[keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource

Grant Marrow grantmarrow at gmail.com
Fri Nov 18 04:43:51 EST 2016


Hi James,

Ok, so I managed to fix it, but I have still not figured out what the exact
problem was. This is what I have done to resolve the issue.

The error was happening with the following versions:
Keycloak: 2.3.0
Tomcat: 8.5 (I also tried running the tomcat 8.039 with keycloak adapters
for version 2.3.0 but it was still giving me problems, some kind of valve
exception was thrown.)

I then reverted to version 2.2.1 of keycloak and tomcat 8.039, and then
everything worked. Used the exact same setup that I had in the other
versions, replaced the keycloak.json files for my rest service and my web
app, and everything worked.

Based on that, I think the problem might be with version 2.3.0 of keycloak
and tomcat 8*. If I have time I will try to investigate it a bit more.

Regards
Grant




On Fri, Nov 18, 2016 at 12:50 AM, James Falkner <jfalkner at redhat.com> wrote:

> Hey Grant - if it's a protected URL, and you've configured web origins
> correctly for the client, and the adapter, and the browser is sending the
> right stuff - then Keycloak adapter *should* add the CORS headers. I have a
> few demos I've created that work in this way, but they all use the official
> Red Hat SSO product, based on Keycloak 1.9.4.
>
> If you use "curl" with the same headers, does it fail too? See the end of
> http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
> for an example of how to obtain a token and issue a request using curl.
>
> -James
>
> On Wed, Nov 16, 2016 at 2:51 PM, Grant Marrow <grantmarrow at gmail.com>
> wrote:
>
>> Hi James
>>
>> Yes I have used the chrome and firefox postmaster addon to process the
>> same HTTP GET request to my rest service.
>>
>> During this request I added the authorisation bearer header with a valid
>> token and it still returned the same error.
>>
>> The only time it worked was when I stripped out keycloak completely and
>> just added the standard cors configuration in the web.xml of my service;
>> that worked successfully. That's why I'm leaning to the fact that it might
>> be a keycloak error.
>>
>> Regards
>> Grant
>> On 16 Nov 2016 21:39, "James Falkner" <jfalkner at redhat.com> wrote:
>>
>>> In the developer console in your browser, can you verify that the proper
>>> Authorization header is being passed in the REST call? Something like
>>> 'Authorization: bearer <token>'.
>>>
>>> -James
>>>
>>> Grant Marrow <grantmarrow at gmail.com>
>>> November 16, 2016 at 2:22 PM
>>> I'm familiar with cors. I have used the exact same setup with versions
>>> 1.3, 1.4 and 1.9 of keycloak. This problem has started since I upgraded
>>> to version 2.3 of keycloak.
>>>
>>> I have also tried adding the cors-enabled-headers and cors-enabled-methods
>>> properties to the keycloak.json file on my rest service application and
>>> that did not work as well.
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> Chris Savory <chris.savory at edlogics.com>
>>> November 16, 2016 at 2:11 PM
>>> This doesn’t appear to be Keycloak related at all. This is just CORS
>>> errors on your API.
>>>
>>> Try reading up here for some more background.
>>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
>>>
>>> But in short, what you need to do is have your API respond with a couple
>>> of headers; primarily the 'Access-Control-Allow-Origin' header so the
>>> browser knows that XHR calls to the domain http://localhost:8081 are
>>> allowed to be called from pages that are served off of the domain
>>> http://localhost:9000
>>>
>>> --
>>> Christopher Savory
>>> Software Engineer | EdLogics
>>> www.edlogics.com
>>>
>>>
>>>
>>>
>>> From: Grant Marrow <grantmarrow at gmail.com>
>>> Date: Wednesday, November 16, 2016 at 2:07 PM
>>> To: Chris Savory <chris.savory at edlogics.com>,
>>> "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>>> Subject: Re: [keycloak-user] No 'Access-Control-Allow-Origin' header is
>>> present on the requested resource
>>>
>>> Ok below is a step by step of events:
>>> 1. User navigates to web application at http://localhost:9000
>>> 2. User clicks the sign in button at http://localhost:9000/login
>>> 3. User is redirected to keycloak at http://localhost:8080 to login
>>> 4. Once signed in the user is redirected to http://localhost:9000
>>> 5. Authenticated User navigates to registrations page at
>>> http://localhost:9000/registrations. During this step a http GET
>>> request is done to
>>> http://localhost:8081/leap-service/resouces/private/registrations.
>>> At the above step the error occurs. Please let me know if you need more
>>> information. Thanks
>>> Regards
>>> Grant
>>> On 16 Nov 2016 20:26, "Grant Marrow" <grantmarrow at gmail.com> wrote:
>>> Hi Chris
>>> Thanks for getting back to me. I have done that and it didn't work. I
>>> have also tried adding *. That did not work as well. What else can I try?
>>> Please let me know. Thanks
>>> Regards
>>> Grant
>>> On 16 Nov 2016 20:15, "Chris Savory" <chris.savory at edlogics.com> wrote:
>>> In the admin, click on Clients, then select your client. Do you have
>>> any values for “Web Origins” there? If not, you need to add
>>> ‘http://localhost:9000’
>>>
>>> --
>>> Christopher Savory
>>> Software Engineer | EdLogics
>>> www.edlogics.com
>>>
>>>
>>> On 11/16/16, 1:08 PM, "keycloak-user-bounces at lists.jboss.org on behalf
>>> of Grant Marrow" <keycloak-user-bounces at lists.jboss.org on behalf of
>>> grantmarrow at gmail.com> wrote:
>>>
>>>     Hi,
>>>
>>>     I really need some help. I keep on getting the following error:
>>>
>>>
>>>     *No 'Access-Control-Allow-Origin' header is present on the requested
>>>     resource. Origin 'http://localhost:9000' is
>>>     therefore not allowed access. The response had HTTP status code 500.*
>>>
>>>     This is my setup:
>>>
>>>     *Front End:*
>>>     - angular 1.5 web application running at http://localhost:9000
>>>     - client configuration on keycloak admin console:
>>>     - keycloak.json:
>>>
>>>     {
>>>       "realm": "leap",
>>>       "auth-server-url": "http://localhost:8080/auth",
>>>       "ssl-required": "external",
>>>       "resource": "leap-web",
>>>       "public-client": true
>>>     }
>>>
>>>
>>>     *Auth Server*
>>>     - keycloak version 2.30Final running at http://localhost:8080
>>>
>>>     *Web service*
>>>     - java REST service running on Tomcat version 8.5
>>>     - client config on keycloak admin console:
>>>     - web.xml of rest service:
>>>
>>>     <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>              xmlns="http://java.sun.com/xml/ns/javaee"
>>>              xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>>>              http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>>>              id="WebApp_ID" version="3.0">
>>>       <display-name>Archetype Created Web Application</display-name>
>>>       <module-name>leap-service</module-name>
>>>       <listener>
>>>         <listener-class>com.hm.leap.service.init.ContextListener</listener-class>
>>>       </listener>
>>>       <context-param>
>>>         <param-name>persistentUnit</param-name>
>>>         <param-value>leap</param-value>
>>>       </context-param>
>>>
>>>       <security-constraint>
>>>         <web-resource-collection>
>>>           <web-resource-name>Leap-Service</web-resource-name>
>>>           <url-pattern>/resources/private/*</url-pattern>
>>>         </web-resource-collection>
>>>         <auth-constraint>
>>>           <role-name>user</role-name>
>>>         </auth-constraint>
>>>       </security-constraint>
>>>
>>>       <login-config>
>>>         <auth-method>KEYCLOAK</auth-method>
>>>         <realm-name>leap</realm-name>
>>>       </login-config>
>>>
>>>       <security-role>
>>>         <role-name>user</role-name>
>>>       </security-role>
>>>
>>>     </web-app>
>>>
>>>     - I also have the valve setup on my context.xml that lives in the
>>>     META-INF directory
>>>     <Context path="/leap-service">
>>>       <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
>>>     </Context>
>>>
>>>     - keycloak.json:
>>>
>>>     {
>>>       "realm": "leap",
>>>       "bearer-only": true,
>>>       "auth-server-url": "http://localhost:8080/auth",
>>>       "ssl-required": "external",
>>>       "resource": "leap-service",
>>>       "enable-cors": true
>>>     }
>>>
>>>     The error occurs in the following scenario:
>>>     - The angular web app launches, the user clicks the login button which
>>>     redirects to Keycloak. The user signs in. The user then tries to
>>>     navigate to another page. This page then executes a GET request on my
>>>     REST service which returns a list which is displayed in a table. But
>>>     while executing the GET request, I receive the error:
>>>
>>>     *No 'Access-Control-Allow-Origin' header is present on the requested
>>>     resource. Origin 'http://localhost:9000' is
>>>     therefore not allowed access. The response had HTTP status code 500.*
>>>
>>>     In my Tomcat log file, I see the following warning message:
>>>
>>>
>>>     *11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2]
>>>     org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage
>>>     No login page was defined for FORM authentication in context
>>>     [/leap-service]*
>>>
>>>     I really can't seem to pinpoint the error. I find it quite strange
>>>     because I have the same setup but using an older version of keycloak
>>>     (1.9*), which worked fine. I know this might be a silly problem, but if
>>>     you have some time to help me, I would really appreciate it. Thanks.
>>>
>>>     Regards
>>>     Grant
>
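
The curl check suggested in the thread, as an added example that is not part of any poster's message: it classifies a raw response so that a 500 with no CORS header (the case reported here) is told apart from an origin that is simply not allowed. The function names, verdict words and sample responses are constructed for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Verdict names are made up for this sketch.

# cors_diagnose ORIGIN -- reads a raw HTTP response (as saved by `curl -si`)
# on stdin and prints one verdict word.
cors_diagnose() {
    awk -v origin="$1" '
        { sub(/\r$/, "") }                         # tolerate CRLF line ends
        NR == 1 && /^HTTP\// { status = $2 + 0; next }
        /^$/ { exit }                              # blank line: headers are over
        {
            i = index($0, ":")
            if (i == 0) next
            name = tolower(substr($0, 1, i - 1))   # header names are case-insensitive
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == "access-control-allow-origin") { acao = val; seen = 1 }
        }
        END {
            if (seen && (acao == origin || acao == "*")) print "cors-ok"
            else if (seen)                               print "origin-mismatch"
            else if (status >= 500)                      print "server-error"
            else if (status == 401 || status == 403)     print "auth-error"
            else                                         print "cors-missing"
        }'
}

# cors_probe URL ORIGIN -- live check; the bearer token is read from $TOKEN.
cors_probe() {
    curl -si -H "Origin: $2" -H "Authorization: Bearer $TOKEN" "$1" |
        cors_diagnose "$2"
}

# Constructed sample responses (not captured from the poster's system).
sample_500() {
    printf 'HTTP/1.1 500 \r\nContent-Type: text/html;charset=utf-8\r\n\r\n<html>error</html>\r\n'
}
sample_ok() {
    printf 'HTTP/1.1 200 \r\naccess-control-allow-origin: http://localhost:9000\r\nContent-Type: application/json\r\n\r\n[]\r\n'
}
sample_other_origin() {
    printf 'HTTP/1.1 200 \r\nAccess-Control-Allow-Origin: http://localhost:3000\r\n\r\n[]\r\n'
}
sample_plain_200() {
    printf 'HTTP/1.1 200 \r\nContent-Type: application/json\r\n\r\n[]\r\n'
}
```

A `server-error` verdict means the browser's CORS message is hiding a server-side failure, so the service log is the place to look rather than the Web Origins setting.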

