Hi,

I did more research on this and figured out the issue. If you see the headers from Android and look into the Origin header:

Origin: file://

Tomcat CORS filter tries to validate the URI in the Origin header, considers "file://" an invalid URI and returns 403. I have applied <accept-origin>*</accept-origin> params. So shouldn't the CORS filter honor this? I agree that the client also has the problem, but still the server should also allow...

On Fri, Apr 25, 2014 at 1:36 AM, Terence M. Bandoian <tere...@tmbsw.com> wrote:

> On 4/24/2014 1:14 PM, Jose María Zaragoza wrote:
>
>> 2014-04-24 19:00 GMT+02:00 Terence M. Bandoian <tere...@tmbsw.com>:
>>
>>> On 4/22/2014 1:37 PM, Jose María Zaragoza wrote:
>>>
>>>> ---------- Forwarded message ----------
>>>> From: Terence M. Bandoian <tere...@tmbsw.com>
>>>> Date: 2014-04-22 20:12 GMT+02:00
>>>> Subject: Re: CORS issue with Tomcat and Android Webview
>>>> To: Tomcat Users List <users@tomcat.apache.org>
>>>>
>>>> On 4/22/2014 11:03 AM, Ankit Singhal wrote:
>>>>
>>>>> Also we tried to give the same call from Android App to some different
>>>>> Node server and things worked fine. So it seems some problem with Tomcat
>>>>> only.
>>>>>
>>>>> A silly question:
>>>>
>>>> What does Tomcat's CORS support have to do with the W3C Widget Access
>>>> specification?
>>>>
>>>> I have no idea about Phonegap but it looks like it prefers to
>>>> follow that specification for managing requests to different domains,
>>>> right?
>>>>
>>>
>>> Hi, Jose-
>>>
>>> The request/response headers in the original post were difficult for me to
>>> follow but basically, requests to Tomcat are successful when tested with
>>> Chrome (desktop? laptop? server? same as Tomcat?) and unsuccessful when
>>> tested from an Android device. What are the differences between the two
>>> environments? Do those differences have any effect on request processing by
>>> the Tomcat CORS filter? If it were me, I'd find out.
>>>
>>
>> Well, I have no idea, but according to this page
>>
>> http://www.html5rocks.com/en/tutorials/cors/
>>
>> if Content-Type is application/json, then the request is a "not simple
>> request" (sic) and it requires an OPTIONS preflight request
>> (including the "Origin" header).
>> And "Once the preflight request gives permissions, the browser makes
>> the actual request"
>>
>> The first case (Chrome browser) did, but the second didn't.
>>
>> Have you tested changing the Content-Type?
>>
>> Regards
>>
>
> Hi, Jose-
>
> From the page you cited:
>
> "The use-case for CORS is simple. Imagine the site alice.com has some
> data that the site bob.com wants to access. This type of request
> traditionally wouldn’t be allowed under the browser’s same origin policy.
> However, by supporting CORS requests, alice.com can add a few special
> response headers that allows bob.com to access the data."
>
> In this case, alice.com would be the server that hosts Tomcat. As you
> suggest, the problem may very well be in the client but - FOR ME - it's
> worth the effort to understand what should happen on both the client and
> the server and to ensure that both are configured correctly.
>
> -Terence Bandoian
>
>>
>> On Tue, Apr 22, 2014 at 9:22 PM, Ankit Singhal
>>>>> <ankising...@gmail.com> wrote:
>>>>>
>>>>> Hi All
>>>>>>
>>>>>> I am facing a strange problem with Tomcat 8 and CORS. I am developing a
>>>>>> Hybrid web app using ionicframework, AngularJS, Cordova as front end and
>>>>>> Tomcat 8 and Spring 3 as back-end.
>>>>>>
>>>>>> For easy development I am testing the functionality in Chrome, where
>>>>>> things are working fine. I added CORS filter with standard configuration to
>>>>>> allow CROSS ORIGIN requests from browser.
>>>>>>
>>>>>> Today I converted my app into Android App and started making AJAX calls to
>>>>>> tomcat server. To my surprise things stopped working.
>>>>>> I debugged further and found anomalies in the headers of browser and
>>>>>> Android webview.
>>>>>>
>>>>>> Browser sends 2 requests for the same call, OPTION and POST. But Android
>>>>>> Webview only sends the POST request.
>>>>>>
>>>>>> Browser Request Headers:
>>>>>>
>>>>>> OPTION:
>>>>>>
>>>>>> Remote Address:54.254.159.166:80
>>>>>> Request URL:http://medistreet.in/auth2
>>>>>> Request Method:OPTIONS
>>>>>> Status Code:200 OK
>>>>>>
>>>>>> Request Headers
>>>>>>
>>>>>> OPTIONS /auth2 HTTP/1.1
>>>>>> Host: medistreet.in
>>>>>> Connection: keep-alive
>>>>>> Access-Control-Request-Method: POST
>>>>>> Origin: http://localhost
>>>>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
>>>>>> Access-Control-Request-Headers: accept, content-type
>>>>>> Accept: */*
>>>>>> Referer: http://localhost/
>>>>>> Accept-Encoding: gzip,deflate,sdch
>>>>>> Accept-Language: en-US,en;q=
>>>>>>
>>>>>> POST:
>>>>>>
>>>>>> Remote Address:54.254.159.166:80
>>>>>> Request URL:http://medistreet.in/auth2
>>>>>> Request Method:POST
>>>>>> Status Code:200 OK
>>>>>>
>>>>>> Request Headers
>>>>>>
>>>>>> Accept:application/json, text/plain, */*
>>>>>> Accept-Encoding:gzip,deflate,sdch
>>>>>> Accept-Language:en-US,en;q=
>>>>>> Connection:keep-alive
>>>>>> Content-Length:39
>>>>>> Content-Type:application/json;charset=8
>>>>>> Host:medistreet.in
>>>>>> Origin:http://localhost
>>>>>> Referer:http://localhost/
>>>>>> User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
>>>>>>
>>>>>> Android Request Headers:
>>>>>>
>>>>>> Request URL:http://medistreet.in/auth2
>>>>>> Request Method:POST
>>>>>> Status Code:403 Forbidden
>>>>>>
>>>>>> Request Headers
>>>>>>
>>>>>> POST http://medistreet.in/auth2 HTTP/1.1
>>>>>> Accept: application/json, text/plain, */*
>>>>>> Origin: file://
>>>>>> User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; XT1033 Build/KXB20.25-1.31) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
>>>>>> Content-Type: application/json;charset=8
>>>>>>
>>>>>> The difference here I see is with the number of headers and especially the
>>>>>> Origin header, which contains "file://". To overcome this I added more
>>>>>> options in CORS filter:
>>>>>>
>>>>>> <filter>
>>>>>>   <filter-name>CorsFilter</filter-name>
>>>>>>   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>>>>>>   <init-param>
>>>>>>     <param-name>cors.allowed.origins</param-name>
>>>>>>     <param-value>*</param-value>
>>>>>>   </init-param>
>>>>>> </filter>
>>>>>> <filter-mapping>
>>>>>>   <filter-name>CorsFilter</filter-name>
>>>>>>   <url-pattern>/*</url-pattern>
>>>>>> </filter-mapping>
>>>>>>
>>>>>> Another strange thing is that when we send the same Android request
>>>>>> headers from POSTMAN (Chrome REST plugin) the request is successful.
>>>>>>
>>>>>> POSTMAN Headers:
>>>>>>
>>>>>> Remote Address:54.254.159.166:80
>>>>>> Request URL:http://medistreet.in/auth2
>>>>>> Request Method:POST
>>>>>> Status Code:200 OK
>>>>>>
>>>>>> Request Headers
>>>>>>
>>>>>> Accept:application/json, text/plain, */*
>>>>>> Accept-Encoding:gzip,deflate,sdch
>>>>>> Accept-Language:en-US,en;q=
>>>>>> Cache-Control:no-cache
>>>>>> Connection:keep-alive
>>>>>> Content-Length:39
>>>>>> Content-Type:application/json;charset=8
>>>>>> Host:medistreet.in
>>>>>> Origin:chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm
>>>>>> User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
>>>>>>
>>>>>> After this also there is no solution to the problem. I suspect that
>>>>>> Android Webview is not sending something which Tomcat is rejecting.
>>>>>>
>>>>>> Any help will highly be appreciated.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Ankit
>>>>>>
>>>>>
>>>>
>>>> Hi, Ankit-
>>>>
>>>> I would double-check the documentation for the Tomcat CORS filter and
>>>> the Cordova whitelist implementation:
>>>>
>>>> https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
>>>> http://docs.phonegap.com/en/3.4.0/guide_appdev_whitelist_index.md.html
>>>>
>>>> Hope that helps.
>>>>
>>>> -Terence Bandoian
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
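
The Origin handling described at the top of this thread, as an added example that is not part of the original messages and is not Tomcat's own source: a simplified model in which the Origin value is parsed as a URI before the allow-list is consulted. The class, method and enum names are hypothetical, and the ordering of the two checks is an assumption based on the behaviour reported in the thread; the three Origin values are the ones in the posted headers.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Set;

// Added illustration: a simplified model of an Origin check, not Tomcat's CorsFilter source.
public class OriginCheckDemo {

    enum Decision { ALLOWED, REJECTED_INVALID_ORIGIN, REJECTED_NOT_ALLOWED }

    // Syntactic check: the Origin value must parse as a URI and carry a scheme.
    static boolean isSyntacticallyValid(String origin) {
        try {
            return new URI(origin).getScheme() != null;
        } catch (URISyntaxException e) {
            // "file://" ends here: java.net.URI expects an authority after "//".
            return false;
        }
    }

    // Assumed ordering: syntax is validated first, so an allow-list of "*"
    // is never consulted for an Origin that fails to parse.
    static Decision decide(String origin, Set<String> allowedOrigins) {
        if (!isSyntacticallyValid(origin)) {
            return Decision.REJECTED_INVALID_ORIGIN;   // the 403 case in the thread
        }
        if (allowedOrigins.contains("*") || allowedOrigins.contains(origin)) {
            return Decision.ALLOWED;
        }
        return Decision.REJECTED_NOT_ALLOWED;
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("*");   // mirrors cors.allowed.origins = *
        List<String> origins = List.of(
            "http://localhost",                                       // desktop Chrome
            "file://",                                                // Android WebView
            "chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm");   // POSTMAN
        for (String origin : origins) {
            System.out.printf("%-55s -> %s%n", origin, decide(origin, allowed));
        }
    }
}
```

Where accepting `file://` is a deliberate choice, it is better expressed as an explicit special case ahead of the URI parse than by loosening the parse itself, so that other malformed Origin values are still refused.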