Posted to users@tomcat.apache.org by Sjir Bagmeijer <sj...@basefarm.com> on 2016/05/20 09:34:13 UTC

Tomcat Cors on 40x requests.

Hello,


We have some issues with getting CORS to work for requests within the 40x status code range.

So we are curious if anyone else has gotten this to work perhaps?

I think our very first question actually is if CORS is meant to be on 40x requests or only on 20x requests?

Now our actual web.xml looks as follows:
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>http://tomcat.example.com,https://example.com</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,soapaction</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>


If I test this, it actually works for all 200 requests:
curl -i -H "Origin:  https://tomcat.example.com" -H "Access-Control-Request-Method: GET" -H "Access-Control-Request-Headers: Content-Type, soapaction" -X GET -i http://localhost:8080/lol/test/1.json
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: https://tomcat.example.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Cache-Control: public, max-age=10


However, if I do this on a request that would generate a 404, it does not work:
curl -i -H "Origin:  https://tomcat.example.com" -H "Access-Control-Request-Method: GET" -H "Access-Control-Request-Headers: Content-Type, soapaction" -X GET -i http://localhost:8080/lol/test/xxx.json
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Cache-Control: public, must-revalidate, max-age=10
Content-Type: application/json
Content-Length: 128
Date: Fri, 20 May 2016 09:28:42 GMT

What would we need to do to make it show those CORS headers also on those 404 requests? The same goes for any kind of 401 requests (401 as in application authentication, not the Tomcat authentication).

We would appreciate any feedback or arguments if we do this wrong.


Thank you in advance,
//Sjir Bagmeijer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
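
A way to regression-test the behaviour asked about in the post above, added here as an example (not code from the thread or from Tomcat): it parses `curl -i` output and reports responses that an allowlisted origin could not read from a browser, whatever the status code. The allowlist is the `cors.allowed.origins` value from the posted web.xml; the sample responses and the `https://other.example` origin used to exercise the negative case are constructed.

```python
# Added example, not from the thread: audit `curl -i` output for CORS headers.
# Allowlist copied from cors.allowed.origins in the posted web.xml.
ALLOWED_ORIGINS = {"http://tomcat.example.com", "https://example.com"}

# Constructed sample responses, modelled on the two shown in the post.
OK_200 = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Credentials: true

{}"""
NOT_FOUND_404 = """HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: application/json

{}"""

def parse_response(raw):
    """Return (status_code, headers) with header names lowercased."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_cors(raw, origin, allowed=ALLOWED_ORIGINS, credentials=True):
    """List CORS problems in one response to a request sent with `origin`."""
    status, headers = parse_response(raw)
    acao = headers.get("access-control-allow-origin")
    if origin not in allowed:
        # A non-allowlisted origin must never be echoed back or wildcarded.
        return [f"{status}: granted to non-allowlisted {origin}"] if acao in (origin, "*") else []
    if acao is None:
        return [f"{status}: Access-Control-Allow-Origin missing"]
    # With credentials enabled the header must echo the exact origin, not "*".
    if acao != origin:
        return [f"{status}: Access-Control-Allow-Origin is {acao}, expected {origin}"]
    if credentials and headers.get("access-control-allow-credentials") != "true":
        return [f"{status}: Access-Control-Allow-Credentials missing"]
    return []

if __name__ == "__main__":
    for raw in (OK_200, NOT_FOUND_404):
        print(check_cors(raw, "https://example.com") or "ok")
```

Feeding it the saved output of requests against both a 2xx and a 4xx URL, once with an allowlisted and once with a non-allowlisted `Origin`, covers the case raised in the post and confirms that a fix does not widen the policy.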


Re: Tomcat Cors on 40x requests.

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 20.05.2016 12:06, André Warnier (tomcat) wrote:
> On 20.05.2016 11:34, Sjir Bagmeijer wrote:
>> Hello,
>>
>>
>> We have some issues with getting cors to work for requests within the 40x status code
>> range.
>>
>
> What is interesting, is that https://www.w3.org/TR/cors/ says absolutely nothing about
> "not exist", "not found", 404 status etc.
> (It does say a lot about Authorization etc., but apparently nothing about resources which
> do not exist)
>

While continuing to search the web for this, I found a number of recommendations when 
searching Google for "CORS and 404", among which this one :
http://www.bentedder.com/cors-issue-with-options-request-returning-404/

I believe that you could achieve the same with, for example, the URLRewriteFilter.






Re: Tomcat Cors on 40x requests.

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 20.05.2016 11:34, Sjir Bagmeijer wrote:
> Hello,
>
>
> We have some issues with getting cors to work for requests within the 40x status code range.
>

What is interesting, is that https://www.w3.org/TR/cors/ says absolutely nothing about 
"not exist", "not found", 404 status etc.
(It does say a lot about Authorization etc., but apparently nothing about resources which 
do not exist)



