[keycloak-user] SOLVED ! -> OPTIONS 401 - CORS problem

java_os java at neposoft.com
Sat Feb 11 08:02:06 EST 2017


I solved it, all through the Spring Security config in Boot. I had to remove
    http.anonymous().disable()
then I had to allow OPTIONS on:
    http.authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
Making sure we're not handling OPTIONS on any REST points, I guess, should be
safe enough.
Other than that, cross-domain REST calls work now.
Hopefully this will help anyone hitting this issue.


> Group
>
> I have an Angular SPA deployed on host A - Apache httpd (static content) -
> making REST API calls into a spring-boot app
> hosted by host B. The 2 servers are on different domains.
> The SPA is protected by Keycloak.js. I am able to bring in the index. When I
> click on a REST call,
> the browser first sends over an OPTIONS request to make sure server B is ready to
> accept, since it is an XHR cross-domain call.
> But the problem is that OPTIONS is being sent without Authorization:
> Bearer 'token' and so the REST web server rejects the call
> with 401 - Unauthorized. Each REST call from the SPA to the cross-domain
> REST is rejected.
> Am I the first one to hit this?
> I saw people solving this with regular unsecured apps, but in my case
> Keycloak using spring-security rejects it.
> Can anyone in the group help me? Has anyone deployed the client and
> server (being bearer Keycloak protected) and solved
> this problem?
> I have tried various things inside spring-boot to allow OPTIONS/CORS, etc. -
> none worked.
>
> Thank you for help.
>
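
Added example, not part of the original post or of the Keycloak project: a Spring Security configuration that keeps the OPTIONS rule from the message above and also restricts which origin receives CORS response headers, since a blanket permitAll() on OPTIONS does not by itself limit the calling origins. The class name and SPA_ORIGIN value are assumptions; with the Keycloak adapter the same calls would go into its configure(HttpSecurity) override.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: placeholder for the origin of host A that serves the SPA.
    private static final String SPA_ORIGIN = "https://spa.example.com";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Adds a CorsFilter ahead of the authentication filters; it answers
            // preflight requests using the CorsConfigurationSource bean below.
            .cors().and()
            // anonymous() stays at its default (enabled), as in the post.
            .authorizeRequests()
                // Preflight carries no Authorization header, so OPTIONS is not authenticated.
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // Every other method still needs a valid bearer token.
                .anyRequest().authenticated();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cors = new CorsConfiguration();
        // Only the SPA origin gets Access-Control-Allow-Origin; no wildcard.
        cors.setAllowedOrigins(Arrays.asList(SPA_ORIGIN));
        cors.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // The SPA sends the token in Authorization, so preflight must allow that header.
        cors.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        // Let the browser cache the preflight result for an hour.
        cors.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cors);
        return source;
    }
}
```

http.cors() requires Spring Security 4.2 or later.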