Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/09/26 09:31:45 UTC
[Bug 62761] New: CORS filter is not working in tomcat 9.0.11 and 9.0.12
https://bz.apache.org/bugzilla/show_bug.cgi?id=62761
Bug ID: 62761
Summary: CORS filter is not working in tomcat 9.0.11 and 9.0.12
Product: Tomcat 9
Version: 9.0.12
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: sreeganti72@gmail.com
Target Milestone: -----
For the CORS configuration as specified in the documentation in web.xml:
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
I get the following error printed in the log file:
26-Sep-2018 14:43:52.535 SEVERE [main] org.apache.catalina.core.StandardContext.filterStart Exception starting filter [CorsFilter]
javax.servlet.ServletException: It is not allowed to configure supportsCredentials=[true] when allowedOrigins=[*]
    at org.apache.catalina.filters.CorsFilter.parseAndStore(CorsFilter.java:759)
    at org.apache.catalina.filters.CorsFilter.init(CorsFilter.java:183)
    at javax.servlet.GenericFilter.init(GenericFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:270)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:251)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:102)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4491)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5135)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:743)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:719)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:703)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1141)
    at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1876)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
    at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:1053)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:428)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1585)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:308)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:424)
    at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:367)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:969)
    at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:839)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1429)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1419)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
    at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:944)
    at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:261)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:422)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:770)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:682)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:350)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
This filter used to work in the tomcat 8.33 version
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
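A pre-upgrade check for the combination named in the exception above, as an added example that is not part of the bug report or of Tomcat's code: it scans a web.xml for CorsFilter declarations that set `cors.support.credentials` to true while `cors.allowed.origins` is `*`. Treating only a bare `*` as the wildcard and comparing `true` case-insensitively are assumptions; the sample XML, the filter names and the origin `https://app.example.com` are constructed.

```python
import xml.etree.ElementTree as ET
CORS_FILTER = "org.apache.catalina.filters.CorsFilter"

def local(tag):
    """Drop the XML namespace prefix that web.xml elements normally carry."""
    return tag.rsplit("}", 1)[-1]

def children(elem):
    """Map each child's local tag name to its trimmed text."""
    return {local(c.tag): (c.text or "").strip() for c in elem}

def cors_filters(web_xml_text):
    """Yield (filter-name, init-params dict) for every CorsFilter declared."""
    for flt in ET.fromstring(web_xml_text).iter():
        if local(flt.tag) != "filter":
            continue
        fields = children(flt)
        if fields.get("filter-class") != CORS_FILTER:
            continue
        params = {}
        for ip in flt:
            if local(ip.tag) == "init-param":
                kv = children(ip)
                params[kv.get("param-name", "")] = kv.get("param-value", "")
        yield fields.get("filter-name", ""), params

def rejected_combination(params):
    """True when credentials are enabled while the origin list is the wildcard."""
    any_origin = params.get("cors.allowed.origins", "").strip() == "*"  # assumption
    credentials = params.get("cors.support.credentials", "").lower() == "true"
    return any_origin and credentials

def audit(web_xml_text):
    """Names of CorsFilter declarations that would hit the reported error."""
    return [n for n, p in cors_filters(web_xml_text) if rejected_combination(p)]

def _filter(name, origins):  # builds constructed sample XML, not real config
    p = "<init-param><param-name>%s</param-name><param-value>%s</param-value></init-param>"
    return ("<filter><filter-name>%s</filter-name><filter-class>%s</filter-class>%s%s</filter>"
            % (name, CORS_FILTER, p % ("cors.allowed.origins", origins),
               p % ("cors.support.credentials", "true")))

# Constructed sample: "AsReported" repeats the two conflicting parameters from the
# report; "ExplicitOrigin" names a placeholder origin instead of the wildcard.
SAMPLE = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">'
          + _filter("AsReported", "*")
          + _filter("ExplicitOrigin", "https://app.example.com") + "</web-app>")

if __name__ == "__main__":
    print(audit(SAMPLE))
```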
[Bug 62761] CORS filter example in docs not working in versions since 9.0.9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62761
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #4 from Mark Thomas <ma...@apache.org> ---
Fixed in:
- trunk for 9.0.13 onwards
- 8.5.x for 8.5.35 onwards
- 7.0.x for 7.0.92 onwards
[Bug 62761] CORS filter is not working in tomcat 9.0.11 and 9.0.12
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62761
Konstantin Kolinko <kn...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS| |All
--- Comment #2 from Konstantin Kolinko <kn...@gmail.com> ---
Your configuration is insecure and exposes you to the issue specified in
CVE-2018-8014 (bug 62343).
This is no longer allowed.
BTW, the "more advanced configuration" example at [1](9.0.12) [2](nightly)
suffers from the same issue as your configuration and should be updated.
[1] http://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Add_Default_Character_Set_Filter/Initialisation_parameters
[2] https://ci.apache.org/projects/tomcat/tomcat9/docs/config/filter.html#CORS_Filter
[Bug 62761] CORS filter example in docs not working in versions since 9.0.9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62761
Sam Weston <we...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |weston.sam@gmail.com
[Bug 62761] CORS filter is not working in tomcat 9.0.11 and 9.0.12
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62761
--- Comment #3 from Sam Weston <we...@gmail.com> ---
I can confirm that this is definitely a bug in this documentation page in
tomcat 7, 8 and 9. The CORS behaviour has been changed but not this part of the
docs.
https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#CORS_Filter
The broken example is under "Here's an example of a more advanced
configuration, that overrides defaults:"
[Bug 62761] CORS filter example in docs not working in versions since 9.0.9
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62761
Sam Weston <we...@gmail.com> changed:
What    |Removed                                                |Added
----------------------------------------------------------------------------
Summary |CORS filter is not working in tomcat 9.0.11 and 9.0.12 |CORS filter example in docs not working in versions since 9.0.9
[Bug 62761] CORS filter is not working in tomcat 9.0.11 and 9.0.12
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62761
--- Comment #1 from Sreenivasan <sr...@gmail.com> ---
Created attachment 36164
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36164&action=edit
Attaching tomcat log for Cors Filter issue