On 06/02/2015 10:21, Brian wrote:
> Hello Mark,
>
> 1- No authentication at all, since the user authenticates by sending a parameter
> in the query string.
>
> 2- I have two filters: "org.tuckey.web.filters.urlrewrite.UrlRewriteFilter"
> (which has been working fine for years now) and.... CORS, yes!!!
> Actually, the CORS filter (org.apache.catalina.filters.CorsFilter) is the
> first filter in my web.xml file, so it is the first to run.
> This is the way I have configured it:
>
>     <filter>
>         <filter-name>CorsFilter</filter-name>
>         <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>         <init-param>
>             <param-name>cors.allowed.origins</param-name>
>             <param-value>*</param-value>
>         </init-param>
>         <init-param>
>             <param-name>cors.support.credentials</param-name>
>             <param-value>false</param-value>
>         </init-param>
>     </filter>
>     <filter-mapping>
>         <filter-name>CorsFilter</filter-name>
>         <url-pattern>/*</url-pattern>
>     </filter-mapping>
>
> I added the CORS filter probably two months ago, and I have probably started
> seeing the 403 errors since then, yes!
> And now that I think about it, the CORS filter is probably indeed the reason for
> the 403, since my API is being called not only from servers but also
> from Javascript running in all kinds of browsers and maybe some of them don't
> deal with CORS properly. That would explain why the 403s happen occasionally.
> In fact, I see this 403 occurring in most of the cases for one specific user
> (authenticated by a parameter in the query string) that calls my API from
> javascript!
>
> In what conditions does this filter return a 403 error? What are the headers
> involved when that happens? How can I avoid this problem? Where (on the
> internet) can I learn more about this specific problem?
>
> Thanks Mark!
There have been some changes, so the best bet is to look at the source code for the version you are using:

http://svn.apache.org/viewvc/tomcat/tc7.0.x/tags/TOMCAT_7_0_50/java/org/apache/catalina/filters/CorsFilter.java?view=annotate

If I recall, clients that send a null origin will be rejected when * is used. That got fixed recently.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
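To make the rejection conditions Brian asks about, and the null-origin case Mark recalls, concrete, here is an added example that is neither poster's code and not Tomcat's CorsFilter source: a simplified Python model of how a CORS filter of this kind classifies a request by its Origin header and decides between passing it on and answering 403. It assumes three rules: a request with no Origin header is not a CORS request and passes straight through (which is why server-to-server callers never see the 403); an Origin that is empty, contains percent-encoding, or is not of the form scheme://host[:port] is treated as invalid and rejected; and an Origin not covered by the configured allowed list is rejected. The `allow_null` switch models the difference Mark describes between a filter version that rejects the literal `null` origin (which browsers send for file:// pages and sandboxed frames) and a fixed version that accepts it. The sample requests are constructed for the example.

```python
"""Illustrative model of CORS request classification and 403 decisions.

Added example: not Tomcat's CorsFilter code. The request-type names follow
the CORS specification; the origin-syntax check and the allow_null switch
are assumptions used to illustrate the behaviour discussed in the thread.
"""
from urllib.parse import urlsplit

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def is_well_formed_origin(origin, allow_null=False):
    """Accept scheme://host[:port]; the literal 'null' origin only if allowed."""
    if origin == "null":
        return allow_null
    if "%" in origin:  # percent-encoded characters are never valid in an origin
        return False
    parts = urlsplit(origin)
    return bool(parts.scheme) and bool(parts.netloc) and parts.path == ""


def classify(method, headers, allowed_origins, allow_null=False):
    """Return (request_type, status): 200 means the filter passes the request
    on to the application, 403 means the filter itself rejects it."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return "NOT_CORS", 200            # no Origin header: not a CORS request
    if origin == "" or not is_well_formed_origin(origin, allow_null):
        return "INVALID_CORS", 403        # malformed (or null) origin
    if "*" not in allowed_origins and origin not in allowed_origins:
        return "ORIGIN_NOT_ALLOWED", 403  # not on the configured allow-list
    if method == "OPTIONS" and "access-control-request-method" in h:
        return "PRE_FLIGHT", 200
    content_type = h.get("content-type", "").split(";")[0].strip().lower()
    if method in {"GET", "HEAD"} or (
        method == "POST" and content_type in SIMPLE_CONTENT_TYPES
    ):
        return "SIMPLE", 200
    return "ACTUAL", 200


def headers_to_log(headers):
    """The request headers worth recording when diagnosing a CORS 403."""
    wanted = {"origin", "access-control-request-method",
              "access-control-request-headers", "content-type"}
    return {k: v for k, v in headers.items() if k.lower() in wanted}


# Constructed sample requests, mirroring the situations in the thread.
SAMPLES = {
    # server-to-server caller: no Origin header at all
    "server": ("GET", {"Accept": "application/json"}),
    # browser JavaScript from a normal https page
    "browser": ("GET", {"Origin": "https://app.example.test"}),
    # JavaScript from a file:// page or sandboxed frame
    "null_origin": ("GET", {"Origin": "null"}),
    # a client that mangles the Origin header
    "mangled": ("POST", {"Origin": "http://evil%0d%0a.example.test",
                         "Content-Type": "text/plain"}),
    # a preflight for a JSON POST
    "preflight": ("OPTIONS", {"Origin": "https://app.example.test",
                              "Access-Control-Request-Method": "POST"}),
}


def run_samples(allowed_origins=("*",), allow_null=False):
    """Classify every constructed sample under one filter configuration."""
    return {name: classify(m, hdrs, allowed_origins, allow_null)
            for name, (m, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for cfg in ({"allow_null": False}, {"allow_null": True}):
        print(cfg)
        for name, result in run_samples(**cfg).items():
            print(f"  {name:12s} -> {result}")
```

Run as a script, the block shows that with `cors.allowed.origins=*` the only samples a filter of this model rejects are the null-origin and the mangled-origin requests, and that accepting `null` turns the first of those into a normal simple CORS request; `headers_to_log` lists the request headers to capture on the rejected requests so the offending client can be identified.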