
My REST services are deployed under Tomcat 7.0.64 (http://localhost:8080/xxx). I invoke these services using a JavaScript library sourced by HTML pages. These HTML pages are served from another origin (http://localhost:9090/html/yyy.html).

To enable cross origin requests, on server, I have configured CORSFilter in web.xml as follows:

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <!-- "*" accepts every origin. Together with cors.support.credentials=true below,
         the filter echoes whatever Origin the browser sent back in
         Access-Control-Allow-Origin and adds Access-Control-Allow-Credentials: true,
         so any site can make credentialed cross-origin calls to these services.
         Use an explicit, comma-separated list of origins outside local testing. -->
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,HEAD,OPTIONS,PUT,PATCH,DELETE</param-value>
    </init-param>
    <!-- Request headers a preflight may ask for; matched case-insensitively.
         The RequestDumper output shows x-custom2 being allowed, so the second
         custom header is X-CUSTOM2 (the original post had a typo here). -->
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-CUSTOM1,X-CUSTOM2,X-CUSTOM3</param-value>
    </init-param>
    <!-- Response headers the browser is allowed to expose to script. -->
    <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,X-CUSTOM3</param-value>
    </init-param>
    <init-param>
        <param-name>cors.support.credentials</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- Seconds the browser may cache a preflight result (Access-Control-Max-Age). -->
    <init-param>
        <param-name>cors.preflight.maxage</param-name>
        <param-value>10</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <!-- Tomcat treats "*" as match-all; "/*" is the portable servlet-spec form. -->
    <url-pattern>*</url-pattern>
</filter-mapping>

From the following RequestDumper output, you can notice that the preflight request from the browser received a successful response (200). However, the actual request that followed failed with 403 Forbidden:

Preflight Request and Response

http-apr-8080-exec-6 ===============================================================
http-apr-8080-exec-8 START TIME        =26-Sep-2015 21:28:53
http-apr-8080-exec-8         requestURI=/xxxx/zzzz
http-apr-8080-exec-8           authType=null
http-apr-8080-exec-8  characterEncoding=null
http-apr-8080-exec-8      contentLength=-1
http-apr-8080-exec-8        contentType=null
http-apr-8080-exec-8        contextPath=/xxxx
http-apr-8080-exec-8             header=host=localhost:8080
http-apr-8080-exec-8             header=connection=keep-alive
http-apr-8080-exec-8             header=pragma=no-cache
http-apr-8080-exec-8             header=cache-control=no-cache
http-apr-8080-exec-8             header=access-control-request-method=POST
http-apr-8080-exec-8             header=origin=http://localhost:9090
http-apr-8080-exec-8             header=user-agent=Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.42 Safari/537.36
http-apr-8080-exec-8             header=access-control-request-headers=x-custom1, x-custom2
http-apr-8080-exec-8             header=accept=*/*
http-apr-8080-exec-8             header=referer=http://localhost:9090/html/yyyy.html
http-apr-8080-exec-8             header=accept-encoding=gzip, deflate, sdch
http-apr-8080-exec-8             header=accept-language=en-US,en;q=0.8,ta;q=0.6
http-apr-8080-exec-8             locale=en_US
http-apr-8080-exec-8             method=OPTIONS
http-apr-8080-exec-8           pathInfo=null
http-apr-8080-exec-8           protocol=HTTP/1.1
http-apr-8080-exec-8        queryString=null
http-apr-8080-exec-8         remoteAddr=127.0.0.1
http-apr-8080-exec-8         remoteHost=127.0.0.1
http-apr-8080-exec-8         remoteUser=null
http-apr-8080-exec-8 requestedSessionId=null
http-apr-8080-exec-8             scheme=http
http-apr-8080-exec-8         serverName=localhost
http-apr-8080-exec-8         serverPort=8080
http-apr-8080-exec-8        servletPath=/zzzz
http-apr-8080-exec-8           isSecure=false
http-apr-8080-exec-8 ------------------=--------------------------------------------
http-apr-8080-exec-8 ------------------=--------------------------------------------
http-apr-8080-exec-8           authType=null
http-apr-8080-exec-8        contentType=null
http-apr-8080-exec-8             header=Access-Control-Allow-Origin=http://localhost:9090
http-apr-8080-exec-8             header=Access-Control-Allow-Credentials=true
http-apr-8080-exec-8             header=Access-Control-Max-Age=10
http-apr-8080-exec-8             header=Access-Control-Allow-Methods=POST
http-apr-8080-exec-8             header=Access-Control-Allow-Headers=content-type,x-custom1,access-control-request-headers,accept,access-control-request-method,x-custom2,origin,x-custom3,x-requested-with
http-apr-8080-exec-8         remoteUser=null
http-apr-8080-exec-8             status=200
http-apr-8080-exec-8 END TIME          =26-Sep-2015 21:28:53
http-apr-8080-exec-8 ===============================================================

Actual Request and Response - That failed with 403 Forbidden

http-apr-8080-exec-9 START TIME        =26-Sep-2015 21:28:53
http-apr-8080-exec-9         requestURI=/xxxx/zzzz
http-apr-8080-exec-9           authType=null
http-apr-8080-exec-9  characterEncoding=null
http-apr-8080-exec-9      contentLength=0
http-apr-8080-exec-9        contentType=null
http-apr-8080-exec-9        contextPath=/xxxx
http-apr-8080-exec-9             header=host=localhost:8080
http-apr-8080-exec-9             header=connection=keep-alive
http-apr-8080-exec-9             header=content-length=0
http-apr-8080-exec-9             header=pragma=no-cache
http-apr-8080-exec-9             header=cache-control=no-cache
http-apr-8080-exec-9             header=origin=http://localhost:9090
http-apr-8080-exec-9             header=x-custom1=aaaaa
http-apr-8080-exec-9             header=x-custom2=bbbbb
http-apr-8080-exec-9             header=user-agent=Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.42 Safari/537.36
http-apr-8080-exec-9             header=accept=*/*
http-apr-8080-exec-9             header=referer=http://localhost:9090/html/yyyy.html
http-apr-8080-exec-9             header=accept-encoding=gzip, deflate
http-apr-8080-exec-9             header=accept-language=en-US,en;q=0.8,ta;q=0.6
http-apr-8080-exec-9             locale=en_US
http-apr-8080-exec-9             method=POST
http-apr-8080-exec-9           pathInfo=null
http-apr-8080-exec-9           protocol=HTTP/1.1
http-apr-8080-exec-9        queryString=null
http-apr-8080-exec-9         remoteAddr=127.0.0.1
http-apr-8080-exec-9         remoteHost=127.0.0.1
http-apr-8080-exec-9         remoteUser=null
http-apr-8080-exec-9 requestedSessionId=null
http-apr-8080-exec-9             scheme=http
http-apr-8080-exec-9         serverName=localhost
http-apr-8080-exec-9         serverPort=8080
http-apr-8080-exec-9        servletPath=/zzzz
http-apr-8080-exec-9           isSecure=false
http-apr-8080-exec-9 ------------------=--------------------------------------------
http-apr-8080-exec-9 ------------------=--------------------------------------------
http-apr-8080-exec-9           authType=null
http-apr-8080-exec-9        contentType=text/plain
http-apr-8080-exec-9         remoteUser=null
http-apr-8080-exec-9             status=403
http-apr-8080-exec-9 END TIME          =26-Sep-2015 21:28:53
http-apr-8080-exec-9 =============================================================== 

I am using Chrome as my browser.

I am wondering: when a preflight request is successful, is it possible for the actual request to get a 403 Forbidden response?

Also please note that I have tested sending this same request from the Chrome plugin Postman and I could get the expected response successfully without the 403 error.

I went through the flow given in the Tomcat CORSFilter flowchart. I am not clear as to what is going wrong here. I would appreciate your help in solving the issue. Thanks.

asked Sep 26, 2015 at 17:04 by nagu; edited Sep 26, 2015 at 17:22

  • I've tried logging with Tomcat in WSO2 DAS 3.10, but I failed. log4j.properties: org.apache.catalina.filters=DEBUG. What are your logging settings? – shuttle, Nov 4, 2016 at 14:43

2 Answers

I had encountered the exact same issue. The solution was quite simple actually.

"There I noticed that the HTTP POST requests are somehow required to have the Content-Type HTTP header filled."

Try adding a Content-Type to your POST request.

To add to this answer, the most likely reason for this working in Postman but not in the browser itself is that Postman is probably automatically adding the Content-Type to the request.
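The following reference model is an added illustration written for this page, not Tomcat's own code and not part of the original thread. It re-implements the request classification and header checks of the Tomcat 7.0.x CorsFilter in Python so that the two exchanges from the RequestDumper output above can be replayed offline. It shows why a preflight can succeed while the actual request gets 403: the preflight path never looks at Content-Type, but a POST that carries an Origin header and no Content-Type is never assigned a request type, so the filter's default of "invalid CORS request" stands and the filter answers 403 itself with a text/plain body, which is exactly what the failing response in the dump looks like. The same model shows two things worth knowing when debugging this: a request without an Origin header is not treated as CORS at all and is passed straight through to the application, and cors.allowed.origins=* together with cors.support.credentials=true echoes any origin back with Access-Control-Allow-Credentials: true. The method and media-type sets are transcribed from the 7.0.x source as the editor reads it; http://evil.example and the stricter second configuration in the test are constructed for the illustration. Later Tomcat releases changed both the no-Content-Type classification and the wildcard-with-credentials combination, so check the CorsFilter source shipped with the version you run.

```python
"""Added model of Tomcat 7.0.x CorsFilter request handling; not Tomcat's own code."""

# POST bodies with one of these media types count as "simple" CORS requests.
SIMPLE_POST_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
# Methods the 7.0.x filter classifies as "actual" without a Content-Type check (PATCH is absent).
COMPLEX_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}
NOT_CORS, SIMPLE, ACTUAL, PRE_FLIGHT, INVALID_CORS = "NOT_CORS", "SIMPLE", "ACTUAL", "PRE_FLIGHT", "INVALID_CORS"

def classify(method, headers):
    """Mirror CorsFilter.checkRequestType(); header names are lower-case as in the dump."""
    origin = headers.get("origin")
    if origin is None:
        return NOT_CORS                 # no Origin header: the filter stays out of the way
    if origin == "":
        return INVALID_CORS
    if method == "OPTIONS":
        acrm = headers.get("access-control-request-method")
        return PRE_FLIGHT if acrm else (INVALID_CORS if acrm == "" else ACTUAL)
    if method in ("GET", "HEAD"):
        return SIMPLE
    if method == "POST":
        content_type = headers.get("content-type")
        if content_type is None:
            # No Content-Type: no type is ever assigned, so the default INVALID_CORS
            # stands and the filter answers 403 (text/plain) itself.
            return INVALID_CORS
        media_type = content_type.split(";", 1)[0].strip().lower()   # drop ';charset=...'
        return SIMPLE if media_type in SIMPLE_POST_CONTENT_TYPES else ACTUAL
    return ACTUAL if method in COMPLEX_METHODS else INVALID_CORS

class CorsFilterModel:
    def __init__(self, allowed_origins, allowed_methods, allowed_headers,
                 support_credentials=False, preflight_max_age=1800):
        self.any_origin = list(allowed_origins) == ["*"]
        self.allowed_origins = set(allowed_origins)
        self.allowed_methods = set(allowed_methods)
        self.allowed_headers = {h.lower() for h in allowed_headers}
        self.support_credentials = support_credentials
        self.max_age = preflight_max_age

    def handle(self, method, headers):
        """Return (status, CORS response headers, reached_application), as doFilter() would."""
        kind = classify(method, headers)
        if kind == NOT_CORS:
            return 200, {}, True
        origin = headers.get("origin")
        if kind == INVALID_CORS or not (self.any_origin or origin in self.allowed_origins):
            return 403, {}, False
        # With "*" plus credentials the browser's Origin is echoed back verbatim.
        resp = {"Access-Control-Allow-Origin":
                "*" if self.any_origin and not self.support_credentials else origin}
        if self.support_credentials:
            resp["Access-Control-Allow-Credentials"] = "true"
        if kind == PRE_FLIGHT:
            want_method = headers["access-control-request-method"]
            want_headers = [h.strip().lower() for h in
                            headers.get("access-control-request-headers", "").split(",") if h.strip()]
            if want_method not in self.allowed_methods or \
                    any(h not in self.allowed_headers for h in want_headers):
                return 403, {}, False
            resp["Access-Control-Max-Age"] = str(self.max_age)
            resp["Access-Control-Allow-Methods"] = want_method
            resp["Access-Control-Allow-Headers"] = ",".join(sorted(self.allowed_headers))
            return 200, resp, False     # preflights are answered by the filter itself
        if method not in self.allowed_methods:
            return 403, {}, False
        return 200, resp, True

# The filter as configured in the question's web.xml; header values below come from the dump.
FILTER = CorsFilterModel(
    allowed_origins=["*"],
    allowed_methods=["GET", "POST", "HEAD", "OPTIONS", "PUT", "PATCH", "DELETE"],
    allowed_headers=["Content-Type", "X-Requested-With", "accept", "Origin", "Access-Control-Request-Method",
                     "Access-Control-Request-Headers", "X-CUSTOM1", "X-CUSTOM2", "X-CUSTOM3"],
    support_credentials=True, preflight_max_age=10)
ORIGIN = "http://localhost:9090"
CUSTOM = {"x-custom1": "aaaaa", "x-custom2": "bbbbb"}

def preflight():
    return FILTER.handle("OPTIONS", {"origin": ORIGIN, "access-control-request-method": "POST",
                                     "access-control-request-headers": "x-custom1, x-custom2"})

def post_without_content_type():        # the request that got 403 in the dump
    return FILTER.handle("POST", {"origin": ORIGIN, "content-length": "0", **CUSTOM})

def post_with_content_type(content_type="text/plain"):   # the fix from the answer
    return FILTER.handle("POST", {"origin": ORIGIN, "content-type": content_type, **CUSTOM})

def post_without_origin():              # a client that sends no Origin header at all
    return FILTER.handle("POST", dict(CUSTOM))

def credentialed_get_from(origin, filt=FILTER):   # evil.example below is a constructed example
    return filt.handle("GET", {"origin": origin})

if __name__ == "__main__":
    for fn in (preflight, post_without_content_type, post_with_content_type, post_without_origin):
        print(f"{fn.__name__:25s} -> {fn()}")
    print(f"{'GET from evil.example':25s} -> {credentialed_get_from('http://evil.example')}")
```

Running it prints one (status, headers, reached_application) tuple per exchange: the first two reproduce the 200 and the 403 seen in the dump, the third is what the answer's fix produces, and the last two cover the no-Origin client and the wildcard-with-credentials case. Replacing "*" with an explicit list of origins makes the model, like the real filter, answer 403 to any origin not on the list.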
