Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 2/6/15 11:58 AM, Mark Eggers wrote: CORS basically doesn't with Internet Explorer 10. IE 8, and CORS does not work at all. IE 8 - Microsoft has a 'special mechanism' for CORS IE 9 - Microsoft breaks the 'special mechanism' IE 10 - Microsoft tells people to use CORS http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx . . . been there, fought that Hmm. Sounds like it's worth adding that to the CORSFilter documentation, at least in summary (similar to above, including the link). Could you make a docs patch? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJU2MHkAAoJEBzwKT+lPKRYcV4P/1b1N+BztmSHThMp7UQ993P/ vA4xbeU7ueskAciAiFAcfHtjOKlA1614YJPhOxNSLYVKOBlOyMhfJPjSFbhFazbH ZgDY1ZyVVtqje5/5SmCL8lolMSNAGhktzgDOKB+yINQzzTnqtmOUBOzz3ZpDV4yi TNnj8e79Cy/2Ubq24vp6FFxemEnoYbcy87zEW4U0uBqchlUCRqGVncQ1WKA3glBo q4QozYiQorxY40nbNC6zEy1LxjlAjdWpimY/Sqrmgb9wb9lkmn5P9ZUEowM+y7SL ULENuHAXZk+2P5RbTB02VNgwZ3Hz1Rb4FEbIUfDO1sF49fVmQxyFLo1AgzFNLXyJ IK+Jm274K8wmdRC66duXbaKW5yqsF9TWehxKTNidvblFLbTENKbCZf+UIGBsb7qf LhNcIutD5ZhoXtfUVCT0HtvC2/Fa8THI/qIUJaJ6rp2Zi2m1fZt2uWroFmpoFeik RU7f+99QtBKzxxQ4TlhORBtmig1fuKhlAmlcXbwIi4eeHezsgkq7y6O9UtKNHo8c WWCwdcJGq8e+RVbwO33+jFbuyo5hPotL3DiQmG0aaJvMYfeJCo2Ma6nUiK8PEjyR FuyBESUdBdeCrc5f3fPZGzYsYraHyC+zuOqAwEwTr6JBEUO0MhBd7vTWNtNF9x95 gs2LQSgBikYX/MpNDOeU =qhUC -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?
On 05/02/2015 23:14, Brian wrote: Hello David, Not, it is not the case. No exceptions whatsoever. And about 1/100 (or less) of the requests return a 403 to the users, and all those requests are doing the same thing. Thanks a lot for your help! Is any authentication configured for this web application? What filters are configured (the CORS filter might return a 403 for example)? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?
On 06/02/2015 10:21, Brian wrote: Hello Mark, 1- No authentication at all, since the user authenticates sending a parameter in the query string. 2- I have two filters: org.tuckey.web.filters.urlrewrite.UrlRewriteFilter (which has been working fine for years now) and CORS, yes!!! Actually, the CORS filter (org.apache.catalina.filters.CorsFilter) is the first filter in my web.xml file, so it is the first to run. This is the way I have configured it: filter filter-nameCorsFilter/filter-name filter-classorg.apache.catalina.filters.CorsFilter/filter-class init-param param-namecors.allowed.origins/param-name param-value*/param-value /init-param init-param param-namecors.support.credentials/param-name param-valuefalse/param-value /init-param /filter filter-mapping filter-nameCorsFilter/filter-name url-pattern/*/url-pattern /filter-mapping I added the CORS filter probably two months ago, and probably I have started seen the 403 errors since then, yes! And now that I think about it, probably it is the CORS filter the reason of the 403 indeed, since my API is being called not only from servers but also from Javascript running in all kind of browsers and maybe some of them don't deal with CORS properly. That would explain why the 403s happens ocasionally. In fact, I see this 403 ocurring in most of the cases by one specific user (authenticated by a parameter in the query string) that calls my API from javacript! In what conditions does this filter return a 403 error? What are the Headers involved when that happens? How can I avoid this problem? Where (on the internet) can I learn more about this specific problem? Thanks Mark! There have been some changes to the best bet is to look at the source code for version you are using: http://svn.apache.org/viewvc/tomcat/tc7.0.x/tags/TOMCAT_7_0_50/java/org/apache/catalina/filters/CorsFilter.java?view=annotate If I recall, clients that send a null origin will be rejected when * is used. That got fixed recently. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?
