Help: Can't access UI after update to 5.18.1


Pela Silveira

Sep 25, 2019, 8:13:29 AM
to dcm4che
Hello,

After updating to 5.18.1 I can't access the UI any more.

I see this in console:

Access to XMLHttpRequest at 'http://x.x.x.x:8880/auth/realms/dcm4che/protocol/openid-connect/token' from origin 'http://x.x.x.x:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I attach a screen capture of keycloak configuration.

In the server log I see this:

09:05:53,308 INFO  [org.dcm4chee.arc.conf.rs.QueryDeviceName] (default task-4) Process GET /dcm4chee-arc/devicename?null from nu...@z.z.z.z
09:05:53,308 INFO  [org.dcm4chee.arc.monitor.rs.ArchiveMonitor] (default task-3) Process GET /dcm4chee-arc/monitor/serverTime from nu...@z.z.z.z
09:05:53,315 INFO  [org.dcm4chee.arc.conf.rs.ConfigurationRS] (default task-3) Process GET /dcm4chee-arc/devices?dicomDeviceName=dcm4chee-arc from nu...@z.z.z.z
09:05:53,321 INFO  [org.dcm4chee.arc.conf.rs.QueryPDQServices] (default task-3) Process GET /dcm4chee-arc/pdq?null from nu...@z.z.z.z

I would appreciate any help.

Thank you

Attachment: cors1.png

Gunter Zeilinger

Sep 25, 2019, 8:17:48 AM
to dcm...@googlegroups.com
Check configured Web Origins in Keycloak for dcm4chee-arc-ui client.



Pela Silveira

Sep 25, 2019, 9:37:56 AM
to dcm4che
Thank you gunterze,

I added http to Web Origins and it started working for http.

For https I get a mixed content message because the auth server is over http:

Mixed Content: The page at 'https://x.x.x.x:8443/dcm4chee-arc/ui2/' was loaded over HTTPS, but requested an insecure resource 'http://x.x.x.x:8880/auth/realms/dcm4che/protocol/openid-connect/login-status-iframe.html'. This request has been blocked; the content must be served over HTTPS.

What do I have to do here? Put two URLs for the auth server in /subsystem/keycloak/secure-deployment? In that case, separated by commas?

http://x.x.x.x:8880/auth

Thank you very much




Gunter Zeilinger

Sep 25, 2019, 9:41:27 AM
to dcm...@googlegroups.com
Use the https URL for AUTH_SERVER_URL.



Pela Silveira

Sep 27, 2019, 9:22:42 AM
to dcm...@googlegroups.com
Sorry Gunterze,

I changed the auth URL to
https://x.x.x.x:8843/auth

but now I get forbidden for both http and https.

Gunter Zeilinger

Sep 27, 2019, 9:32:02 AM
to dcm...@googlegroups.com
Check the server.log of wildfly and keycloak for error messages.



Pela Silveira

Sep 27, 2019, 2:43:35 PM
to dcm4che
Here is the log of the server... in Keycloak I don't see anything.

15:39:09,002 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Gunter Zeilinger

Sep 28, 2019, 1:08:25 AM
to dcm...@googlegroups.com
Did you configure a truststore for the keycloak adapter, and does it contain a certificate for the issuer of the certificate configured for keycloak?

If you used the dockerized version, it's configured by default.



Pela Silveira

Sep 28, 2019, 10:04:50 AM
to dcm4che
No, I didn't. I will read about it.

Thank you

Pela Silveira

Nov 4, 2019, 6:48:39 PM
to dcm4che
Hello, I am enabling HTTPS following the documentation and I have a doubt.

I am reading this:

In step 2 it says: "In keycloak-server subsystem"

Add

 <spi name="truststore">.....

I didn't find that key in $WILDFLY_HOME/standalone/configuration/dcm4chee-arc.xml

so I think it refers to the standalone.xml configuration file of the Keycloak server. Is that right?
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">

Thank you in advance

Pela Silveira

Nov 8, 2019, 4:11:19 PM
to dcm4che
I have read gunterze's answer again and I understand that step 2 has to be configured on the Keycloak server.

Pela Silveira

Nov 12, 2019, 1:24:25 PM
to dcm...@googlegroups.com

Hello again,

I made several changes to make it work:

First, in my deploy I have 2 different WildFly servers. This happens because the Keycloak standalone server has its own WildFly.

So as the truststore is not configured by default in this deploy, I had to do it. For that I read this wiki page: https://github.com/dcm4che/dcm4chee-arc-light/wiki/Enabling-SSL-HTTPS-for-the-Keycloak-Server

Here is where my confusion started, because the documentation says that the changes must be made in $WILDFLY_HOME/standalone/configuration/dcm4chee-arc.xml, but point 2 talks about the keycloak-server subsystem, which runs in the Keycloak standalone server.

So I had to change this in $WILDFLY_HOME/standalone/configuration/dcm4chee-arc.xml:

<ssl>
    <keystore path="dcm4chee-arc/key.jks" relative-to="jboss.server.config.dir" keystore-password="secret" alias="dcm4chee-arc" key-password="secret"/>
</ssl>

and add this:

<truststore>${jboss.server.config.dir}/dcm4chee-arc/key.jks</truststore>
<truststore-password>secret</truststore-password>
<allow-any-hostname>true</allow-any-hostname>

After that I had to copy cacerts.jks and key.jks to $KEYCLOAK_HOME/standalone/configuration/dcm4chee-arc/

and add this in $KEYCLOAK_HOME/standalone/configuration/standalone.xml:

<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="${jboss.server.config.dir}/dcm4chee-arc/key.jks"/>
            <property name="password" value="secret"/>
            <property name="hostname-verification-policy" value="ANY"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>

and this:

<ssl>
    <keystore path="dcm4chee-arc/key.jks" relative-to="jboss.server.config.dir" keystore-password="secret" alias="dcm4chee-arc" key-password="secret"/>
</ssl>

After that I set
Auth Server URL: https://x.x.x.x:8843/auth
in dcm4chee-arc-ui2-5.19.0-secure.war and in dcm4chee-arc-war-5.19.0-secure.war

And I also needed to set this in $WILDFLY_HOME/standalone/configuration/dcm4chee-arc.xml

<property name="auth-server-url" value="https://x.x.x.x:8843/auth"/>
in <system-properties>

I don't know if all of this is OK, I would appreciate any comment.

Thank you very much

Pablo
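As an added example (not code from the thread or the dcm4che project), a small Python linter over a constructed keycloak adapter fragment shaped like the secure-deployment entries in dcm4chee-arc.xml: it flags the three settings this thread ran into, an http auth-server-url behind an https UI (the mixed content block), an https auth-server-url with no <truststore> (the PKIX path building failure), and <allow-any-hostname> left at true as in the final config. The xmlns, deployment names and values are assumptions; the element names are the Keycloak adapter's own secure-deployment options, including disable-trust-manager, which is flagged when present.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the keycloak subsystem in dcm4chee-arc.xml.
# Element names are the Keycloak adapter's secure-deployment options; the
# xmlns, deployment names, client name and values are assumptions.
SAMPLE_XML = """<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="dcm4chee-arc-ui2.war">
    <resource>dcm4chee-arc-ui</resource>
    <auth-server-url>http://x.x.x.x:8880/auth</auth-server-url>
  </secure-deployment>
  <secure-deployment name="dcm4chee-arc.war">
    <auth-server-url>https://x.x.x.x:8843/auth</auth-server-url>
    <truststore>${jboss.server.config.dir}/dcm4chee-arc/key.jks</truststore>
    <truststore-password>secret</truststore-password>
    <allow-any-hostname>true</allow-any-hostname>
  </secure-deployment>
</subsystem>"""

# Finding codes and what each one means for the deployment.
MESSAGES = {
    "mixed-content": "http auth-server-url behind an https UI: the browser blocks the token request",
    "no-truststore": "https auth-server-url but no <truststore>: PKIX path building fails unless the JVM cacerts trusts the issuer",
    "trust-manager-disabled": "<disable-trust-manager> is true: certificate validation is off",
    "allow-any-hostname": "<allow-any-hostname> is true: hostname verification is off",
}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix ElementTree adds

def _text(elem, name):
    """Text of the first direct child called `name`, or None if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def lint_secure_deployments(xml_text, ui_scheme="https"):
    """Map each secure-deployment name to its finding codes (keys of MESSAGES)."""
    report = {}
    for dep in ET.fromstring(xml_text):
        if _local(dep.tag) != "secure-deployment":
            continue
        findings = []
        url = _text(dep, "auth-server-url") or ""
        if url.startswith("http://") and ui_scheme == "https":
            findings.append("mixed-content")
        if url.startswith("https://"):  # only then must the adapter validate a chain
            if _text(dep, "disable-trust-manager") == "true":
                findings.append("trust-manager-disabled")
            elif not _text(dep, "truststore"):
                findings.append("no-truststore")
            if _text(dep, "allow-any-hostname") == "true":
                findings.append("allow-any-hostname")
        report[dep.get("name")] = findings
    return report
```

Pass ui_scheme="http" to see that the same ui2 deployment is clean when the UI itself is loaded over plain http, which is why the first fix (Web Origins) was enough until https was tried.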