From Ankit Singhal <ankising...@gmail.com>
Subject Re: CORS issue with Tomcat and Android Webview
Date Fri, 25 Apr 2014 04:16:20 GMT
Hi

I did more research on this and figured out the issue. If you look at the headers
from Android and check the Origin header:

Origin: file://

Tomcat's CORS filter tries to validate the URI in the Origin header, considers
"file://" an invalid URI and returns 403.

I have applied the <accept-origin>*</accept-origin> param. So shouldn't the CORS
filter honor this?

I agree that the client also has the problem, but still the server should also
allow it...



On Fri, Apr 25, 2014 at 1:36 AM, Terence M. Bandoian <terence@tmbsw.com>wrote:

> On 4/24/2014 1:14 PM, Jose María Zaragoza wrote:
>
>> 2014-04-24 19:00 GMT+02:00 Terence M. Bandoian <terence@tmbsw.com>:
>>
>>> On 4/22/2014 1:37 PM, Jose María Zaragoza wrote:
>>>
>>>> ---------- Forwarded message ----------
>>>> From: Terence M. Bandoian <terence@tmbsw.com>
>>>> Date: 2014-04-22 20:12 GMT+02:00
>>>> Subject: Re: CORS issue with Tomcat and Android Webview
>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>>
>>>>
>>>> On 4/22/2014 11:03 AM, Ankit Singhal wrote:
>>>>
>>>>> Also we tried to give the same call from Android App to some different
>>>>> Node
>>>>> server and things worked fine. So it seems some problem with Tomcat
>>>>> only.
>>>>>
>>>>
>>>> A silly question:
>>>>
>>>> What does Tomcat's CORS support have to do with the W3C Widget Access
>>>> specification?
>>>>
>>>> I have no idea about Phonegap, but it looks like it prefers to follow
>>>> that specification for managing requests to different domains, right?
>>>>
>>>
>>>
>>> Hi, Jose-
>>>
>>> The request/response headers in the original post were difficult for me to
>>> follow but basically, requests to Tomcat are successful when tested with
>>> Chrome (desktop? laptop? server? same as Tomcat?) and unsuccessful when
>>> tested from an Android device. What are the differences between the two
>>> environments? Do those differences have any effect on request processing by
>>> the Tomcat CORS filter? If it were me, I'd find out.
>>>
>>
>> Well, I have no idea, but according to this page
>>
>> http://www.html5rocks.com/en/tutorials/cors/
>>
>> if Content-Type is application/json, then the request is a "not simple
>> request" (sic) and it requires an OPTIONS preflight request (including
>> the "Origin" header).
>> And "Once the preflight request gives permissions, the browser makes
>> the actual request".
>>
>> The first case (Chrome browser) did, but the second didn't.
>>
>> Have you tried changing the Content-Type?
>>
>> Regards
>>
>
>
> Hi, Jose-
>
> From the page you cited:
>
> "The use-case for CORS is simple. Imagine the site alice.com has some
> data that the site bob.com wants to access. This type of request
> traditionally wouldn’t be allowed under the browser’s same origin policy.
> However, by supporting CORS requests, alice.com can add a few special
> response headers that allows bob.com to access the data."
>
> In this case, alice.com would be the server that hosts Tomcat.  As you
> suggest, the problem may very well be in the client but - FOR ME - it's
> worth the effort to understand what should happen on both the client and
> the server and to ensure that both are configured correctly.
>
> -Terence Bandoian
>
>
>
>>
>>
>>>>> On Tue, Apr 22, 2014 at 9:22 PM, Ankit Singhal <ankisinghal@gmail.com> wrote:
>>>>>
>>>>>  Hi All
>>>>>>
>>>>>>
>>>>>>
>>>>>> I am facing a strange problem with Tomcat 8 and CORS. I am developing a
>>>>>> Hybrid web app using ionicframework, AngularJS, Cordova as front end
>>>>>> and Tomcat 8 and Spring 3 as back-end.
>>>>>>
>>>>>>
>>>>>>
>>>>>> For easy development I am testing the functionality in Chrome, where
>>>>>> things are working fine. I added the CORS filter with the standard
>>>>>> configuration to allow cross-origin requests from the browser.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Today I converted my app into an Android App and started making AJAX
>>>>>> calls to the Tomcat server. To my surprise things stopped working. I
>>>>>> debugged further and found anomalies in the headers of the browser and
>>>>>> the Android webview.
>>>>>>
>>>>>>
>>>>>>
>>>>>> The browser sends 2 requests for the same call, OPTIONS and POST. But the
>>>>>> Android Webview only sends the POST request.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Browser Request Headers:
>>>>>>
>>>>>>
>>>>>>
>>>>>> OPTION:
>>>>>>
>>>>>> Remote Address:54.254.159.166:80
>>>>>>
>>>>>> Request URL:http://medistreet.in/auth2
>>>>>>
>>>>>> Request Method:OPTIONS
>>>>>>
>>>>>> Status Code:200 OK
>>>>>>
>>>>>> Request Headers
>>>>>>
>>>>>> OPTIONS /auth2 HTTP/1.1
>>>>>>
>>>>>> Host: medistreet.in
>>>>>>
>>>>>> Connection: keep-alive
>>>>>>
>>>>>> Access-Control-Request-Method: POST
>>>>>>
>>>>>> Origin: http://localhost
>>>>>>
>>>>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
>>>>>> (KHTML,
>>>>>> like Gecko) Chrome/34.0.1847.116 Safari/537.36
>>>>>>
>>>>>> Access-Control-Request-Headers: accept, content-type
>>>>>>
>>>>>> Accept: */*
>>>>>>
>>>>>> Referer: http://localhost/
>>>>>>
>>>>>> Accept-Encoding: gzip,deflate,sdch
>>>>>>
>>>>>> Accept-Language: en-US,en;q=
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> POST:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Remote Address:54.254.159.166:80
>>>>>>
>>>>>> Request URL:http://medistreet.in/auth2
>>>>>>
>>>>>> Request Method:POST
>>>>>>
>>>>>> Status Code:200 OK
>>>>>>
>>>>>>
>>>>>>
>>>>>> Request Headers
>>>>>>
>>>>>> Accept:application/json, text/plain, */*
>>>>>>
>>>>>> Accept-Encoding:gzip,deflate,sdch
>>>>>>
>>>>>> Accept-Language:en-US,en;q=
>>>>>>
>>>>>> Connection:keep-alive
>>>>>>
>>>>>> Content-Length:39
>>>>>>
>>>>>> Content-Type:application/json;charset=8
>>>>>>
>>>>>>
>>>>>> Host:medistreet.in
>>>>>>
>>>>>> Origin:http://localhost
>>>>>>
>>>>>> Referer:http://localhost/
>>>>>>
>>>>>> User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
>>>>>> (KHTML,
>>>>>> like Gecko) Chrome/34.0.1847.116 Safari/537.36
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Android Request Headers:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Request URL:http://medistreet.in/auth2
>>>>>>
>>>>>> Request Method:POST
>>>>>>
>>>>>> Status Code:403 Forbidden
>>>>>>
>>>>>> Request Headers
>>>>>>
>>>>>> POST http://medistreet.in/auth2 HTTP/1.1
>>>>>>
>>>>>> Accept: application/json, text/plain, */*
>>>>>>
>>>>>> Origin: file://
>>>>>>
>>>>>> User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; XT1033
>>>>>> Build/KXB20.25-1.31)
>>>>>> AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0
>>>>>> Mobile
>>>>>> Safari/537.36
>>>>>>
>>>>>> Content-Type: application/json;charset=8
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> The difference I see here is in the number of headers and especially
>>>>>> the Origin header, which contains "file://". To overcome this I added
>>>>>> more options in the CORS filter:
>>>>>>
>>>>>>
>>>>>>
>>>>>> <filter>
>>>>>>   <filter-name>CorsFilter</filter-name>
>>>>>>   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>>>>>>   <init-param>
>>>>>>     <param-name>cors.allowed.origins</param-name>
>>>>>>     <param-value>*</param-value>
>>>>>>   </init-param>
>>>>>> </filter>
>>>>>>
>>>>>> <filter-mapping>
>>>>>>   <filter-name>CorsFilter</filter-name>
>>>>>>   <url-pattern>/*</url-pattern>
>>>>>> </filter-mapping>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Another strange thing is that when we send the same Android request
>>>>>> headers from POSTMAN (Chrome REST plugin), the request is successful.
>>>>>>
>>>>>>
>>>>>>
>>>>>> POSTMAN Headers:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Remote Address:54.254.159.166:80
>>>>>>
>>>>>> Request URL:http://medistreet.in/auth2
>>>>>>
>>>>>> Request Method:POST
>>>>>>
>>>>>> Status Code:200 OK
>>>>>>
>>>>>> Request Headers
>>>>>>
>>>>>> Accept:application/json, text/plain, */*
>>>>>>
>>>>>> Accept-Encoding:gzip,deflate,sdch
>>>>>>
>>>>>> Accept-Language:en-US,en;q=
>>>>>>
>>>>>>
>>>>>> Cache-Control:no-cache
>>>>>>
>>>>>> Connection:keep-alive
>>>>>>
>>>>>> Content-Length:39
>>>>>>
>>>>>> Content-Type:application/json;charset=8
>>>>>>
>>>>>> Cookie:fbm_464284963672217=base_domain=medistreet.in;
>>>>>> JSESSIONID�435755F03D7B045DD6E33D1D16AC51;
>>>>>>
>>>>>> fbsr_464284963672217=SqF-nWquTFPk_-5wAtI0jTImBNkVxglUT-gHNSw.
>>>>>> eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiJBUUQ0UEZZVXE4
>>>>>> eDFIa3V6OW9RV3RlVzE4clQ3SmtVRjBzU1VVcXhfV1BENG8tV1BZYjZuTVdD
>>>>>> dDJGMmw4TjJUeUxLSzhIYUU1TUc2MkY5cXZOaXRMN3NGdklNZkhySmluYkdj
>>>>>> MWs1THAyZnZYa2Zpa1lLVGJ0OWlZeXVvRDNWUDhTblp4czJCeTQ4RTlYY1Zj
>>>>>> UmhGWGJsNnFMeG5YcWxxQ0d3b0hRM1ctRWhlLU02ejVITnhhakJtaVFRVk9P
>>>>>> anFBVUtMSlk4Y3pLa0RtejFSY3RjTEFRaW16X1lkLUFkUngxUGwzajVNczdW
>>>>>> OFdiMW9xeC05QjA0T2xraXktVU9ZalpSRUJsZjhibnZjQXQ2aUZTc1d2QTA3
>>>>>> TjVUYnFIekVxQ0JIYjJNRG4tSUJhajl6TEMwQlVpckM0YzJXbC1GVDNhcyIs
>>>>>> Imlzc3VlZF9hdCI6MTM5ODE4MDg2NCwidXNlcl9pZCI6IjU3NjI1MjI2MiJ9
>>>>>>
>>>>>>
>>>>>> Host:medistreet.in
>>>>>>
>>>>>> Origin:chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm
>>>>>>
>>>>>> User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
>>>>>> (KHTML,
>>>>>> like Gecko) Chrome/34.0.1847.116 Safari/537.36
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> After this also there is no solution to the problem. I suspect that
>>>>>> the Android Webview is not sending something which Tomcat is rejecting.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Any help will highly be appreciated.
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Ankit
>>>>>>
>>>>>
>>>>
>>>> Hi, Ankit-
>>>>
>>>> I would double-check the documentation for the Tomcat CORS filter and
>>>> the Cordova whitelist implementation:
>>>>
>>>> https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
>>>> http://docs.phonegap.com/en/3.4.0/guide_appdev_whitelist_index.md.html
>>>>
>>>> Hope that helps.
>>>>
>>>> -Terence Bandoian
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>

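The three captures quoted in this thread (the Chrome preflight and POST, the Android WebView POST with `Origin: file://`, and the Postman POST from a `chrome-extension://` origin), run through a model of the server-side CORS decision. This is an added example in JavaScript and is not Tomcat's CorsFilter, Cordova code, or anything from the thread; the function names, the `allowFileScheme` switch and the header sets are this example's own, not Tomcat parameters. It reproduces what the thread reports: with `cors.allowed.origins=*` the Chrome and Postman requests pass, while a bare `Origin: file://` is rejected as syntactically invalid before the allow-list is consulted, because a strict origin parser expects `scheme://host` and `file://` carries no host. Beside that configuration is a stricter one that names the origins the hybrid app actually uses and opts into the WebView's `file://` origin explicitly. The request objects are constructed from the quoted headers, with names lower-cased.

```javascript
// Added example (not Tomcat's code): a model of the server-side CORS gate that
// reproduces the three captures in the thread and puts a stricter configuration
// beside the cors.allowed.origins=* one. Request objects are constructed from
// the headers quoted in the thread; header names are lower-cased as a servlet
// container exposes them case-insensitively.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
// RFC 6454 serialised origin: scheme "://" host [":" port]. A bare "file://"
// carries no host, which is why a strict URI parser rejects it as an origin.
const ORIGIN_RE = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#\s]+)(?::(\d{1,5}))?$/i;

// Normalise an Origin header value; null means "not a valid origin" (-> 403).
function parseOrigin(origin, { allowFileScheme = false } = {}) {
  if (origin.includes("%")) return null;               // refuse encoded bytes (CRLF-injection guard)
  if (origin === "null") return "null";                 // opaque origin: sandboxed iframe, some file pages
  if (/^file:\/\//i.test(origin)) return allowFileScheme ? "file://" : null;
  const m = ORIGIN_RE.exec(origin);
  if (!m) return null;
  return `${m[1].toLowerCase()}://${m[2].toLowerCase()}${m[3] ? ":" + m[3] : ""}`;
}

// "preflight", "simple", or "actual" (non-simple; the browser should have sent a
// preflight first, but a stateless server cannot verify that, so it is gated too).
function requestKind(req) {
  const h = req.headers;
  if (req.method === "OPTIONS" && h["access-control-request-method"]) return "preflight";
  const mediaType = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  const simple = SIMPLE_METHODS.has(req.method) &&
    (!h["content-type"] || SIMPLE_CONTENT_TYPES.has(mediaType));
  return simple ? "simple" : "actual";
}

function corsDecision(req, config) {
  const { allowedOrigins, allowedMethods, allowedHeaders,
          allowFileScheme = false, supportsCredentials = false } = config;
  if (allowedOrigins === "*" && supportsCredentials) {
    // Browsers reject "*" with credentials, and reflecting any origin instead
    // would hand every site a credentialed read of the API: refuse at startup.
    throw new Error("allowedOrigins=* cannot be combined with credentials");
  }
  const raw = req.headers.origin;
  if (raw === undefined) return { status: 200, cors: false, reason: "not a CORS request" };
  const origin = parseOrigin(raw, { allowFileScheme });
  if (origin === null) return { status: 403, cors: true, reason: `invalid Origin: ${raw}` };
  if (allowedOrigins !== "*" && !allowedOrigins.has(origin)) {
    return { status: 403, cors: true, reason: `origin not allowed: ${origin}` };
  }
  const headers = { "Access-Control-Allow-Origin": allowedOrigins === "*" ? "*" : origin };
  if (allowedOrigins !== "*") headers.Vary = "Origin";   // per-origin answer: keep shared caches honest
  if (supportsCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  const kind = requestKind(req);
  if (kind === "preflight") {
    const method = req.headers["access-control-request-method"].toUpperCase();
    if (!allowedMethods.has(method)) return { status: 403, cors: true, reason: `method not allowed: ${method}` };
    const requested = (req.headers["access-control-request-headers"] || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    const bad = requested.filter((h) => !allowedHeaders.has(h));
    if (bad.length) return { status: 403, cors: true, reason: `header not allowed: ${bad.join(",")}` };
    headers["Access-Control-Allow-Methods"] = [...allowedMethods].join(",");
    headers["Access-Control-Allow-Headers"] = [...allowedHeaders].join(",");
    headers["Access-Control-Max-Age"] = "1800";
  }
  return { status: 200, cors: true, kind, headers, reason: "allowed" };
}

// --- Constructed from the thread's captures (charset parameter omitted) ---
const chromePreflight = { method: "OPTIONS", headers: { origin: "http://localhost",
  "access-control-request-method": "POST", "access-control-request-headers": "accept, content-type" } };
const chromePost  = { method: "POST", headers: { origin: "http://localhost", "content-type": "application/json" } };
const androidPost = { method: "POST", headers: { origin: "file://", "content-type": "application/json" } };
const postmanPost = { method: "POST", headers: {
  origin: "chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm", "content-type": "application/json" } };

// The thread's web.xml in this model: every syntactically valid origin is allowed.
const wildcardConfig = { allowedOrigins: "*", allowedMethods: new Set(["GET", "POST", "HEAD", "OPTIONS"]),
  allowedHeaders: new Set(["accept", "content-type"]) };
// Stricter: list the origins the hybrid app really uses and opt into the WebView's
// file:// origin explicitly; an origin any local file can present is not a trust signal.
const strictConfig = { ...wildcardConfig, allowedOrigins: new Set(["http://localhost", "file://"]),
  allowFileScheme: true };

// One line per (request, config) pair, e.g. "androidPost wildcardConfig 403 invalid Origin: file://".
function summary() {
  const lines = [];
  for (const [name, req] of Object.entries({ chromePreflight, chromePost, androidPost, postmanPost })) {
    for (const [cfgName, cfg] of Object.entries({ wildcardConfig, strictConfig })) {
      const d = corsDecision(req, cfg);
      lines.push(`${name.padEnd(16)} ${cfgName.padEnd(15)} ${d.status} ${d.reason}`);
    }
  }
  return lines;
}
console.log(summary().join("\n"));
```

Two points the thread leaves implicit. Allowing `file://` (or `null`) means allowing an origin that any local HTML file, sandboxed frame or hostile app on the device can present, so it belongs only on endpoints that do not use the origin for authorization, and never together with credentials. And the preflight is a browser-side control: the WebView sent its non-simple POST without one, and a stateless server cannot tell, which is why the model gates the actual request on Origin as well. Later releases of Tomcat's CorsFilter treat a `file://` Origin as valid, citing RFC 6454 section 4, which leaves the origin value for file URIs implementation-defined.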