Posted to users@tomcat.apache.org by Maatari Daniel Okouya <ok...@yahoo.fr> on 2015/07/23 16:49:15 UTC

TOMCAT 7, Native CORS FILTER and Spring Security

Hi, 

I am using TOMCAT 7, and I have enabled the CORS FILTER as per the explanation on the official website: https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter

I use the actual configuration: 


<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

I do it in my Web.xml that is in the conf folder. 

However, the app that I am trying to access has a Spring Security filter. I show below the application configuration in question. I have no control over that application. In fact, this is a vendor application. I can only modify the configuration file to enable the CORS FILTER.

<!-- Spring Security START -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/</url-pattern>
    </filter-mapping>
    <!-- Spring Security END -->

or a larger view


  <filter>
        <filter-name>MessageFilter</filter-name>
        <filter-class>at.punkt.PoolParty.Management.MessageFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>MessageFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>TransactionFilter</filter-name>
        <filter-class>biz.poolparty.thesaurus.web.support.TransactionFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>TransactionFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>SpringLocaleFilter</filter-name>
        <filter-class>biz.poolparty.thesaurus.web.support.SpringLocaleFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SpringLocaleFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Spring Security START -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/</url-pattern>
    </filter-mapping>
    <!-- Spring Security END -->

    <listener>
        <description>ServletContextListener</description>
        <listener-class>at.punkt.PoolParty.Management.PoolPartyListener</listener-class>
    </listener>

    <!-- Location of the XML file that defines the root application context -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:/applicationContext.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Include spring dispatcher servlet -->
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
        <async-supported>true</async-supported>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/!/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/api/*</url-pattern>
    </servlet-mapping>
    

I wonder if there is an issue between the Spring Security Filter and the Native Cors Filter coming with Tomcat?

What are the workarounds?

If not, how can I know what exactly is stopping the CORS FILTER FROM WORKING RIGHT?

-- 
Maatari Daniel Okouya
Sent with Airmail
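
The posted filter sets `cors.allowed.origins` to `*` together with `cors.support.credentials` set to `true`. Browsers refuse a literal `Access-Control-Allow-Origin: *` on credentialed requests, and a server that instead echoes whatever origin called it lets any site read authenticated responses, so this pair is worth checking for. The following is an added example, not code from the thread or from Tomcat; the function names, the trimmed sample XML and the `https://client.example` origin are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CORS_CLASS = "org.apache.catalina.filters.CorsFilter"

# Constructed sample: two of the init-params from the post's CorsFilter.
POSTED = """<web-app><filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param><param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value></init-param>
  <init-param><param-name>cors.support.credentials</param-name>
    <param-value>true</param-value></init-param>
</filter></web-app>"""
# Constructed alternative: the origin is a placeholder, not a value from the thread.
PINNED = POSTED.replace("<param-value>*<", "<param-value>https://client.example<")

def _local(tag):
    """Drop any XML namespace so the lookup works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def cors_params(web_xml):
    """Return {param-name: param-value} of the first CorsFilter, or None."""
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) == "filter" and _child_text(flt, "filter-class") == CORS_CLASS:
            return {_child_text(p, "param-name"): _child_text(p, "param-value")
                    for p in flt if _local(p.tag) == "init-param"}
    return None

def audit(params):
    """List risky or undefined origin/credential settings."""
    findings = []
    origins = params.get("cors.allowed.origins")
    creds = params.get("cors.support.credentials")
    if origins is None or creds is None:
        findings.append("origin or credentials param unset: built-in default applies")
    allowed = {o.strip() for o in (origins or "").split(",")}
    if "*" in allowed and (creds or "").lower() == "true":
        findings.append("any origin allowed together with credentials")
    elif "*" in allowed:
        findings.append("any origin allowed")
    return findings

if __name__ == "__main__":
    for name, xml in (("posted", POSTED), ("pinned", PINNED)):
        print(name, audit(cors_params(xml)))
```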

Re: TOMCAT 7, Native CORS FILTER and Spring Security

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Maatari,

On 7/23/15 10:49 AM, Maatari Daniel Okouya wrote:
> I wonder if there is an issue between the Spring Security Filter
> and the Native Cors Filter coming with Tomcat?
> 
> What are the workarounds?
> 
> If not, how can I know what exactly is stopping the CORS FILTER FROM
> WORKING RIGHT?

What happens when the filter does not work properly? Does the
application break, or do you merely not get any CORS protection? What
have you been doing to test? You need to provide more information if
we can help you.

-chris
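
One way to gather the test evidence asked for above is to send the preflight `OPTIONS` request by hand and judge the response the way a browser does; a preflight carries no cookies or `Authorization` header, so a response produced by anything other than the CORS filter shows up as a non-2xx status or missing `Access-Control-*` headers. This is an added example, not part of the thread: the function names, the `https://client.example` origin and both sample responses are constructed, and the intercepted case is a hypothetical outcome rather than behaviour reported for this application.

```python
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}

# Constructed samples, not captured from the thread's server.
ORIGIN = "https://client.example"
ANSWERED = (200, {"Access-Control-Allow-Origin": ORIGIN,
                  "Access-Control-Allow-Credentials": "true",
                  "Access-Control-Allow-Methods": "GET,POST,HEAD,OPTIONS,PUT",
                  "Access-Control-Allow-Headers": "Content-Type,X-Requested-With"})
# Hypothetical outcome: another filter answered the OPTIONS request first.
INTERCEPTED = (302, {"Location": "/login"})

def _tokens(value):
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def diagnose_preflight(origin, method, req_headers, status, resp_headers,
                       credentials=True):
    """Return every reason a browser would fail this preflight ([] = pass)."""
    h = {k.lower(): v for k, v in resp_headers.items()}
    wildcard_ok = not credentials  # "*" only counts for uncredentialed requests
    problems = []
    if not 200 <= status <= 299:
        problems.append(f"status {status} is not 2xx")
    acao = h.get("access-control-allow-origin")
    if acao is None:
        problems.append("no Access-Control-Allow-Origin")
    elif acao == "*" and not wildcard_ok:
        problems.append("wildcard origin not accepted with credentials")
    elif acao not in ("*", origin):
        problems.append(f"allowed origin {acao!r} does not match {origin!r}")
    if credentials and h.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")
    methods = _tokens(h.get("access-control-allow-methods"))
    if (method.upper() not in SAFELISTED_METHODS and method.lower() not in methods
            and not (wildcard_ok and "*" in methods)):
        problems.append(f"method {method} not in Access-Control-Allow-Methods")
    allowed = _tokens(h.get("access-control-allow-headers"))
    missing = _tokens(",".join(req_headers)) - allowed
    if missing and not (wildcard_ok and "*" in allowed):
        problems.append("headers not allowed: " + ", ".join(sorted(missing)))
    return problems

if __name__ == "__main__":
    for name, (status, headers) in (("answered", ANSWERED), ("intercepted", INTERCEPTED)):
        print(name, diagnose_preflight(ORIGIN, "PUT", ["Content-Type"], status, headers))
```

Feed it the status line and headers from a real preflight (request method `OPTIONS` with `Origin`, `Access-Control-Request-Method` and `Access-Control-Request-Headers` set) to see which check fails first.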
