7

it may seem like a known issue and many questions exist on the topic, however, my situation is very strange. I have a simple web application that is deployed on tomcat 8.0.36. I have configured the CORS properly:

<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

The cross-origin requests are blocked by the browser:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.mytestpage.com' is therefore not allowed access. The response had HTTP status code 403.

In the tomcat log file I also see the response code of 403. What is interesting is that the code of my application is never executed in case of cross-origin requests. The requests are blocked before reaching my application and 403 is sent immediately. I have no apache in front of tomcat, it's plain tomcat. I have tried many things, including whitelisting the origins and specifying allowed headers - nothing helped. I've also tried to set the header programmatically until I found that the code in case of cross-origin request is never executed.

UPD: The end point accepts POST requests. Those POST requests are sent as XmlHttpRequests from the JS snippet.

Any ideas what it can be?

p.s I can make successful same origin requests.

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
bekon
  • 305
  • 1
  • 4
  • 12
  • Hi, you use defaults in your `CorsFilter` configuration, so problem can be with everything. For example `cors.allowed.methods` default value is `GET, POST, HEAD, OPTIONS` and maybe in request `DELETE` is trying. Could you post more details? – snieguu Jul 27 '16 at 21:26
  • I have updated the question. I'm sending POST requests. – bekon Jul 28 '16 at 08:53
  • Request is rejected by `org.apache.catalina.filters.CorsFilter`. Try debug it or set you logger to debug level on this class. – snieguu Jul 28 '16 at 10:03
  • yeap, it's definitely the filter that is blocking the request. How can I debug or put the logger on this specific class? – bekon Jul 28 '16 at 11:17
  • What IDE, what logger, what build tool you use? – snieguu Jul 28 '16 at 11:59
  • the tomcat is deployed on a linux box to which I connect through ssh. I deploy the war file in the {catalina.base}/webapps folder. I have configured the logging and this is what I see: 28-Jul-2016 15:59:57.095 FINE [http-bio-138.188.100.223-8443-exec-12] org.apache.catalina.filters.CorsFilter.handleInvalidCORS Invalid CORS request; Origin="https://"www.mytestpage.com;Method=POST p.s I had to add quotes,otherwise the protocol wouldn't be shown here – bekon Jul 28 '16 at 14:01

3 Answers3

5

I found what was the issue - I had to set the Content-Type header in the request, otherwise the request would be blocked. - Tomcat CORS filter

Community
  • 1
  • 1
bekon
  • 305
  • 1
  • 4
  • 12
1

You actually have to set both Access-Control-Allow-Origin and Access-Control-Allow-Methods. Here is an example:

Access-Control-Allow-Origin: http://www.myhost.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Also you have to accept "OPTIONS" method returning both Access-Control-Allow-* header lines. Some browsers may issue this kind of request prior to your actual request (e.g. "PUT" request) to get the access information of the service.

Boris Brodski
  • 8,425
  • 4
  • 40
  • 55
0

I just got into a similar situation. I solved it by using the same Tomcat server for all my needed web apps. Also, I had to use detailed name for the tomcat server instead of localhost. I saw no more CORS filter problems.

Jose Cabrera Zuniga
  • 2,348
  • 3
  • 31
  • 56