' is
>> therefore not allowed access. The response had HTTP status code 500.*
>>
>> In my Tomcat log file, I see the following warning message:
>>
>> *11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2]
>> org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No
>> login page was defined for FORM authentication in context [/leap-service]*
>>
>> I really can't seem to pinpoint the error. I find it quite strange because
>> I have the same setup but using an older version of keycloak (1.9*), which
>> worked fine. I know this might be a silly problem, but if you have some
>> time to help me, I would really appreciate it. Thanks.
>>
>> Regards
>> Grant
>>
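
The curl check James suggests above can be scripted. The shell function below is an added example, not part of the original thread: it reads a captured `curl -si` response and classifies it the way the browser's CORS check would, so that a 500 carrying no CORS header (the case in the console error quoted in this thread) is told apart from a missing or mismatched `Access-Control-Allow-Origin`. The name `diagnose_cors`, the verdict strings, `$TOKEN`, `$API_URL` and the sample responses are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Usage against a live service, with
# $TOKEN obtained from Keycloak and $API_URL the protected REST URL (both
# are assumptions of this example):
#   curl -si -H "Origin: http://localhost:9000" \
#        -H "Authorization: Bearer $TOKEN" "$API_URL" \
#     | diagnose_cors http://localhost:9000

# diagnose_cors ORIGIN: reads a raw HTTP response on stdin and prints
# "<verdict> <status>".
diagnose_cors() {
    awk -v origin="$1" '
        { sub(/\r$/, "") }                   # curl -i keeps CRLF line ends
        NR == 1 { status = $2 + 0; next }    # "HTTP/1.1 500 ..." -> 500
        /^$/    { inbody = 1 }               # blank line ends the header block
        inbody  { next }
        tolower($0) ~ /^access-control-allow-origin:/ {
            acao = $0
            sub(/^[^:]*:[ \t]*/, "", acao)   # drop the header name
            sub(/[ \t]+$/, "", acao)         # drop trailing whitespace
        }
        END {
            if (acao == origin || acao == "*")  verdict = "cors-ok"
            else if (acao != "")                verdict = "origin-mismatch"
            else if (status >= 500)             verdict = "server-error-no-cors"
            else                                verdict = "cors-missing"
            print verdict, status
        }'
}

# Constructed sample: an error page with no CORS headers, matching the
# "status code 500" reported in the browser console.
sample_500() {
    printf '%s\r\n' 'HTTP/1.1 500 Internal Server Error' \
        'Content-Type: text/html;charset=utf-8' '' '<html>error page</html>'
}

# Constructed sample: a response that carries the CORS header for the
# web app's origin.
sample_ok() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' \
        'Access-Control-Allow-Origin: http://localhost:9000' \
        'Access-Control-Allow-Credentials: true' \
        'Content-Type: application/json' '' '[]'
}

sample_500 | diagnose_cors http://localhost:9000
sample_ok  | diagnose_cors http://localhost:9000
```

A `server-error-no-cors` verdict means the 500 itself is the thing to chase in the service log before changing any Web Origins or CORS setting.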