cross origin requests are blocked in tomcat 8 with HTTP status code 403
Asked Answered
X

3

7

it may seem like a known issue and many questions exist on the topic, however, my situation is very strange. I have a simple web application that is deployed on tomcat 8.0.36. I have configured the CORS properly:

<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

The cross-origin requests are blocked by the browser:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.mytestpage.com' is therefore not allowed access. The response had HTTP status code 403.

In the tomcat log file I also see the response code of 403. What is interesting is that the code of my application is never executed in case of cross-origin requests. The requests are blocked before reaching my application and 403 is sent immediately. I have no apache in front of tomcat, it's plain tomcat. I have tried many things, including whitelisting the origins and specifying allowed headers - nothing helped. I've also tried to set the header programmatically until I found that the code in case of cross-origin request is never executed.

UPD: The end point accepts POST requests. Those POST requests are sent as XmlHttpRequests from the JS snippet.

Any ideas what it can be?

p.s I can make successful same origin requests.

Xanthate answered 27/7, 2016 at 20:35 Comment(6)
Hi, you use defaults in your CorsFilter configuration, so problem can be with everything. For example cors.allowed.methods default value is GET, POST, HEAD, OPTIONS and maybe in request DELETE is trying. Could you post more details?Oligochaete
I have updated the question. I'm sending POST requests.Xanthate
Request is rejected by org.apache.catalina.filters.CorsFilter. Try debug it or set you logger to debug level on this class.Oligochaete
yeap, it's definitely the filter that is blocking the request. How can I debug or put the logger on this specific class?Xanthate
What IDE, what logger, what build tool you use?Oligochaete
the tomcat is deployed on a linux box to which I connect through ssh. I deploy the war file in the {catalina.base}/webapps folder. I have configured the logging and this is what I see: 28-Jul-2016 15:59:57.095 FINE [http-bio-138.188.100.223-8443-exec-12] org.apache.catalina.filters.CorsFilter.handleInvalidCORS Invalid CORS request; Origin="https://"www.mytestpage.com;Method=POST p.s I had to add quotes,otherwise the protocol wouldn't be shown hereXanthate
X
5

I found what was the issue - I had to set the Content-Type header in the request, otherwise the request would be blocked. - Tomcat CORS filter

Xanthate answered 28/7, 2016 at 15:2 Comment(0)
A
1

You actually have to set both Access-Control-Allow-Origin and Access-Control-Allow-Methods. Here is an example:

Access-Control-Allow-Origin: http://www.myhost.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Also you have to accept "OPTIONS" method returning both Access-Control-Allow-* header lines. Some browsers may issue this kind of request prior to your actual request (e.g. "PUT" request) to get the access information of the service.

Arondell answered 28/7, 2016 at 15:17 Comment(0)
O
0

I just got into a similar situation. I solved it by using the same Tomcat server for all my needed web apps. Also, I had to use detailed name for the tomcat server instead of localhost. I saw no more CORS filter problems.

Oleaster answered 11/9, 2019 at 16:38 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.