bekon

Reputation: 315

Cross-origin requests are blocked in Tomcat 8 with HTTP status code 403

It may seem like a known issue, and many questions exist on the topic; however, my situation is very strange. I have a simple web application that is deployed on Tomcat 8.0.36. I have configured CORS properly:

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The cross-origin requests are blocked by the browser:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.mytestpage.com' is therefore not allowed access. The response had HTTP status code 403.

In the Tomcat log file I also see the response code of 403. What is interesting is that the code of my application is never executed in the case of cross-origin requests. The requests are blocked before reaching my application, and 403 is sent immediately. I have no Apache in front of Tomcat; it's plain Tomcat. I have tried many things, including whitelisting the origins and specifying allowed headers - nothing helped. I've also tried to set the header programmatically, until I found that the code is never executed in the case of a cross-origin request.

UPD: The endpoint accepts POST requests. Those POST requests are sent as XMLHttpRequests from the JS snippet.

Any ideas what it can be?

P.S. I can make successful same-origin requests.

Upvotes: 7

Views: 18736

Answers (3)

Jose Cabrera Zuniga

Reputation: 2613

I just got into a similar situation. I solved it by using the same Tomcat server for all my needed web apps. Also, I had to use a detailed name for the Tomcat server instead of localhost. I saw no more CORS filter problems.

Upvotes: 0

Boris Brodski

Reputation: 8695

You actually have to set both Access-Control-Allow-Origin and Access-Control-Allow-Methods. Here is an example:

Access-Control-Allow-Origin: http://www.myhost.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Also, you have to accept the "OPTIONS" method, returning both Access-Control-Allow-* header lines. Some browsers may issue this kind of request prior to your actual request (e.g. a "PUT" request) to get the access information of the service.

Upvotes: 1

bekon

Reputation: 315

I found what the issue was: I had to set the Content-Type header in the request, otherwise the request would be blocked. - Tomcat CORS filter

Upvotes: 5
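To see why the filter answers 403 before the application code ever runs, here is an added Python model (not Tomcat's code, and not from any poster) of how Tomcat 8.0's CorsFilter classifies a request, as I read its checkRequestType logic. The simple content types, the default allowed methods and the INVALID_CORS path are modelled from that reading and are assumptions for illustration; the origin whitelist check is left out because a bare filter mapping defaults to allowing any origin.

```python
# Approximate model of org.apache.catalina.filters.CorsFilter request
# classification (Tomcat 8.0.x, as read from its source; not Tomcat's code).
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
}
# Defaults applied when CorsFilter is mapped with no init-params, as in the question.
DEFAULT_ALLOWED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}


def media_type(content_type):
    """Drop parameters such as '; charset=utf-8' and lower-case, like getMediaType()."""
    if content_type is None:
        return None
    return content_type.split(";", 1)[0].strip().lower()


def classify(method, headers):
    """Return the CORSRequestType the filter assigns to a request."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return "NOT_CORS"          # no Origin header: the filter passes it straight through
    if origin == "":
        return "INVALID_CORS"
    if method == "OPTIONS":
        acrm = h.get("access-control-request-method")
        if acrm is None:
            return "ACTUAL"
        return "PRE_FLIGHT" if acrm else "INVALID_CORS"
    if method in ("GET", "HEAD"):
        return "SIMPLE"
    if method == "POST":
        mt = media_type(h.get("content-type"))
        if mt is None:
            return "INVALID_CORS"  # POST with Origin but no Content-Type: the 403 in the question
        return "SIMPLE" if mt in SIMPLE_CONTENT_TYPES else "ACTUAL"
    return "ACTUAL"


def filter_status(method, headers, allowed_methods=DEFAULT_ALLOWED_METHODS):
    """403 when the filter rejects the request, 200 when it reaches the application."""
    kind = classify(method, headers)
    if kind == "INVALID_CORS":
        return 403
    if kind == "PRE_FLIGHT":
        h = {k.lower(): v for k, v in headers.items()}
        return 200 if h["access-control-request-method"] in allowed_methods else 403
    if kind in ("SIMPLE", "ACTUAL") and method not in allowed_methods:
        return 403
    return 200
```

Note that the rejection happens inside the filter, which is why the application's own code and any header it sets programmatically are never reached.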
