I had a static website hosted by Tomcat.
How do I set a header for my site like: Access-Control-Allow-Origin: *
They are all static files, not any servlet application.
Tomcat Web Server Config: To enable CORS support we have to use CORS Filter. If you want to enable CORS for all webapps, add the filter into $CATALINA_BASE/conf/web.xml. If you want to enable them only for the MOTECH application, add the filter into $CATALINA_BASE/webapps/motech-platform-server/WEB-INF/web.
CORS Filter Introduction. This filter is an implementation of W3C's CORS (Cross-Origin Resource Sharing) specification, which is a mechanism that enables cross-origin requests. The filter works by adding required Access-Control-* headers to HttpServletResponse object.
If it's a static site, then starting with Tomcat 7.0.41, you can easily control CORS behavior via a built-in filter.
Pretty much the only thing you have to do is edit the global web.xml in CATALINA_HOME/conf and add the filter definition:
<!-- ================== Built In Filter Definitions ===================== -->
...
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ==================== Built In Filter Mappings ====================== -->
Be aware, though, that Firefox does not like Access-Control-Allow-Origin: * and requests with credentials (cookies): when responding to a credentialed request, the server must specify a domain, and cannot use wildcarding.
If you want to debug requests in this situation, please be aware that CORS headers are only sent if there is a cross-origin request according to this flow-chart.
(tomcat.apache.org/tomcat-8.0-doc/images/cors-flowchart.png)
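The built-in filter described above can also be limited to named origins through its init-params, which sidesteps the wildcard-with-credentials problem. This is an added configuration example, not part of the original answer; the two example.com origins are placeholders and the method and header lists are assumptions suited to a read-only static site.

```xml
<!-- Added example for the global web.xml; origin values are placeholders -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <!-- Explicit allowlist instead of "*": comma-separated scheme://host[:port] -->
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>https://app.example.com,https://admin.example.com</param-value>
  </init-param>
  <!-- Static files only need read methods plus OPTIONS for preflight -->
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,HEAD,OPTIONS</param-value>
  </init-param>
  <!-- Request headers a cross-origin caller may send -->
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,Accept,Origin</param-value>
  </init-param>
  <!-- Public static content does not need cookies; keep credentials off -->
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>false</param-value>
  </init-param>
  <!-- Seconds a browser may cache the preflight result -->
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>3600</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

With this in place, a request whose Origin header is on the list gets Access-Control-Allow-Origin set to that origin, and a cross-origin request from any other origin is rejected by the filter.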
Here is a very basic filter that will add the CORS headers. Note that by default, this will enable all domains and methods so you should customize it to fit your needs.
It also needs to be the first filter in your web.xml.
package com.conductiv.api.listener;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class CORSFilter implements Filter {

    public static final String VALID_METHODS = "DELETE, HEAD, GET, OPTIONS, POST, PUT";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws ServletException, IOException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpResp = (HttpServletResponse) resp;

        // No Origin header present means this is not a cross-domain request
        String origin = httpReq.getHeader("Origin");
        if (origin == null) {
            // Return standard response if OPTIONS request w/o Origin header
            if ("OPTIONS".equalsIgnoreCase(httpReq.getMethod())) {
                httpResp.setHeader("Allow", VALID_METHODS);
                httpResp.setStatus(200);
                return;
            }
        } else {
            // This is a cross-domain request, add headers allowing access.
            // The request's Origin is echoed back, so every origin is allowed;
            // compare it against your own list here to restrict access.
            httpResp.setHeader("Access-Control-Allow-Origin", origin);
            httpResp.setHeader("Access-Control-Allow-Methods", VALID_METHODS);

            // Echo back whatever headers the preflight asked for
            String headers = httpReq.getHeader("Access-Control-Request-Headers");
            if (headers != null) {
                httpResp.setHeader("Access-Control-Allow-Headers", headers);
            }

            // Allow caching cross-domain permission
            httpResp.setHeader("Access-Control-Max-Age", "3600");
        }

        // Pass request down the chain, except for OPTIONS
        if (!"OPTIONS".equalsIgnoreCase(httpReq.getMethod())) {
            chain.doFilter(req, resp);
        }
    }
}