it may seem like a known issue and many questions exist on the topic, however, my situation is very strange. I have a simple web application that is deployed on tomcat 8.0.36. I have configured the CORS properly:
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The cross-origin requests are blocked by the browser:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.mytestpage.com' is therefore not allowed access. The response had HTTP status code 403.
In the tomcat log file I also see the response code of 403. What is interesting is that the code of my application is never executed in case of cross-origin requests. The requests are blocked before reaching my application and 403 is sent immediately. I have no apache in front of tomcat, it's plain tomcat. I have tried many things, including whitelisting the origins and specifying allowed headers - nothing helped. I've also tried to set the header programmatically until I found that the code in case of cross-origin request is never executed.
UPD: The end point accepts POST requests. Those POST requests are sent as XmlHttpRequests from the JS snippet.
Any ideas what it can be?
p.s I can make successful same origin requests.
CorsFilter
configuration, so problem can be with everything. For examplecors.allowed.methods
default value isGET, POST, HEAD, OPTIONS
and maybe in requestDELETE
is trying. Could you post more details? – Oligochaeteorg.apache.catalina.filters.CorsFilter
. Try debug it or set you logger to debug level on this class. – Oligochaete