tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chandrashekar H.S <schan...@kodiakptt.com>
Subject Tomcat CORS filter not allowing origin with file:// when resource access done from WebView
Date Fri, 19 Aug 2016 11:03:42 GMT 
Hi,


We are facing a problem in tomcat cors filter. Below is the filter configurations added in
web.xml for cors request processing.

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
    <!--<init-param>
      <param-name>cors.allow.nullorigin</param-name>
      <param-value>true</param-value>
   </init-param>-->
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,KN-X-UserAgent</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>

The Tomcat server processes all the cors request successfully when the Origin in the request
contains a domain for all sachems like http://www.kodiakptt.com , file://local<file://local/>
etc.


POST http://kodiakptt.com/poc/ HTTP/1.1
Host: medistreet.in
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://www.kodiakptt.com<http://www.kodiakptt.com/>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116
Safari/537.36


The http request fails if the Origin header contains only scheme and not a domain name. The
Server sends 403 when the request is as below.


POST http://kodiakptt.com/poc/ HTTP/1.1
Accept: application/json, text/plain, */*
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; XT1033 Build/KXB20.25-1.31) AppleWebKit/537.36
(KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
Content-Type: application/json;charset=UT

The Difference in request headers from the successfull operation and failed operations are

1. Origin is file:// in falied and http://www.kodiakptt.com<http://www.kodiakptt.com/>
in successfully processed request

2. The User-Agent header.


Regards,

Chandra
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message