
I'm new to apiman, and I'm trying to make some API calls with jQuery. But unfortunately I got this error:

XMLHttpRequest cannot load https://apigtw.url/apiman-gateway///1.0/?apikey=9999999-8888-6666-33333-968a712ce68b. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://myapp.local' is therefore not allowed access. The response had HTTP status code 500.

So, I'm using some policies, such as:

Keycloak Authorization Policy:

Require OAuth: true
Require Transport Security: true
Blacklist Unsafe Tokens: false
Realm: https://sso.local/auth/realms/test-realm
Keycloak Realm Certificate: <keycloak key certificate>
Forward Realm Roles? true

Authorization Policy Configuration:

Path: .*
Verb: *
Required Role: my-role

Did I miss something on apiman configuration?

I believe I should add CORS, but I don't know if it is necessary. I tried to use this but the error still occurs.

Please, I need help.

Does anyone know how to configure APIMan CORS?

Edit:

It seems this was solved in issue 516, but it still occurs for me. I'm using version 1.2.3 of APIMan.

Here are the response headers:

Connection:close
Content-Type:application/json
Date:Wed, 28 Dec 2016 13:54:08 GMT
Server:Apache/2.4.18 (Ubuntu)
Transfer-Encoding:chunked
X-Gateway-Error:API not public.
X-Powered-By:Undertow/1

and

Here are the request headers:

Accept:*/*
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4
Access-Control-Request-Headers:authorization, x-api-key
Access-Control-Request-Method:GET
Connection:keep-alive
Host: apiman.url
Origin:http://192.168.56.22:8080
Referer:http://192.168.56.22:8080/app
User-Agent:Mozilla/5.0 ...

And here is my ajax request:

$.ajax({
  url: 'https://apiman.url/apiman-gateway/<org>/<api>/1.0/<method>?apikey=xxxxxx-xxxxx-xxxxx-xxxxx',
  headers: {
      'Content-Type':'application/json',
      'Accept' : 'application/json',
      'Authorization' : 'Bearer ' + keycloak.token
  },
  method: 'GET',
  dataType: 'json',
  success: function(data){
    console.log('header1', data);
  }
});
Celso Agra
  • Possible duplicate of ["No 'Access-Control-Allow-Origin' header is present on the requested resource"](http://stackoverflow.com/questions/20035101/no-access-control-allow-origin-header-is-present-on-the-requested-resource) – Dekel Dec 27 '16 at 21:57
  • Thanks! That link has similar content and can help me. But I believe I can add more info with this link ['CORS? Of Course!'](http://www.apiman.io/blog/security/plugin/policy/cors/1.2.x/2016/01/22/cors-redux.html). – Celso Agra Dec 27 '16 at 23:56
  • Maybe the question is too generic. I'll change this – Celso Agra Dec 27 '16 at 23:56

1 Answer

Have you ensured that the CORS policy is before the Keycloak policy in the policy chain? That will ensure CORS is serviced first.

i.e. CORS Policy -> Keycloak Policy -> Authorization Policy

NB: If you're using the CORS policy then you should probably pass your API key as a query parameter because browsers do not pass custom headers during preflight request (that it performs on your behalf).

See: https://stackoverflow.com/a/13997235/2766538

Marc Savy
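The ordering point above, as an added illustration (a toy model, not apiman's code): a browser preflight carries no `Authorization` or `X-API-Key` header, only their names, so a token-checking policy that runs before the CORS policy rejects the preflight with a response that has no `Access-Control-Allow-Origin` header. Policy names follow the page; their behaviour here is simplified, and the sample request is constructed from the question's `$.ajax` call.

```javascript
// Toy model of the gateway policy chain described in the answer (added example,
// not apiman's code). Header names are treated as lowercase throughout.
const SIMPLE = new Set(['accept', 'accept-language', 'content-language']);
const isSimple = (name, value) => name === 'content-type'
  ? /^(text\/plain|multipart\/form-data|application\/x-www-form-urlencoded)/i.test(value)
  : SIMPLE.has(name);

// Constructed request mirroring the page's $.ajax call (placeholder key, not a real one).
const SAMPLE_REQUEST = {
  method: 'GET',
  url: 'https://apiman.url/apiman-gateway/org/api/1.0/method?apikey=PLACEHOLDER-KEY',
  headers: { origin: 'http://myapp.local', 'content-type': 'application/json',
             accept: 'application/json', authorization: 'Bearer <token>' },
};

// What the browser sends first: only the *names* of the non-simple headers are
// announced; the apikey survives because it lives in the URL, not in a header.
function buildPreflight(req) {
  const custom = Object.entries(req.headers)
    .filter(([n, v]) => n !== 'origin' && !isSimple(n, v)).map(([n]) => n).sort();
  return { method: 'OPTIONS', url: req.url, headers: {
    origin: req.headers.origin,
    'access-control-request-method': req.method,
    'access-control-request-headers': custom.join(', ') } };
}

// CORS policy (simplified): answers an allowed preflight itself, passes everything else on.
function corsPolicy(allowedOrigins) {
  return req => {
    const origin = req.headers.origin;
    const preflight = req.method === 'OPTIONS' && req.headers['access-control-request-method'];
    if (!preflight || !allowedOrigins.includes(origin)) return null;
    return { status: 200, headers: { 'access-control-allow-origin': origin,
      'access-control-allow-headers': req.headers['access-control-request-headers'] } };
  };
}

// Keycloak policy (simplified): no bearer token, no service; note the response carries no CORS header.
function keycloakPolicy(req) {
  return (req.headers.authorization || '').startsWith('Bearer ') ? null : { status: 401, headers: {} };
}

// Run policies in order; the first one that produces a response ends the chain.
function runChain(policies, req) {
  for (const policy of policies) { const res = policy(req); if (res) return res; }
  return { status: 200, headers: {} }; // reached the backend API
}
```

Running `runChain([keycloakPolicy, corsPolicy([...])], buildPreflight(SAMPLE_REQUEST))` yields a 401 without any CORS header, which is exactly the symptom the browser reports as a missing `Access-Control-Allow-Origin`; swapping the two policies makes the preflight succeed while the real GET is still checked for a token.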
  • Thanks @Marc! This is the only policy that I got. Btw, I don't know if this can be useful, but I put this policy on my plans between my client and API. – Celso Agra Dec 28 '16 at 14:40
  • For now, I just removed the keycloak and authorization policies. For now I'm trying to understand why the request is not considering my request headers. – Celso Agra Dec 28 '16 at 14:42
  • From the edit you provided - the error indicates that you're not using the correct URL to access the API. You should be using the URL provided from the client tab - you seem to be attempting to access it directly. – Marc Savy Dec 28 '16 at 14:53
  • I fixed it! It is because I sent apikey as a query parameter in the first attempt. Sorry for that. – Celso Agra Dec 28 '16 at 15:15
  • I used this same URL in the browser and it works fine. I just removed the keycloak policies for a while. – Celso Agra Dec 28 '16 at 15:15