Subject: Re: CORS issue with Tomcat and Android Webview
From: Ankit Singhal
To: Tomcat Users List
Date: Fri, 25 Apr 2014 09:46:20 +0530
In-Reply-To: <53596EB9.5030802@tmbsw.com>
References: <53596EB9.5030802@tmbsw.com>

Hi

I did more research on this and figured out the issue. If you see the headers from Android and look into the Origin header:

Origin: file://

The Tomcat CORS filter tries to validate the URI in the Origin header, considers "file://" an invalid URI and returns 403. I have applied * params. So shouldn't the CORS filter honor this? I agree that the client also has the problem, but still the server should also allow...

On Fri, Apr 25, 2014 at 1:36 AM, Terence M. Bandoian wrote:

> On 4/24/2014 1:14 PM, Jose María Zaragoza wrote:
>
>> 2014-04-24 19:00 GMT+02:00 Terence M. Bandoian:
>>
>>> On 4/22/2014 1:37 PM, Jose María Zaragoza wrote:
>>>
>>>> ---------- Forwarded message ----------
>>>> From: Terence M. Bandoian
>>>> Date: 2014-04-22 20:12 GMT+02:00
>>>> Subject: Re: CORS issue with Tomcat and Android Webview
>>>> To: Tomcat Users List
>>>>
>>>> On 4/22/2014 11:03 AM, Ankit Singhal wrote:
>>>>
>>>>> Also we tried to give the same call from the Android App to some different
>>>>> Node server and things worked fine. So it seems some problem with Tomcat
>>>>> only.
>>>>
>>>> A silly question:
>>>>
>>>> What does Tomcat's CORS support have to do with the W3C Widget Access
>>>> specification?
>>>>
>>>> I have no idea about Phonegap but it looks like it prefers to
>>>> follow that specification for managing requests to different domains,
>>>> right?
>>>
>>> Hi, Jose-
>>>
>>> The request/response headers in the original post were difficult for me to
>>> follow but basically, requests to Tomcat are successful when tested with
>>> Chrome (desktop? laptop? server? same as Tomcat?) and unsuccessful when
>>> tested from an Android device. What are the differences between the two
>>> environments? Do those differences have any effect on request processing by
>>> the Tomcat CORS filter? If it were me, I'd find out.
>>
>> Well, I have no idea, but according to this page
>>
>> http://www.html5rocks.com/en/tutorials/cors/
>>
>> if Content-Type is application/json, then the request is a "not simple
>> request" (sic.) and it requires an OPTIONS preflight request (including
>> the "Origin" header).
>> And "Once the preflight request gives permissions, the browser makes
>> the actual request"
>>
>> The first case (Chrome browser) did, but the second didn't.
>>
>> Have you tried changing the Content-Type?
>>
>> Regards
>
> Hi, Jose-
>
> From the page you cited:
>
> "The use-case for CORS is simple. Imagine the site alice.com has some
> data that the site bob.com wants to access. This type of request
> traditionally wouldn't be allowed under the browser's same origin policy.
> However, by supporting CORS requests, alice.com can add a few special
> response headers that allows bob.com to access the data."
>
> In this case, alice.com would be the server that hosts Tomcat. As you
> suggest, the problem may very well be in the client but - FOR ME - it's
> worth the effort to understand what should happen on both the client and
> the server and to ensure that both are configured correctly.
>
> -Terence Bandoian
>
>>>>> On Tue, Apr 22, 2014 at 9:22 PM, Ankit Singhal wrote:
>>>>>
>>>>>> Hi All
>>>>>>
>>>>>> I am facing a strange problem with Tomcat 8 and CORS. I am developing a
>>>>>> Hybrid web app using ionicframework, AngularJS, Cordova as front end and
>>>>>> Tomcat 8 and Spring 3 as back-end.
>>>>>>
>>>>>> For easy development I am testing the functionality in Chrome, where
>>>>>> things are working fine. I added the CORS filter with standard configuration
>>>>>> to allow CROSS ORIGIN requests from the browser.
>>>>>>
>>>>>> Today I converted my app into an Android App and started making AJAX calls
>>>>>> to the Tomcat server. To my surprise things stopped working. I debugged
>>>>>> further and found anomalies in the headers of the browser and Android webview.
>>>>>>
>>>>>> The browser sends 2 requests for the same call, OPTIONS and POST. But Android
>>>>>> Webview only sends the POST request.
>>>>>>
>>>>>> Browser Request Headers:
>>>>>>
>>>>>> OPTIONS:
>>>>>>
>>>>>> Remote Address:54.254.159.166:80
>>>>>> Request URL:http://medistreet.in/auth2
>>>>>> Request Method:OPTIONS
>>>>>> Status Code:200 OK
>>>>>>
>>>>>> Request Headers
>>>>>> OPTIONS /auth2 HTTP/1.1
>>>>>> Host: medistreet.in
>>>>>> Connection: keep-alive
>>>>>> Access-Control-Request-Method: POST
>>>>>> Origin: http://localhost
>>>>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
>>>>>> Access-Control-Request-Headers: accept, content-type
>>>>>> Accept: */*
>>>>>> Referer: http://localhost/
>>>>>> Accept-Encoding: gzip,deflate,sdch
>>>>>> Accept-Language: en-US,en;q=
>>>>>>
>>>>>> POST:
>>>>>>
>>>>>> Remote Address:54.254.159.166:80
>>>>>> Request URL:http://medistreet.in/auth2
>>>>>> Request Method:POST
>>>>>> Status Code:200 OK
>>>>>>
>>>>>> Request Headers
>>>>>> Accept:application/json, text/plain, */*
>>>>>> Accept-Encoding:gzip,deflate,sdch
>>>>>> Accept-Language:en-US,en;q=
>>>>>> Connection:keep-alive
>>>>>> Content-Length:39
>>>>>> Content-Type:application/json;charset=8
>>>>>> Host:medistreet.in
>>>>>> Origin:http://localhost
>>>>>> Referer:http://localhost/
>>>>>> User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
>>>>>>
>>>>>> Android Request Headers:
>>>>>>
>>>>>> Request URL:http://medistreet.in/auth2
>>>>>> Request Method:POST
>>>>>> Status Code:403 Forbidden
>>>>>>
>>>>>> Request Headers
>>>>>> POST http://medistreet.in/auth2 HTTP/1.1
>>>>>> Accept: application/json, text/plain, */*
>>>>>> Origin: file://
>>>>>> User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; XT1033 Build/KXB20.25-1.31) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
>>>>>> Content-Type: application/json;charset=8
>>>>>>
>>>>>> The difference I see here is in the number of headers and especially the Origin
>>>>>> header, which contains "file://". To overcome this I added a further option
>>>>>> in the CORS filter:
>>>>>>
>>>>>> <filter>
>>>>>>   <filter-name>CorsFilter</filter-name>
>>>>>>   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>>>>>>   <init-param>
>>>>>>     <param-name>cors.allowed.origins</param-name>
>>>>>>     <param-value>*</param-value>
>>>>>>   </init-param>
>>>>>> </filter>
>>>>>> <filter-mapping>
>>>>>>   <filter-name>CorsFilter</filter-name>
>>>>>>   <url-pattern>/*</url-pattern>
>>>>>> </filter-mapping>
>>>>>>
>>>>>> Another strange thing is that when we send the same Android request
>>>>>> headers from POSTMAN (Chrome REST plugin) the request is successful.
>>>>>>
>>>>>> POSTMAN Headers:
>>>>>>
>>>>>> Remote Address:54.254.159.166:80
>>>>>> Request URL:http://medistreet.in/auth2
>>>>>> Request Method:POST
>>>>>> Status Code:200 OK
>>>>>>
>>>>>> Request Headers
>>>>>> Accept:application/json, text/plain, */*
>>>>>> Accept-Encoding:gzip,deflate,sdch
>>>>>> Accept-Language:en-US,en;q=
>>>>>> Cache-Control:no-cache
>>>>>> Connection:keep-alive
>>>>>> Content-Length:39
>>>>>> Content-Type:application/json;charset=8
>>>>>> Cookie:[cookie values removed]
>>>>>> Host:medistreet.in
>>>>>> Origin:chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm
>>>>>> User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
>>>>>>
>>>>>> After this also there is no solution to the problem. I suspect that
>>>>>> Android Webview is not sending something which Tomcat is rejecting.
>>>>>>
>>>>>> Any help will be highly appreciated.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Ankit
>>>>
>>>> Hi, Ankit-
>>>>
>>>> I would double-check the documentation for the Tomcat CORS filter and
>>>> the Cordova whitelist implementation:
>>>>
>>>> https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
>>>> http://docs.phonegap.com/en/3.4.0/guide_appdev_whitelist_index.md.html
>>>>
>>>> Hope that helps.
>>>>
>>>> -Terence Bandoian
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
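As an added example, not part of the thread and not Tomcat's own code: a model of the CORS decision the thread describes (strict Origin parsing, preflight classification, allow-list check), run over the four requests quoted above. The `accept_opaque` switch and the `is_valid_origin` parse rule are assumptions that model the behaviour reported in the thread, not the filter's actual implementation.

```python
from urllib.parse import urlsplit

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
OPAQUE_ORIGINS = {"null", "file://"}  # sent by pages loaded from local files or sandboxed frames

def is_valid_origin(origin):
    """Strict parse (modelled, not Tomcat's code): Origin must be scheme://host[:port]
    with no percent-encoding. 'file://' has a scheme but no host, hence the 403 in the thread."""
    if "%" in origin:
        return False
    parts = urlsplit(origin)
    return bool(parts.scheme) and bool(parts.netloc)

def needs_preflight(method, headers):
    """A browser preflights any non-'simple' request; application/json is not a simple type."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return method not in SIMPLE_METHODS or (ctype != "" and ctype not in SIMPLE_CONTENT_TYPES)

def cors_decision(method, headers, allowed_origins, accept_opaque=False):
    """Return (status, extra response headers) for one request under the given allow-list.
    accept_opaque is an assumed switch: letting 'file://' or 'null' through grants access
    to every local page alike, so it is an explicit policy choice rather than a default."""
    origin = headers.get("Origin")
    if origin is None:
        return 200, {}  # no Origin header: not a CORS request, nothing to enforce
    if origin in OPAQUE_ORIGINS:
        if not accept_opaque:
            return 403, {}
    elif not is_valid_origin(origin):
        return 403, {}
    if "*" not in allowed_origins and origin not in allowed_origins:
        return 403, {}
    # Echo "*" or the exact origin; never add Allow-Credentials for a wildcard or opaque origin.
    response = {"Access-Control-Allow-Origin": "*" if "*" in allowed_origins else origin}
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:  # preflight
        response["Access-Control-Allow-Methods"] = headers["Access-Control-Request-Method"]
        response["Access-Control-Allow-Headers"] = headers.get("Access-Control-Request-Headers", "")
    return 200, response

# The four requests quoted in the thread, reduced to the headers that drive the decision.
CHROME_PREFLIGHT = ("OPTIONS", {"Origin": "http://localhost", "Access-Control-Request-Method": "POST",
                                "Access-Control-Request-Headers": "accept, content-type"})
CHROME_POST = ("POST", {"Origin": "http://localhost", "Content-Type": "application/json"})
ANDROID_POST = ("POST", {"Origin": "file://", "Content-Type": "application/json"})
POSTMAN_POST = ("POST", {"Origin": "chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm",
                         "Content-Type": "application/json"})
```

With `cors.allowed.origins` set to `*`, the Chrome preflight and POST and the POSTMAN POST all pass because their Origin parses to a scheme and a host, while the Android POST is refused on the Origin parse alone, before the allow-list is consulted.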