Posted to users@tomcat.apache.org by Brian <br...@emailbb.com> on 2015/02/05 16:42:54 UTC

Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?

Hi,

 

I have a Restful service that receives a huge amount of HTTP requests per
day. In some of these requests, Tomcat returns an HTTP 403 error status.
This should never happen as far as I can tell because the resource is open,
and is very sporadic but yet very critical because it makes my service
unreliable. When this happens, it does so for the same resource that would
otherwise return a successful response.

I'm sure this is happening, because my users have reported the issue to me, and
because I can clearly see that in our Tomcat log, as follows:

 

localhost - - [04/Feb/2015:01:11:06 -0500] "GET /location/v1.7/locateip?key=abc123&ip=182.68.243.178&format=JSON HTTP/1.0" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36"

localhost - - [04/Feb/2015:01:12:24 -0500] "GET /location/v1.8/locateip?key=abc123&ip=local-ip&format=json&capacity=6X HTTP/1.0" 403 - "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36"

localhost - - [04/Feb/2015:01:18:06 -0500] "GET /location/v1.8/locateip?key=abc123&ip=local-ip&format=json&capacity=6X HTTP/1.0" 403 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36"

 

Is there a way to show in the log why the 403s took place? How do I debug
these events?

 

I'm using Tomcat 7.0.50.

 

By the way: I don't know if this is relevant, but this is the complete stack
of software between the user and my Java App:

 

- The request first goes through an Amazon AWS load balancer

- Then it enters my Linux instance (Ubuntu 12.04.3)

- Then it arrives at Nginx (v1.4.7), that runs a module that deals with
abuses (when there are too many requests)

- Then it hits Tomcat (7.0.50)

- Then it finally hits my Java servlet.

 

Thanks in advance,

 

Brian

 

 

 


Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 2/6/15 11:58 AM, Mark Eggers wrote:
> CORS basically doesn't work with Internet Explorer < 10.
> 
> IE < 8, and CORS does not work at all.
> IE 8 - Microsoft has a 'special mechanism' for CORS
> IE 9 - Microsoft breaks the 'special mechanism'
> IE 10 - Microsoft tells people to use CORS
> 
> http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx
>
>  . . . been there, fought that

Hmm. Sounds like it's worth adding that to the CORSFilter
documentation, at least in summary (similar to above, including the link).

Could you make a docs patch?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?

Posted by Mark Eggers <it...@yahoo.com.INVALID>.

On 2/6/2015 2:21 AM, Brian wrote:
> Hello Mark,
> 
> 1- No authentication at all, since the user authenticates sending a
> parameter in the query string.
> 
> 2- I have two filters:
> "org.tuckey.web.filters.urlrewrite.UrlRewriteFilter" (which has
> been working fine for years now) and.... CORS, yes!!! Actually, the
> CORS filter (org.apache.catalina.filters.CorsFilter) is the first
> filter in my web.xml file, so it is the first to run. This is the
> way I have configured it:
> 
> <filter>
>   <filter-name>CorsFilter</filter-name>
>   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>   <init-param>
>     <param-name>cors.allowed.origins</param-name>
>     <param-value>*</param-value>
>   </init-param>
>   <init-param>
>     <param-name>cors.support.credentials</param-name>
>     <param-value>false</param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>CorsFilter</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
> 
> I added the CORS filter probably two months ago, and probably I
> have started seeing the 403 errors since then, yes! And now that I
> think about it, probably it is the CORS filter the reason of the
> 403 indeed, since my API is being called not only from servers but
> also from Javascript running in all kinds of browsers and maybe some
> of them don't deal with CORS properly. That would explain why the
> 403s happen occasionally. In fact, I see this 403 occurring in most
> of the cases by one specific user (authenticated by a parameter in
> the query string) that calls my API from javascript!
> 
> In what conditions does this filter return a 403 error? What are
> the Headers involved when that happens? How can I avoid this
> problem? Where (on the internet) can I learn more about this
> specific problem?

CORS basically doesn't work with Internet Explorer < 10.

IE < 8, and CORS does not work at all.
IE 8 - Microsoft has a 'special mechanism' for CORS
IE 9 - Microsoft breaks the 'special mechanism'
IE 10 - Microsoft tells people to use CORS

http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx

. . . been there, fought that
/mde/

> 
> Thanks Mark!
> 
> 
> 
>> -----Original Message-----
>> From: Mark Thomas [mailto:markt@apache.org]
>> Sent: Friday, 06 February 2015 04:47 a.m.
>> To: Tomcat Users List
>> Subject: Re: Sporadic HTTP 403 returned by Tomcat when this should not
>> happen ever. How to find out why this happens?
>> 
>> On 05/02/2015 23:14, Brian wrote:
>>> Hello David,
>>> 
>>> No, it is not the case. No exceptions whatsoever. And about
>>> 1/100 (or less) of the requests return a 403 to the users, and
>>> all those requests are doing the same thing.
>>> Thanks a lot for your help!
>> 
>> Is any authentication configured for this web application?
>> 
>> What filters are configured (the CORS filter might return a 403
>> for example)?
>> 
>> Mark



Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?

Posted by Sean Dawson <se...@gmail.com>.
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter

"The filter works by adding required Access-Control-* headers to
HttpServletResponse object. The filter also protects against HTTP response
splitting. If request is invalid, or is not permitted, then request is
rejected with HTTP status code 403 (Forbidden)"


On Fri, Feb 6, 2015 at 5:45 AM, Mark Thomas <ma...@apache.org> wrote:

> On 06/02/2015 10:21, Brian wrote:
> > Hello Mark,
> >
> > 1- No authentication at all, since the user authenticates sending a
> parameter in the query string.
> >
> > 2- I have two filters:
> "org.tuckey.web.filters.urlrewrite.UrlRewriteFilter" (which has been
> working fine for years now) and.... CORS, yes!!!
> > Actually, the CORS filter (org.apache.catalina.filters.CorsFilter) is
> the first filter in my web.xml file, so it is the first to run.
> > This is the way I have configured it:
> >
> >   <filter>
> >     <filter-name>CorsFilter</filter-name>
> >     <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
> >     <init-param>
> >       <param-name>cors.allowed.origins</param-name>
> >       <param-value>*</param-value>
> >     </init-param>
> >     <init-param>
> >       <param-name>cors.support.credentials</param-name>
> >       <param-value>false</param-value>
> >     </init-param>
> >   </filter>
> >   <filter-mapping>
> >     <filter-name>CorsFilter</filter-name>
> >     <url-pattern>/*</url-pattern>
> >   </filter-mapping>
> >
> > I added the CORS filter probably two months ago, and probably I have
> started seeing the 403 errors since then, yes!
> > And now that I think about it, probably it is the CORS filter the reason
> of the 403 indeed, since my API is being called not only from servers but
> also from Javascript running in all kinds of browsers and maybe some of them
> don't deal with CORS properly. That would explain why the 403s happen
> occasionally. In fact, I see this 403 occurring in most of the cases by one
> specific user (authenticated by a parameter in the query string) that calls
> my API from javascript!
> >
> > In what conditions does this filter return a 403 error? What are the
> Headers involved when that happens? How can I avoid this problem? Where (on
> the internet) can I learn more about this specific problem?
> >
> > Thanks Mark!
>
> There have been some changes so the best bet is to look at the source
> code for the version you are using:
>
>
> http://svn.apache.org/viewvc/tomcat/tc7.0.x/tags/TOMCAT_7_0_50/java/org/apache/catalina/filters/CorsFilter.java?view=annotate
>
> If I recall, clients that send a null origin will be rejected when * is
> used. That got fixed recently.
>
> Mark

Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?

Posted by Mark Thomas <ma...@apache.org>.
On 06/02/2015 10:21, Brian wrote:
> Hello Mark,
> 
> 1- No authentication at all, since the user authenticates sending a parameter in the query string.
> 
> 2- I have two filters: "org.tuckey.web.filters.urlrewrite.UrlRewriteFilter" (which has been working fine for years now) and.... CORS, yes!!!
> Actually, the CORS filter (org.apache.catalina.filters.CorsFilter) is the first filter in my web.xml file, so it is the first to run.
> This is the way I have configured it:
> 
>   <filter>
>     <filter-name>CorsFilter</filter-name>
>     <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>     <init-param>
>       <param-name>cors.allowed.origins</param-name>
>       <param-value>*</param-value>
>     </init-param>
>     <init-param>
>       <param-name>cors.support.credentials</param-name>
>       <param-value>false</param-value>
>     </init-param>
>   </filter>
>   <filter-mapping>
>     <filter-name>CorsFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
> 
> I added the CORS filter probably two months ago, and probably I have started seeing the 403 errors since then, yes!
> And now that I think about it, probably it is the CORS filter the reason of the 403 indeed, since my API is being called not only from servers but also from Javascript running in all kinds of browsers and maybe some of them don't deal with CORS properly. That would explain why the 403s happen occasionally. In fact, I see this 403 occurring in most of the cases by one specific user (authenticated by a parameter in the query string) that calls my API from javascript!
> 
> In what conditions does this filter return a 403 error? What are the Headers involved when that happens? How can I avoid this problem? Where (on the internet) can I learn more about this specific problem?
> 
> Thanks Mark!

There have been some changes so the best bet is to look at the source
code for the version you are using:

http://svn.apache.org/viewvc/tomcat/tc7.0.x/tags/TOMCAT_7_0_50/java/org/apache/catalina/filters/CorsFilter.java?view=annotate

If I recall, clients that send a null origin will be rejected when * is
used. That got fixed recently.

Mark
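
To see which requests the CORS filter rejects, the access log needs to carry the Origin header. The following is an added example, not part of the thread and not Tomcat code: it assumes the AccessLogValve pattern has been extended with "%{Origin}i" as a final quoted field, and it tallies 403 responses by the kind of Origin sent. The sample lines, the example.com origins and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumed log layout: the combined format shown in the thread plus one extra
# quoted field holding the request's Origin header, produced by an
# AccessLogValve pattern ending in ... "%{User-Agent}i" "%{Origin}i"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)" "(?P<origin>[^"]*)"$'
)
ORIGIN_RE = re.compile(r'^[a-z][a-z0-9+.-]*://[^/\s]+$', re.I)


def classify_origin(origin):
    """Bucket an Origin value for CORS triage."""
    if origin == "-":
        return "absent"       # header not sent: not a CORS request
    if origin == "null":
        return "null"         # the case the reply above says is rejected with "*"
    return "well-formed" if ORIGIN_RE.match(origin) else "malformed"


def summarize_403s(lines):
    """Return (origin-class counts for 403 responses, unparsable lines)."""
    counts, unparsed = Counter(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed.append(line)
        elif m.group("status") == "403":
            counts[classify_origin(m.group("origin"))] += 1
    return counts, unparsed


# Constructed sample lines (not taken from the poster's real log).
_TEMPLATE = ('localhost - - [04/Feb/2015:01:1{n}:06 -0500] '
             '"GET /location/v1.8/locateip?key=abc123&ip=192.0.2.10 HTTP/1.0" '
             '{status} "-" "Mozilla/5.0" "{origin}"')
SAMPLE = [_TEMPLATE.format(n=n, status=s, origin=o) for n, (s, o) in enumerate([
    ("200 512", "http://app.example.com"),
    ("403 -", "null"),
    ("403 -", "null"),
    ("200 498", "-"),
    ("403 -", "app.example.com"),   # no scheme, so not a valid origin
])] + ["garbage line"]

if __name__ == "__main__":
    counts, unparsed = summarize_403s(SAMPLE)
    for kind, n in counts.most_common():
        print(f"403 with {kind} Origin: {n}")
    print(f"unparsable lines: {len(unparsed)}")
```

If the 403s cluster on "null" or malformed Origin values while well-formed origins succeed, the filter's origin check is the place to look in the CorsFilter source for the running version.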



RE: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?

Posted by Brian <br...@emailbb.com>.
Hello Mark,

1- No authentication at all, since the user authenticates sending a parameter in the query string.

2- I have two filters: "org.tuckey.web.filters.urlrewrite.UrlRewriteFilter" (which has been working fine for years now) and.... CORS, yes!!!
Actually, the CORS filter (org.apache.catalina.filters.CorsFilter) is the first filter in my web.xml file, so it is the first to run.
This is the way I have configured it:

  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>*</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

I added the CORS filter probably two months ago, and probably I have started seeing the 403 errors since then, yes!
And now that I think about it, probably it is the CORS filter the reason of the 403 indeed, since my API is being called not only from servers but also from Javascript running in all kinds of browsers and maybe some of them don't deal with CORS properly. That would explain why the 403s happen occasionally. In fact, I see this 403 occurring in most of the cases by one specific user (authenticated by a parameter in the query string) that calls my API from javascript!

In what conditions does this filter return a 403 error? What are the Headers involved when that happens? How can I avoid this problem? Where (on the internet) can I learn more about this specific problem?

Thanks Mark!

	

> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Friday, 06 February 2015 04:47 a.m.
> To: Tomcat Users List
> Subject: Re: Sporadic HTTP 403 returned by Tomcat when this should not
> happen ever. How to find out why this happens?
> 
> On 05/02/2015 23:14, Brian wrote:
> > Hello David,
> >
> > No, it is not the case. No exceptions whatsoever. And about 1/100 (or less) of
> > the requests return a 403 to the users, and all those requests are doing the same
> > thing.
> > Thanks a lot for your help!
> 
> Is any authentication configured for this web application?
> 
> What filters are configured (the CORS filter might return a 403 for
> example)?
> 
> Mark


Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?

Posted by Mark Thomas <ma...@apache.org>.
On 05/02/2015 23:14, Brian wrote:
> Hello David,
> 
> No, it is not the case. No exceptions whatsoever. And about 1/100 (or less) of the requests return a 403 to the users, and all those requests are doing the same thing.
> Thanks a lot for your help!

Is any authentication configured for this web application?

What filters are configured (the CORS filter might return a 403 for
example)?

Mark




RE: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?

Posted by Brian <br...@emailbb.com>.
Hello David,

No, it is not the case. No exceptions whatsoever. And about 1/100 (or less) of the requests return a 403 to the users, and all those requests are doing the same thing.
Thanks a lot for your help!


> -----Original Message-----
> From: David Bullock [mailto:david.bullock@machaira.com.au]
> Sent: Thursday, 05 February 2015 06:04 p.m.
> To: Tomcat Users List
> Subject: Re: Sporadic HTTP 403 returned by Tomcat when this should not
> happen ever. How to find out why this happens?
> 
> On 6 February 2015 at 02:42, Brian <br...@emailbb.com> wrote:
> 
> > Hi,
> >
> > I have a Restful service that receives a huge amount of HTTP requests per
> > day. In some of these requests, Tomcat returns an HTTP 403 error status.
> >
> 
> Your servlet does something which throws a java.lang.Security exception
> (which is a runtime exception), and Tomcat is translating it into a 403 for
> you?  (I didn't test it, but it might be a reasonable thing for a
> servlet-container to do).




Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?

Posted by David Bullock <da...@machaira.com.au>.
On 6 February 2015 at 02:42, Brian <br...@emailbb.com> wrote:

> Hi,
>
> I have a Restful service that receives a huge amount of HTTP requests per
> day. In some of these requests, Tomcat returns an HTTP 403 error status.
>

Your servlet does something which throws a java.lang.Security exception
(which is a runtime exception), and Tomcat is translating it into a 403 for
you?  (I didn't test it, but it might be a reasonable thing for a
servlet-container to do).