Login page in AM 6.x hangs on Loading when CORS is enabled
The purpose of this article is to provide assistance if you experience issues where the AM login page displays an "Unknown Error - Please contact your Administrator" message and hangs on Loading... when cross-origin resource sharing (CORS) is enabled and you are using the Chrome™ browser.
When the message disappears, AM hangs and displays a Loading... message.
Variants of this issue can be seen when accessing AM over SSL (for example, using a URL such as: https://am.example.com:8443/am/XUI/#login/) or through a load balancer.
Disabling CORS allows access.
This only affects the Chrome browser; using Firefox® works.
- Enabled the CORS filter.
- Added a load balancer in front of AM when CORS was already enabled and working.
- Enabled SSL on AM when CORS was already enabled and working.
- Added a realm DNS alias when CORS was already enabled and working.
Some browsers, such as Chrome, send the Origin header in the request, even in same-origin scenarios.
This issue can be resolved by upgrading to AM 7 or later; you can download this from Backstage.
You can work around this issue by adapting the CORS filter configuration to allow all possible server origins. You may have to include the hostname with both http and https protocols, the server name and the load balancer FQDN, and the port number if it is not the default. See Enabling CORS Support for general instructions on setting up a CORS filter:
- If you need to access more than one hostname, for example, you access AM through a load balancer and also have direct access to the AM server, you should remove or comment out the expectedHostname section in the CORS filter as this only allows one hostname:

  ```xml
  <!--init-param>
      <description>
          Expected Hostname (Optional): The name of the host expected in the request Host header.
      </description>
      <param-name>expectedHostname</param-name>
      <param-value>am.example.com:8443</param-value>
  </init-param-->
  ```

- Add each URL that is allowed to the Accepted Origins section. Include the protocol and the port if it is not the default. For example, if you want to allow access to https://lb.example.com:443/openam and https://am.example.com:8443/am, as well as a real cross-origin URL such as https://other.origin.example.com:443/myApp, the Accepted Origins section in the CORS filter on am1 would look like this:

  ```xml
  <init-param>
      <description>
          Accepted Origins (Required): A comma separated list of origins from which to accept CORS requests.
      </description>
      <param-name>origins</param-name>
      <param-value>https://am.example.com:8443,https://lb.example.com,https://other.origin.example.com</param-value>
  </init-param>
  ```
You must restart the web application container in which AM runs to apply these configuration changes.
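The following Python sketch is an added example, not part of the original article or of AM itself: it reduces each URL through which AM is reached to the origin a browser sends in the Origin header (scheme, host, and the port only when it is not the default) and builds the origins value from the result. The function names are hypothetical, and `uncovered()` assumes the filter compares the Origin header with the list entries verbatim.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# The three access URLs used in the article's example.
ACCESS_URLS = [
    "https://lb.example.com:443/openam",
    "https://am.example.com:8443/am",
    "https://other.origin.example.com:443/myApp",
]


def to_origin(url):
    """Reduce a URL to the origin a browser sends: scheme://host[:port]."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    host = parts.hostname                  # urlsplit lowercases the hostname
    if ":" in host:                        # IPv6 literal needs its brackets back
        host = f"[{host}]"
    port = parts.port
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"        # browsers omit the default port
    return f"{scheme}://{host}:{port}"


def origins_param(access_urls):
    """Build the comma-separated value for the 'origins' init-param."""
    return ",".join(dict.fromkeys(to_origin(u) for u in access_urls))


def uncovered(access_urls, configured_value):
    """Origins browsers will send that are missing from an existing list.

    Assumption: the filter matches the Origin header against each
    configured entry verbatim, so an entry with a path never matches.
    """
    configured = {e.strip() for e in configured_value.split(",") if e.strip()}
    wanted = dict.fromkeys(to_origin(u) for u in access_urls)
    return [o for o in wanted if o not in configured]


if __name__ == "__main__":
    print("origins =", origins_param(ACCESS_URLS))
    # Constructed existing value: only the load balancer was listed.
    print("missing =", uncovered(ACCESS_URLS, "https://lb.example.com"))
```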
See How do I troubleshoot issues with CORS in AM (All versions)? if these changes do not resolve your issues.
Related Issue Tracker IDs
OPENAM-13210 (Make CORS filter dynamically configurable)
OPENAM-9890 (Allow list in expected Hostname section of CORS Filter)