[keycloak-user] SOLVED ! -> OPTIONS 401 - CORS problem

java_os java at neposoft.com
Sat Feb 11 10:03:55 EST 2017


Adding the webserver (where spa is deployed) to the IE trusted sites
makes IE work.
Wondering why, since CORS were rejected by the jboss server, on the rest,
not by the apache httpd.
But hey, in chrome, you do not need to do anything, allowing OPTIONS on
rest boot makes it right.
Anyone here can comment on if allowing OPTIONS in spring security config
is a security risk? Provided that OPTIONS is not handled on any rest api
calls?

cheers
> But it's not working for IE11 - XMLHttpRequest: Network Error 0x80070005,
> Access is denied.
> Anyone any tips on this?
> Chrome/Firefox work
> Thanks
>
>> I solved it - all through Spring Security Config in boot. I had to
>> remove
>> http.anonymous().disable()
>> then I had to allow OPTIONS on :
>> http.authorizeRequests()
>>                 .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
>> making sure we're not handling OPTIONS on any rest points I guess should
>> be
>> safe enough.
>> Other than that, cross domain rest calls work now.
>> Hopefully this will help anyone hitting this issue.
>>
>>
>>> Group
>>>
>>> I have an angular spa deployed on host A - apache httpd (static
>>> content)
>>> making REST api calls into a spring-boot
>>> hosted by host B. The 2 servers are different domains.
>>> Spa is protected by Keycloak.js. Am able to bring in the index. When I
>>> click on a rest call,
>>> browser sends over first OPTIONS request to make sure server B is ready
>>> to
>>> accept since it is an XHR cross domain call.
>>> But the problem is that OPTIONS is being sent without Authorization:
>>> Bearer 'token' and so the rest webserver rejects the call
>>> with 401 -Unauthorized. Each REST call from the SPA to the cross domain
>>> REST is rejected.
>>> Am I the first one to hit this?
>>> I saw people solving this with regular un-secured apps, but in my case
>>> Keycloak using spring-security rejects it.
>>> Anyone in the group can help me - anyone has deployed the client and
>>> server (being bearer keycloak protected) and solved
>>> this problem.
>>> Have tried various things inside spring-boot to allow options/cors, etc
>>> -
>>> none worked.
>>>
>>> Thank you for help.
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>
>
>
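On the question of whether permitting OPTIONS is a risk, the following added example (not code from this thread or from the Keycloak project) shows a narrower alternative to `antMatchers(HttpMethod.OPTIONS, "/**").permitAll()`: Spring Security's own CORS support answers the unauthenticated preflight for one named origin, and every other request, including a bare OPTIONS, still needs a token. It assumes Spring Security 4.2 through 5.x; the class name and the `https://spa.example.com` origin are placeholders, and the Keycloak bearer-token wiring (normally supplied by extending the Keycloak adapter's configurer class) is left out.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Hypothetical class name; in the setup from this thread the Keycloak
// adapter's configurer would be the superclass instead.
@Configuration
@EnableWebSecurity
public class RestCorsSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: placeholder for the origin of the httpd host serving the SPA.
    private static final String SPA_ORIGIN = "https://spa.example.com";

    // http.cors() looks up a bean with exactly this name.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cors = new CorsConfiguration();
        // Only the SPA's origin, not a wildcard.
        cors.setAllowedOrigins(Arrays.asList(SPA_ORIGIN));
        // Methods and headers the SPA really sends; the preflight itself
        // does not need OPTIONS listed here.
        cors.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE"));
        cors.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        cors.setMaxAge(3600L); // let the browser cache the preflight for an hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cors);
        return source;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Adds CorsFilter ahead of the authentication filters. A preflight
            // (OPTIONS with Origin and Access-Control-Request-Method) is answered
            // there and never reaches the authorization rules below.
            .cors()
            .and()
            .authorizeRequests()
                // No blanket permitAll for OPTIONS: an OPTIONS request that is
                // not a CORS preflight is treated like any other request.
                .anyRequest().authenticated();
    }
}
```

A preflight from any origin other than the configured one is rejected by the CORS filter, so the browser never sends the actual request with the bearer token.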



