http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter

"The filter works by adding required Access-Control-* headers to HttpServletResponse object. The filter also protects against HTTP response splitting. If request is invalid, or is not permitted, then request is rejected with HTTP status code 403 (Forbidden)"

On Fri, Feb 6, 2015 at 5:45 AM, Mark Thomas <ma...@apache.org> wrote:

> On 06/02/2015 10:21, Brian wrote:
> > Hello Mark,
> >
> > 1- No authentication at all, since the user authenticates sending a
> > parameter in the query string.
> >
> > 2- I have two filters:
> > "org.tuckey.web.filters.urlrewrite.UrlRewriteFilter" (which has been
> > working fine for years now) and.... CORS, yes!!!
> > Actually, the CORS filter (org.apache.catalina.filters.CorsFilter) is
> > the first filter in my web.xml file, so it is the first to run.
> > This is the way I have configured it:
> >
> > <filter>
> >   <filter-name>CorsFilter</filter-name>
> >   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
> >   <init-param>
> >     <param-name>cors.allowed.origins</param-name>
> >     <param-value>*</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>cors.support.credentials</param-name>
> >     <param-value>false</param-value>
> >   </init-param>
> > </filter>
> > <filter-mapping>
> >   <filter-name>CorsFilter</filter-name>
> >   <url-pattern>/*</url-pattern>
> > </filter-mapping>
> >
> > I added the CORS filter probably two months ago, and probably I have
> > started seeing the 403 errors since then, yes!
> > And now that I think about it, probably it is the CORS filter the reason
> > of the 403 indeed, since my API is being called not only from servers but
> > also from JavaScript running in all kinds of browsers and maybe some of them
> > don't deal with CORS properly. That would explain why the 403s happen
> > occasionally. In fact, I see this 403 occurring in most of the cases by one
> > specific user (authenticated by a parameter in the query string) that calls
> > my API from JavaScript!
> >
> > In what conditions does this filter return a 403 error? What are the
> > Headers involved when that happens? How can I avoid this problem? Where (on
> > the internet) can I learn more about this specific problem?
> >
> > Thanks Mark!
>
> There have been some changes so the best bet is to look at the source
> code for the version you are using:
>
> http://svn.apache.org/viewvc/tomcat/tc7.0.x/tags/TOMCAT_7_0_50/java/org/apache/catalina/filters/CorsFilter.java?view=annotate
>
> If I recall, clients that send a null origin will be rejected when * is
> used. That got fixed recently.
>
> Mark
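
One way to follow up on the question above of when the 403s happen, as an added example that is not part of the thread or of Tomcat's own code: tally 403 responses from the access log by Origin value and method. It assumes an AccessLogValve pattern that also logs the Origin and Access-Control-Request-Method request headers; that pattern, the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed AccessLogValve pattern (an assumption, not from the thread):
#   %h %t "%r" %s "%{Origin}i" "%{Access-Control-Request-Method}i"
LINE = re.compile(
    r'^\S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<origin>[^"]*)" "(?P<acrm>[^"]*)"$'
)

# Constructed sample lines (documentation addresses and hostnames).
SAMPLE_LOG = """\
203.0.113.10 [06/Feb/2015:10:01:02 +0000] "GET /api/items?key=AAA HTTP/1.1" 200 "http://shop.example" "-"
203.0.113.11 [06/Feb/2015:10:01:05 +0000] "GET /api/items?key=BBB HTTP/1.1" 403 "null" "-"
203.0.113.11 [06/Feb/2015:10:02:09 +0000] "GET /api/items?key=BBB HTTP/1.1" 403 "null" "-"
203.0.113.12 [06/Feb/2015:10:03:00 +0000] "OPTIONS /api/items HTTP/1.1" 403 "http://app.example" "PUT"
203.0.113.13 [06/Feb/2015:10:04:00 +0000] "POST /api/items?key=CCC HTTP/1.1" 403 "-" "-"
"""

def origin_class(origin):
    """Bucket the logged Origin value; Tomcat logs '-' for a missing header."""
    if origin == "-":
        return "absent"
    if origin == "null":
        return "null"  # the case Mark describes for '*' in the thread
    return "present"

def triage_403(lines):
    """Count 403 responses by (origin class, method, requested method, path)."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            counts[("unparsed",)] += 1
            continue
        if m.group("status") != "403":
            continue
        # Drop the query string: in this API it carries the credential.
        path = m.group("uri").split("?", 1)[0]
        counts[(origin_class(m.group("origin")), m.group("method"),
                m.group("acrm"), path)] += 1
    return counts

if __name__ == "__main__":
    for key, n in triage_403(SAMPLE_LOG.splitlines()).most_common():
        print(n, *key)
```

A bucket dominated by `null` points at the null-origin case mentioned in the reply; the other buckets show which method and preflight header combinations to check against the CorsFilter source for the running version.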