Can't make GWT app work with CORS configured on Tomcat 7

Question

I'm trying to configure GWT application to work with a different backend server (running Tomcat 7.0.26).

I followed the instructions from this website and configured CORS filter: http://software.dzhuvinov.com/cors-filter-installation.html

I used the sample GWT code (Greetings App), with these modifications:

1. In GWT App I added this line, before the RPC call:

   ((ServiceDefTarget) greetingService).setServiceEntryPoint("http://remoteserver/testcors/greet");
   

2. I have modified web.xml and added CORS filter:

   <filter>
           <!-- The CORS filter with parameters -->
           <filter-name>CORS</filter-name>
           <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
   
           <!-- Note: All parameters are options, if ommitted CORS Filter will fall 
                   back to the respective default values. -->
           <init-param>
                   <param-name>cors.allowGenericHttpRequests</param-name>
                   <param-value>true</param-value>
           </init-param>
   
           <init-param>
                   <param-name>cors.allowOrigin</param-name>
                   <param-value>*</param-value>
           </init-param>
   
           <init-param>
                   <param-name>cors.allowSubdomains</param-name>
                   <param-value>false</param-value>
           </init-param>
   
           <init-param>
                   <param-name>cors.supportedMethods</param-name>
                   <param-value>GET, HEAD, POST, OPTIONS</param-value>
           </init-param>
   
           <init-param>
                   <param-name>cors.supportedHeaders</param-name>
                   <param-value>Content-Type, X-Requested-With</param-value>
           </init-param>
   
           <init-param>
                   <param-name>cors.exposedHeaders</param-name>
                   <param-value>X-Test-1, X-Test-2</param-value>
           </init-param>
   
           <init-param>
                   <param-name>cors.supportsCredentials</param-name>
                   <param-value>true</param-value>
           </init-param>
   
           <init-param>
                   <param-name>cors.maxAge</param-name>
                   <param-value>3600</param-value>
           </init-param>
   
   </filter>
   
   <filter-mapping>
           <!-- CORS Filter mapping -->
           <filter-name>CORS</filter-name>
           <url-pattern>/testcors/greet</url-pattern>
   </filter-mapping>
   

If I access TestCORS app from "remoteserver", everything works fine and I can see these headers added:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: http://remoteserver
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: X-Test-2, X-Test-1
Content-Encoding: gzip
Content-Disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 214
Date: Sun, 24 Feb 2013 15:12:42 GMT

But if I access the same TestCORS GWT app running on my local machine (127.0.0.1:8888), I get this error:

Request headers:

OPTIONS /testcors/greet HTTP/1.1
Host: remoteserver
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17
Access-Control-Request-Headers: x-gwt-module-base, x-gwt-permutation, origin, content-type
Accept: */*
Referer: http://127.0.0.1:8888/TestCORS.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response headers:

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain;charset=ISO-8859-1
Content-Length: 96
Date: Sun, 24 Feb 2013 15:14:38 GMT

I tried this different browsers (Chrome Version 24.0.1312.57, Safari Version 6.0.2 (8536.26.17), Firefox 18.0.2, Opera Version 12.14) and I got the same error returned by the server - HTTP 403.

I saw few people having similar problems, but I wasn't able to find the solution:

• Apache Tomcat and CORS
• CORS on EC2 TOMCAT 7

Any help is very appreciated!

Answer 1

Thanks to Vladimir, I also got CORS filter from this website to work: http://software.dzhuvinov.com/cors-filter-installation.html

I added additional supported headers in the web.xml:

<init-param>
    <param-name>cors.supportedHeaders</param-name>
    <param-value>Content-Type, X-Requested-With, x-gwt-module-base, x-gwt-permutation, origin, content-type</param-value>
</init-param>

Answer 2

I've not used this cors-filter before, I prefer a simplest one like this.

Anyway, in your case it seems you have not configured correctly the headers gwt needs to work, your app is sending:

Access-Control-Request-Headers: x-gwt-module-base, x-gwt-permutation, origin, content-type

So, your configuration should have:

<init-param>
   <param-name>cors.supportedHeaders</param-name>
   <param-value>x-gwt-module-base, x-gwt-permutation, origin, content-type</param-value>
</init-param>