tomcat 7 cors filter

0
votes
Ubuntu 12.10   
Tomcat 7.0.41   
Chrome 27.0.1453.116

I would like to use Tomcat's new, native CORS filter to allow Access-Control-Allow-Origin: * . The configuration seems simple enough but when I use Chrome's "Developer tools" or Firefox' Firebug to check for Access-Control-Allow-Origin: *, it does not appear in the response header: 

Request URL:http://XXX.XXX.XX.99:8984/SimpleServlet/simple-servlet   
Request Method:GET   
Status Code:200 OK   
Request Headersview source   
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8   
Accept-Encoding:gzip,deflate,sdch   
Accept-Language:en-US,en;q=0.8   
Cache-Control:max-age=0    
Connection:keep-alive    
DNT:1     
Host:198.100.45.99:8984     
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36     
Response Headersview source   
Content-Length:103       
Content-Type:text/html;charset=ISO-8859-1     
Date:Mon, 24 Jun 2013 00:19:30 GMT      
Server:Apache-Coyote/1.1

For testing, I've deployed a simple servlet and have configured the following in WEB-INF/web.xml.

<?xml version="1.0" encoding="ISO-8859-1"?>   
<web-app
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3.0.xsd"
    version="3.0">   
    <servlet>   
        <servlet-name>SimpleServlet</servlet-name>   
        <servlet-class>com.javaranch.codebarn.servletjsp.SimpleServlet</servlet-class>   
    </servlet>   
    <servlet-mapping>   
        <servlet-name>SimpleServlet</servlet-name>   
        <url-pattern>/simple-servlet</url-pattern>    
    </servlet-mapping>   
    <filter>     
        <filter-name>CorsFilter</filter-name>     
        <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>    
        <init-param>     
            <param-name>cors.allowed.origins</param-name>     
            <param-value>*</param-value>     
        </init-param>     
        <init-param>     
            <param-name>cors.allowed.headers</param-name>     
            <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>     
        </init-param>     
        <init-param>     
            <param-name>cors.exposed.headers</param-name>      
            <param-value>Access-Control-Allow-Origin</param-value>       
        </init-param>     
        <!--     
        <init-param>     
            <param-name>cors.logging.enabled</param-name>     
            <param-value>true</param-value>     
        </init-param>     
        -->     
    </filter>     
    <filter-mapping>     
        <filter-name>CorsFilter</filter-name>     
        <url-pattern>/*</url-pattern>     
    </filter-mapping>    
</web-app>

What am I missing? I've also tried Dzhuvinov's java classes/filter and have tried configuring the filter in WEB-INF/web.xml and $CATALINA_BASE/conf/web.xml. What could be blocking this configuration?

How can I troubleshoot this? It appears that in the original eBay cors-filter offering, there was a parameter to toggle logging, but this is not reflected in the Tomcat v7.0.41 documentation.

1
tomcattomcat7corsweb.xml
Can you provide request headers as well ? The first thing that I would do is to check if browser is adding 'Origin' header to request. As per spec, when browsers detect that a request is a cross-origin request, they add an 'Origin' header along. If request doesn't contain an 'Origin' header then CorsFilter will let the request pass. - mohitsoni
If browser is not adding a 'Origin' header to request, that means the request is not a cross-origin request. - mohitsoni
You might want to check if request is really a cross origin request. For ex: If a page is served on origin http://localhost:8080, then it should be making a request to any origin, but http://localhost:8080 (for request to be cross origin). To simulate, you can edit your /etc/hosts, and map 127.0.0.1 to ex: localhost.cors. Then change your JavaScript to make a request to http://localhost.cors:8080 from the page which was served from http://localhost:8080 (or vice-versa). - mohitsoni

1 Answers

1
votes

The issue was not in the web.xml filter configuration; rather, it was in the way the results of the test were measured. Rather than using Chrome's Developer Tools, use test-cors.org (http://client.cors-api.appspot.com/client). See also https://groups.google.com/forum/#!topic/gs-discussion/kgdCFuJoTt4.