Tomcat CORS filter

Asked 24/6, 2014 at 12:31 Answered 6/5, 2022 at 1:4

Solved java tomcat web-applications cors

I want to enable tomcat CORS filter, i added this to web.xml:

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

But it doesn't work. I tried with a custom filter:

<filter>
    <filter-name>SimpleCORSFilter</filter-name>
    <filter-class>com.common.SimpleCORSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SimpleCORSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

With this Class:

public class SimpleCORSFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
        chain.doFilter(req, res);
    }
}

And this well works, can you tell me why? I don't know if it is important but I'm usign Spring Framework.

Incoercible answered 24/6, 2014 at 12:31 Comment(3)

How did you test the CorsFilter? With AJAX request or with just a simple GET? – Complexioned 24/6, 2014 at 12:39

Both, but firebug doesn't show the Access-Control header – Incoercible 24/6, 2014 at 12:41

Can you provide a complete example of how to set up SimpleCORSFilter? What are the imports? Where does the class live? I would like to add the class to tomcat and am not sure how. – Dugger 17/2, 2017 at 17:39

The filter org.apache.catalina.filters.CorsFilter seek first a header in the request: Origin. If this header does not exist, the filter does not add any header in the response. Perhaps for that reason does not work.

Additionally, in a POST request, look for the header Content-Type. Something similar happens to other methods. May you want to see the code of this filter. In another way, there is a flowchart:

CORS Flow Chart

Redheaded answered 24/6, 2014 at 15:29 Comment(1)

it doesn't help for me. I added Origin stackoverflow.com just for the test and tomcat doesn't return the headers – Veasey 23/12, 2014 at 13:23

I get a similar problem and I found something that worked for me on tomcat doc tomcat-doc-CORSFilter I use filter and init-param as below:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Hope it helps!

Bornholm answered 6/8, 2015 at 16:34 Comment(3)

Hi, I'm trying to put this to work but it seems that tomcat does not match the url-pattern or maybe the Filter is not enable... is there a way to put debug logs ? – Splitting 12/1, 2019 at 20:35

@HarshvardhanSharma You should add/change your code with this one on web.xml file, on path webapp/WEB-INF – Pickwickian 11/2, 2019 at 18:13

javax.servlet.ServletException: It is not allowed to configure supportsCredentials=[true] when allowedOrigins=[*] – Dipnoan 1/10, 2021 at 21:52

I don't have enough reputation to leave a comment but thanks for your answer @Krikza :)

Using Tomcat 9 I had the following issue: javax.servlet.ServletException: It is not allowed to configure supportsCredentials=[true] when allowedOrigins=[*]

Simply removing the parameter fixes it

<init-param>
  <param-name>cors.support.credentials</param-name>
  <param-value>true</param-value>
</init-param>

Stavro answered 16/1, 2021 at 11:51 Comment(0)

When I had the same problem, the tomcat reference didn't work. Here's how it worked:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,PUT,DELETE,HEAD,OPTIONS</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Sarina answered 6/5, 2022 at 1:4 Comment(0)

In my case with Ueditor，the X-Requested-With should be X_Requested_With.

Hypoxia answered 17/1, 2018 at 6:51 Comment(0)

Recommended topics

Hot tags