Login page in AM 6.x hangs on Loading when CORS is enabled
This article helps you resolve an issue where the AM login page displays an "Unknown Error - Please contact your Administrator" message and hangs on Loading... when Cross-origin resource sharing (CORS) is enabled and you are using the Chrome™ browser.
Symptoms
When the message disappears, AM hangs and displays a Loading... message.
Variants of this issue can be seen when accessing AM over SSL (for example, using a URL such as: https://am.example.com:8443/am/XUI/#login/) or through a load balancer.
Disabling CORS allows access.
This only affects the Chrome browser; using Firefox® works.
Recent Changes
Enabled the CORS filter.
Added a load balancer in front of AM when CORS was already enabled and working.
Enabled SSL on AM when CORS was already enabled and working.
Added a realm DNS alias when CORS was already enabled and working.
Causes
Some browsers, such as Chrome, send the Origin header in the request, even in same-origin scenarios. The CORS filter therefore also evaluates requests made to AM's own URL.
Solution
This issue can be resolved by upgrading to AM 7 or later; you can download this from Backstage.
Workaround
You can work around this issue by adapting the CORS filter configuration to allow all possible server origins. You may have to include the hostname with both http and https protocols, the server name and the load balancer FQDN, and the port number if it is not the default. See Enabling CORS Support for general instructions on setting up a CORS filter:
- If you need to access more than one hostname, for example, you access AM through a load balancer and also have direct access to the AM server, you should remove or comment out the expectedHostname section in the CORS filter as this only allows one hostname:

  ```xml
  <!--init-param>
      <description>
          Expected Hostname (Optional): The name of the host expected in the request Host header.
      </description>
      <param-name>expectedHostname</param-name>
      <param-value>am.example.com:8443</param-value>
  </init-param-->
  ```

- Add each URL that is allowed to the Accepted Origins section. Include the protocol and the port if it is not the default. For example, if you want to allow access to https://lb.example.com:443/openam and https://am.example.com:8443/am, as well as a real cross-origin URL such as https://other.origin.example.com:443/myApp, the Accepted Origins section in the CORS filter on am1 would look like this:

  ```xml
  <init-param>
      <description>
          Accepted Origins (Required): A comma separated list of origins from which to accept CORS requests.
      </description>
      <param-name>origins</param-name>
      <param-value>
          https://am.example.com:8443/am,https://lb.example.com,https://other.origin.example.com
      </param-value>
  </init-param>
  ```
Note
You must restart the web application container in which AM runs to apply these configuration changes.
See How do I troubleshoot issues with CORS in AM (All versions)? if these changes do not resolve your issues.
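To check an Accepted Origins list against every URL through which AM is reached before restarting the container, the following added example (not ForgeRock's code) reduces each URL to the `scheme://host[:port]` value a browser sends in the Origin header and reports the ones the list does not cover. The function names and the `http://am.example.com:8080/am` URL are constructed for illustration, and the script assumes the list entries are matched in that origin form.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the Accepted Origins init-param from the workaround above.
SAMPLE_INIT_PARAM = """
<init-param>
  <param-name>origins</param-name>
  <param-value>
    https://am.example.com:8443/am,https://lb.example.com,https://other.origin.example.com
  </param-value>
</init-param>
"""

def to_origin(url):
    """Reduce a URL to the scheme://host[:port] form sent in the Origin header."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not host:
        raise ValueError(f"not an http(s) URL: {url!r}")
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    if parts.port is None or parts.port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"  # default port is omitted from Origin
    return f"{scheme}://{host}:{parts.port}"

def configured_origins(init_param_xml):
    """Extract the comma-separated origins list from an <init-param> element."""
    elem = ET.fromstring(init_param_xml.strip())
    if elem.findtext("param-name", "").strip() != "origins":
        raise ValueError("init-param is not the 'origins' parameter")
    raw = elem.findtext("param-value", "")
    return {to_origin(entry) for entry in raw.split(",") if entry.strip()}

def missing_origins(init_param_xml, access_urls):
    """Return the Origin values for access_urls that the list does not cover."""
    allowed = configured_origins(init_param_xml)
    needed = {to_origin(u) for u in access_urls}
    return sorted(needed - allowed)

if __name__ == "__main__":
    # Every URL users reach AM through: load balancer, direct SSL, direct HTTP.
    urls = ["https://lb.example.com:443/openam",
            "https://am.example.com:8443/am",
            "http://am.example.com:8080/am"]  # constructed plain-HTTP URL
    print(missing_origins(SAMPLE_INIT_PARAM, urls))
```

Any origin the script prints still needs to be added to the `origins` parameter, as described in the workaround.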
See Also
How do I troubleshoot issues with CORS in AM (All versions)?
Related Training
N/A
Related Issue Tracker IDs
OPENAM-13210 (Make CORS filter dynamically configurable)
OPENAM-9890 (Allow list in expected Hostname section of CORS Filter)