TOMCAT 7 , Native CORS FILTER and Spring Security

Thu, 23 Jul 2015 07:51:08 -0700 

Hi, 

I am using TOMCAT 7, and I have enable the CORS FILTER as per the explanation 
on the official website: 
https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter

I use the actual configuration: 


<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    
<param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

I do it in my Web.xml that is in the conf folder. 

However the app that i am trying to access have a spring security filter.  I 
show below the application configuration in question. I have no control over 
that application. In fact this is a vendor application. I can only modify the 
configuration file to enable the CORS FILTER.

<!-- Spring Security START -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/</url-pattern>
    </filter-mapping>
    <!-- Spring Security END -->

or a larger view


  <filter>
        <filter-name>MessageFilter</filter-name>
        <filter-class>at.punkt.PoolParty.Management.MessageFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>MessageFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>TransactionFilter</filter-name>
        
<filter-class>biz.poolparty.thesaurus.web.support.TransactionFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>TransactionFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>SpringLocaleFilter</filter-name>
        
<filter-class>biz.poolparty.thesaurus.web.support.SpringLocaleFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SpringLocaleFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Spring Security START -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/</url-pattern>
    </filter-mapping>
    <!-- Spring Security END -->

    <listener>
        <description>ServletContextListener</description>
        
<listener-class>at.punkt.PoolParty.Management.PoolPartyListener</listener-class>
    </listener>

    <!-- Location of the XML file that defines the root application context -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:/applicationContext.xml</param-value>
    </context-param>

    <listener>
        
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Include spring dispatcher servlet -->
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
        <async-supported>true</async-supported>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/!/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/api/*</url-pattern>
    </servlet-mapping>
    

I wonder if there is an issue between the Spring Security Filter and the Native 
Cors Filter coming with tomcat ?

What are the work around ?

If not how can I know what is exactly stop the CORS FILTER FROM WORKING RIGHT ?

-- 
Maatari Daniel Okouya
Sent with Airmail

Reply via email to