Java JAX-RS CORS/Tomcat Conflict : javax.servlet.ServletException

Question

I am currently running my own web-app and it usually does not give me any issues to set up my environment. However, this is a new machine set up with Tomcat 9.0 and JDK 8. Only difference between this one and others which work properly is the version of Eclipse IDE.

All resources return 404 in this environment and I have narrowed down the reason for this during runtime to:

javax.servlet.ServletException: It is not allowed to configure supportsCredentials=[true] when allowedOrigins=[*]

Anyone know why this is no longer allowed / why it does not work?

In src/main/webapp/WEB-INF/web.xml CORS filters are added as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!-- This web.xml file is not required when using Servlet 3.0 container,
     see implementation details http://jersey.java.net/nonav/documentation/latest/jax-rs.html -->
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <servlet>
        <servlet-name>Jersey Web Application</servlet-name>
        <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
        <init-param>
            <param-name>jersey.config.server.provider.packages</param-name>
            <param-value>lksecure.lks,lksecure,messenger.msg</param-value>             
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Jersey Web Application</servlet-name>
        <url-pattern>/webapi`/`*</url-pattern>
    </servlet-mapping>

  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>*</param-value>
    </init-param>
    <init-param>
      <param-name>cors.allowed.methods</param-name>
      <param-value>GET,POST,DELETE,HEAD,OPTIONS</param-value>
    </init-param>
    <init-param>
      <param-name>cors.allowed.headers</param-name>
      <param-value>Content-Type,auth,user,persona,target,recaptcha,id,endpoint,portX-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
    </init-param>
    <init-param>
      <param-name>cors.exposed.headers</param-name>
      <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>cors.preflight.maxage</param-name>
      <param-value>10</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>

Thanks!

Answer 1

`<init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>*</param-value>
</init-param>`

just put a '/' before '*' like this

`<init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>/*</param-value>
</init-param>`

Answer 2

You have to provide a comma separated white list of allowed origins to also have supportCredentials=[true]: http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter

How to narrow down the problem and how to find out which URLs you have to add for Tomcats web.xml cors.allowed.origins parameter is explained here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors

This behavior was introduced due to security reasons in May 2018: https://bz.apache.org/bugzilla/show_bug.cgi?id=62343