Re: CORS issue with Tomcat and Android Webview

[Terence M. Bandoian]

On 4/24/2014 1:14 PM, Jose María Zaragoza wrote:
2014-04-24 19:00 GMT+02:00 Terence M. Bandoian <tere...@tmbsw.com>:
On 4/22/2014 1:37 PM, Jose María Zaragoza wrote:
---------- Forwarded message ----------
From: Terence M. Bandoian <tere...@tmbsw.com>
Date: 2014-04-22 20:12 GMT+02:00
Subject: Re: CORS issue with Tomcat and Android Webview
To: Tomcat Users List <users@tomcat.apache.org>

On 4/22/2014 11:03 AM, Ankit Singhal wrote:
Also we tried to give the same call from Android App to some different
Node
server and things worked fine. So it seems some problem with Tomcat only.

A silly question:

What does it have to do Tomcat's CORS support with W3C Widget Access
specification ?

I have no idea about Phonegap but it looks like that it prefers to
follow that specification for managing requests to different domains ,
right ?


Hi, Jose-

The request/response headers in the original post were difficult for me to
follow but basically, requests to Tomcat are successful when tested with
Chrome (desktop? laptop? server? same as Tomcat?) and unsuccessful when
tested from an Android device. What are the differences between the two
environments? Do those differences have any effect on request processing by
the Tomcat CORS filter? If it were me, I'd find out.

Well , I have no idea, but according this page

http://www.html5rocks.com/en/tutorials/cors/

if Content-Type is application/json , then request is a "not simple
request" ( sic. ) and it requires a OPTIONS preflight request (
including "Origin" header)
And "Once the preflight request gives permissions, the browser makes
the actual request"

First case (Chrome browser) did but, but the second didn't

Are you test to change the Content-Type ?

Regards


Hi, Jose-

From the page you cited:

"The use-case for CORS is simple. Imagine the site alice.com has some 
data that the site bob.com wants to access. This type of request 
traditionally wouldn’t be allowed under the browser’s same origin 
policy. However, by supporting CORS requests, alice.com can add a few 
special response headers that allows bob.com to access the data."

In this case, alice.com would be the server that hosts Tomcat.  As you 
suggest, the problem may very well be in the client but - FOR ME - it's 
worth the effort to understand what should happen on both the client and 
the server and to ensure that both are configured correctly.

-Terence Bandoian





On Tue, Apr 22, 2014 at 9:22 PM, Ankit Singhal
<ankising...@gmail.com>wrote:

Hi All



I am facing a strange problem with Tomcat 8 and CORS. I am developing a
Hybrid web app using ionicframework, AngularJS, Cordova as front end and
Tomcat 8 and Spring 3 as back-end.



For easy development I am testing the functionality in chrome , where
things are working fine. I added CORS filter with standard configuration
to
allow CROSS ORIGIN requests from browser.



Today I converted my app into Android App and started making AJAX calls
to
tomcat server. To my surprise things stopped working . I debugged
further
and anomalies in the headers of browser and Android webview.



Browser sends 2 requests for same call OPTION and POST. But Android
Webview only send POST request.



Browser Request Headers:



OPTION:

Remote Address:54.254.159.166:80

Request URL:http://medistreet.in/auth2

Request Method:OPTIONS

Status Code:200 OK

Request Headers

OPTIONS /auth2 HTTP/1.1

Host: medistreet.in

Connection: keep-alive

Access-Control-Request-Method: POST

Origin: http://localhost

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML,
like Gecko) Chrome/34.0.1847.116 Safari/537.36

Access-Control-Request-Headers: accept, content-type

Accept: */*

Referer: http://localhost/

Accept-Encoding: gzip,deflate,sdch

Accept-Language: en-US,en;q=






POST:



Remote Address:54.254.159.166:80

Request URL:http://medistreet.in/auth2

Request Method:POST

Status Code:200 OK



Request Headers

Accept:application/json, text/plain, */*

Accept-Encoding:gzip,deflate,sdch

Accept-Language:en-US,en;q=

Connection:keep-alive

Content-Length:39

Content-Type:application/json;charset=8


Host:medistreet.in

Origin:http://localhost

Referer:http://localhost/

User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML,
like Gecko) Chrome/34.0.1847.116 Safari/537.36





Android Request Headers:



Request URL:http://medistreet.in/auth2

Request Method:POST

Status Code:403 Forbidden

Request Headers

POST http://medistreet.in/auth2
HTTP/1.1<http://medistreet.in/auth2%20HTTP/1.1>

Accept: application/json, text/plain, */*

Origin: file://

User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; XT1033
Build/KXB20.25-1.31)
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0
Mobile
Safari/537.36

Content-Type: application/json;charset=8






The difference here I see is with Number of headers and specially Origin
Header  which contains "file://". To overcome this I added  more option
is CORS filter:



<filter>

<filter-name>CorsFilter</filter-name>

<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>

<init-param>

<param-name>cors.allowed.origins</param-name>

<param-value>*</param-value>

</init-param>

</filter>

<filter-mapping>

<filter-name>CorsFilter</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>



Another strange thing is that when we send the same Android request
Headers from POSTMAN (chrome REST plugin) request is successful.



POSTMAN Headers:



Remote Address:54.254.159.166:80

Request URL:http://medistreet.in/auth2

Request Method:POST

Status Code:200 OK

Request Headers

Accept:application/json, text/plain, */*

Accept-Encoding:gzip,deflate,sdch

Accept-Language:en-US,en;q=


Cache-Control:no-cache

Connection:keep-alive

Content-Length:39

Content-Type:application/json;charset=8

Cookie:fbm_464284963672217�se_domain=edistreet.in;
JSESSIONID�435755F03D7B045DD6E33D1D16AC51;

fbsr_464284963672217=SqF-nWquTFPk_-5wAtI0jTImBNkVxglUT-gHNSw.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiJBUUQ0UEZZVXE4eDFIa3V6OW9RV3RlVzE4clQ3SmtVRjBzU1VVcXhfV1BENG8tV1BZYjZuTVdDdDJGMmw4TjJUeUxLSzhIYUU1TUc2MkY5cXZOaXRMN3NGdklNZkhySmluYkdjMWs1THAyZnZYa2Zpa1lLVGJ0OWlZeXVvRDNWUDhTblp4czJCeTQ4RTlYY1ZjUmhGWGJsNnFMeG5YcWxxQ0d3b0hRM1ctRWhlLU02ejVITnhhakJtaVFRVk9PanFBVUtMSlk4Y3pLa0RtejFSY3RjTEFRaW16X1lkLUFkUngxUGwzajVNczdWOFdiMW9xeC05QjA0T2xraXktVU9ZalpSRUJsZjhibnZjQXQ2aUZTc1d2QTA3TjVUYnFIekVxQ0JIYjJNRG4tSUJhajl6TEMwQlVpckM0YzJXbC1GVDNhcyIsImlzc3VlZF9hdCI6MTM5ODE4MDg2NCwidXNlcl9pZCI6IjU3NjI1MjI2MiJ9


Host:medistreet.in

Origin:chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm

User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML,
like Gecko) Chrome/34.0.1847.116 Safari/537.36





After this also there is no solution to the problem .  I suspect that
Android Webview is not sending something which Tomcat is rejecting.



Any help will highly be appreciated.


Regards

Ankit


Hi, Ankit-

I would double-check the documentation for the Tomcat CORS filter and
the Cordova whitelist implementation:

https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
http://docs.phonegap.com/en/3.4.0/guide_appdev_whitelist_index.md.html

Hope that helps.

-Terence Bandoian


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org