cross origin requests are blocked in tomcat 8 with HTTP status code 403

It may seem like a known issue, and many questions exist on the topic; however, my situation is very strange. I have a simple web application deployed on Tomcat 8.0.36. I have configured CORS properly:

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The cross-origin requests are blocked by the browser:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.mytestpage.com' is therefore not allowed access. The response had HTTP status code 403.

In the Tomcat log file I also see the response code 403. What is interesting is that my application's code is never executed for cross-origin requests: the requests are blocked before reaching my application, and 403 is sent immediately. I have no Apache in front of Tomcat; it's plain Tomcat. I have tried many things, including whitelisting the origins and specifying allowed headers; nothing helped. I also tried to set the header programmatically, until I found that the code is never executed in the case of a cross-origin request.

UPD: The endpoint accepts POST requests. Those POST requests are sent as XMLHttpRequests from the JS snippet.

Any ideas what it can be?

P.S. I can make successful same-origin requests.

asked by bekon, Jul 27 '16 20:07


2 Answers

I found what the issue was: I had to set the Content-Type header in the request, otherwise the request would be blocked. - Tomcat CORS filter

answered by bekon, Nov 17 '22 21:11


You actually have to set both Access-Control-Allow-Origin and Access-Control-Allow-Methods. Here is an example:

Access-Control-Allow-Origin: http://www.myhost.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Also, you have to accept the OPTIONS method, returning both Access-Control-Allow-* header lines. Some browsers may issue this kind of request prior to your actual request (e.g. a PUT request) to get the access information of the service.

answered by Boris Brodski, Nov 17 '22 20:11
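To show why both answers matter, here is an added example (not code from the question, the answers or Tomcat itself) that models, in simplified form, how a CORS filter classifies an incoming request and what it sends back: a POST with no Content-Type is not a valid CORS request and gets 403 before the application runs, while a preflight OPTIONS must be answered with both Access-Control-Allow-Origin and Access-Control-Allow-Methods. The `policy` allow-list, `classify` and `handle` are hypothetical names for this model; header names in the constructed requests are lowercase.

```javascript
// Simplified model of CORS request classification (added example; not Tomcat's code).
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Constructed allow-list standing in for the filter's init-params.
const policy = {
  allowedOrigins: new Set(["https://www.mytestpage.com"]),
  allowedMethods: new Set(["GET", "POST", "PUT", "DELETE", "OPTIONS"]),
};

function classify(req) {
  const h = req.headers;
  if (!("origin" in h)) return "NOT_CORS"; // same-origin: passed through untouched
  if (req.method === "OPTIONS") {
    return "access-control-request-method" in h ? "PRE_FLIGHT" : "ACTUAL";
  }
  if (req.method === "GET" || req.method === "HEAD") return "SIMPLE";
  if (req.method === "POST") {
    const ct = h["content-type"];
    if (!ct) return "INVALID"; // the case in the question: no Content-Type at all
    const mediaType = ct.split(";")[0].trim().toLowerCase();
    return SIMPLE_CONTENT_TYPES.has(mediaType) ? "SIMPLE" : "ACTUAL";
  }
  return "ACTUAL"; // PUT, DELETE, ...: the browser preflights these first
}

// Returns the status and CORS headers the filter would produce for `req`.
function handle(req, policy) {
  const type = classify(req);
  const origin = req.headers.origin;
  if (type === "NOT_CORS") return { status: 200, headers: {} };
  if (type === "INVALID" || !policy.allowedOrigins.has(origin)) {
    return { status: 403, headers: {} }; // rejected before the application runs
  }
  const headers = { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  if (type === "PRE_FLIGHT") {
    const wanted = req.headers["access-control-request-method"].toUpperCase();
    if (!policy.allowedMethods.has(wanted)) return { status: 403, headers: {} };
    headers["Access-Control-Allow-Methods"] = [...policy.allowedMethods].join(", ");
    return { status: 200, headers }; // answered by the filter; application not invoked
  }
  return { status: 200, headers }; // SIMPLE / ACTUAL: application runs, headers added
}
```

Sending the POST as text/plain (a "simple" type) avoids the preflight entirely; application/json is classified as ACTUAL, so the browser issues the OPTIONS preflight first, which is why the second answer's method list must be returned.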