tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?
Date Fri, 06 Feb 2015 10:45:41 GMT
On 06/02/2015 10:21, Brian wrote:
> Hello Mark,
> 1- No authentication at all, since the user authenticates sending a parameter in the
> query string.
> 2- I have two filters: "org.tuckey.web.filters.urlrewrite.UrlRewriteFilter" (which has
> been working fine for years now) and.... CORS, yes!!!
> Actually, the CORS filter (org.apache.catalina.filters.CorsFilter) is the first filter
> in my web.xml file, so it is the first to run.
> This is the way I have configured it:
>   <filter>
>     <filter-name>CorsFilter</filter-name>
>     <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>     <init-param>
>       <param-name></param-name>
>       <param-value>*</param-value>
>     </init-param>
>     <init-param>
>       <param-name></param-name>
>       <param-value>false</param-value>
>     </init-param>
>   </filter>
>   <filter-mapping>
>     <filter-name>CorsFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
> I added the CORS filter probably two months ago, and probably I have started seeing the
> 403 errors since then, yes!
> And now that I think about it, probably it is the CORS filter the reason of the 403 indeed,
> since my API is being called not only from servers but also from JavaScript running in all
> kind of browsers and maybe some of them don't deal with CORS properly. That would explain
> why the 403s happen occasionally. In fact, I see this 403 occurring in most of the cases by
> one specific user (authenticated by a parameter in the query string) that calls my API from
> In what conditions does this filter return a 403 error? What are the headers involved
> when that happens? How can I avoid this problem? Where (on the internet) can I learn more
> about this specific problem?
> Thanks Mark!

There have been some changes, so the best bet is to look at the source
code for the version you are using:

If I recall, clients that send a null origin will be rejected when * is
used. That got fixed recently.
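As an added illustration (not part of this thread and not Tomcat's CorsFilter source), the following Python model shows the decision a servlet CORS filter makes for one request and why the behaviour Mark describes produces sporadic 403s: a browser that sends the literal origin "null" (sandboxed iframes, file:// pages and some cross-origin redirects do this) is rejected under the older rule even though the configuration allows "*", while non-browser clients that send no Origin header at all pass through untouched. The class and function names, the `reject_null_origin_under_wildcard` switch and the constructed sample headers are my own assumptions for the example.

```python
"""Simplified model of a CORS filter's allow/deny decision (added example,
not Tomcat's code). The switch reject_null_origin_under_wildcard models the
older behaviour described in the reply; False models the corrected one."""

from dataclasses import dataclass, field


@dataclass
class CorsConfig:
    # {"*"} means any origin is allowed; otherwise an explicit allow-list.
    allowed_origins: set = field(default_factory=lambda: {"*"})
    support_credentials: bool = False
    # Assumption for the example: older filter versions rejected a literal
    # "null" origin even when "*" was configured.
    reject_null_origin_under_wildcard: bool = True


def origin_is_allowed(origin: str, config: CorsConfig) -> bool:
    """Return True when the Origin header value is acceptable."""
    if origin == "null":
        if config.reject_null_origin_under_wildcard:
            return False
        return "*" in config.allowed_origins
    if "*" in config.allowed_origins:
        return True
    return origin in config.allowed_origins


def handle(headers: dict, config: CorsConfig) -> tuple:
    """Return (status, response_headers) for one request.

    headers: request headers with lower-case keys."""
    origin = headers.get("origin")
    if origin is None:
        # No Origin header: not a CORS request (same-origin page or a
        # server-to-server client). The filter does not interfere.
        return 200, {}
    if not origin_is_allowed(origin, config):
        return 403, {}
    resp = {}
    if config.support_credentials:
        # Credentialed responses must echo the concrete origin, never "*".
        resp["Access-Control-Allow-Origin"] = origin
        resp["Access-Control-Allow-Credentials"] = "true"
    else:
        resp["Access-Control-Allow-Origin"] = (
            "*" if "*" in config.allowed_origins else origin
        )
    return 200, resp


# Constructed sample requests: a server client, a normal browser tab and a
# browser context that reports its origin as "null".
SAMPLE_REQUESTS = {
    "server_client": {"user-agent": "curl/7.40"},
    "browser_tab": {"origin": "https://app.example"},
    "sandboxed_frame": {"origin": "null"},
}


def triage(config: CorsConfig) -> dict:
    """Map each sample request name to the status the filter would return."""
    return {name: handle(h, config)[0] for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print("older behaviour:", triage(CorsConfig()))
    print("fixed behaviour:",
          triage(CorsConfig(reject_null_origin_under_wildcard=False)))
```

Running the model with both switches side by side shows that only the browser request carrying `Origin: null` changes outcome; server-to-server callers never see the 403, which matches the thread's observation that the failures cluster on one browser-based user.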
