No 'Access-Control-Allow-Origin' header is present on the requested resource.The response had HTTP status code 401

Question

I am calling a cross doamin REST web-service(Spring) using angular $http. Please find code below.

$http({    
url: ' http://xxx.yyy.zzz:8080/..../sponsors',
method: 'GET',
   headers: {  'Token' : 'abc'  }
}).success(function(sponsors){
      $scope.sponsorList = sponsors;
}).error(function(sponsors){
       alert('failed to get sponsors')
});

I am getting the below error

"Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

Restful webservices are deployed on Tomcat-8.

I have added a CORS filter in tomcat/conf/web.xml as below.

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Even though i am getting the same error .

Can anybody please help me how to fix this? Did i miss any headers at client side? Anything else needs to be done at server side?

Thanks in advance

Answer 1

This would help you based on this link

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Answer 2

I found the root cause.

I have created simple hello world REST service without authentication on the same server and called the service.

I got the response without any issues.

I am getting the below error with existing production application which has authentication
No 'Access-Control-Allow-Origin' header is present on the requested resource.The response had HTTP status code 401

So i concluded that authentication is needed for PREFLIGHT request also.

Can anybody tell me how to send authentication headers in PREFLIGHT request? Do we have control on PREFLIGHT Requests?