Hello Mark, 1- No authentication at all, since the user authenticates sending a parameter in the query string. 2- I have two filters: org.tuckey.web.filters.urlrewrite.UrlRewriteFilter (which has been working fine for years now) and CORS, yes!!! Actually, the CORS filter (org.apache.catalina.filters.CorsFilter) is the first filter in my web.xml file, so it is the first to run. This is the way I have configured it: filter filter-nameCorsFilter/filter-name filter-classorg.apache.catalina.filters.CorsFilter/filter-class init-param param-namecors.allowed.origins/param-name param-value*/param-value /init-param init-param param-namecors.support.credentials/param-name param-valuefalse/param-value /init-param /filter filter-mapping filter-nameCorsFilter/filter-name url-pattern/*/url-pattern /filter-mapping I added the CORS filter probably two months ago, and probably I have started seen the 403 errors since then, yes! And now that I think about it, probably it is the CORS filter the reason of the 403 indeed, since my API is being called not only from servers but also from Javascript running in all kind of browsers and maybe some of them don't deal with CORS properly. That would explain why the 403s happens ocasionally. In fact, I see this 403 ocurring in most of the cases by one specific user (authenticated by a parameter in the query string) that calls my API from javacript! In what conditions does this filter return a 403 error? What are the Headers involved when that happens? How can I avoid this problem? Where (on the internet) can I learn more about this specific problem? Thanks Mark! -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: viernes, 06 de febrero de 2015 04:47 a.m. To: Tomcat Users List Subject: Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens? On 05/02/2015 23:14, Brian wrote: Hello David, Not, it is not the case. No exceptions whatsoever. And about 1/100 (or less) of the requests return a 403 to the users, and all those requests are doing the same thing. Thanks a lot for your help! Is any authentication configured for this web application? What filters are configured (the CORS filter might return a 403 for example)? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter The filter works by adding required Access-Control-* headers to HttpServletResponse object. The filter also protects against HTTP response splitting. If request is invalid, or is not permitted, then request is rejected with HTTP status code 403 (Forbidden) On Fri, Feb 6, 2015 at 5:45 AM, Mark Thomas ma...@apache.org wrote: On 06/02/2015 10:21, Brian wrote: Hello Mark, 1- No authentication at all, since the user authenticates sending a parameter in the query string. 2- I have two filters: org.tuckey.web.filters.urlrewrite.UrlRewriteFilter (which has been working fine for years now) and CORS, yes!!! Actually, the CORS filter (org.apache.catalina.filters.CorsFilter) is the first filter in my web.xml file, so it is the first to run. This is the way I have configured it: filter filter-nameCorsFilter/filter-name filter-classorg.apache.catalina.filters.CorsFilter/filter-class init-param param-namecors.allowed.origins/param-name param-value*/param-value /init-param init-param param-namecors.support.credentials/param-name param-valuefalse/param-value /init-param /filter filter-mapping filter-nameCorsFilter/filter-name url-pattern/*/url-pattern /filter-mapping I added the CORS filter probably two months ago, and probably I have started seen the 403 errors since then, yes! And now that I think about it, probably it is the CORS filter the reason of the 403 indeed, since my API is being called not only from servers but also from Javascript running in all kind of browsers and maybe some of them don't deal with CORS properly. That would explain why the 403s happens ocasionally. In fact, I see this 403 ocurring in most of the cases by one specific user (authenticated by a parameter in the query string) that calls my API from javacript! In what conditions does this filter return a 403 error? What are the Headers involved when that happens? How can I avoid this problem? Where (on the internet) can I learn more about this specific problem? Thanks Mark! There have been some changes to the best bet is to look at the source code for version you are using: http://svn.apache.org/viewvc/tomcat/tc7.0.x/tags/TOMCAT_7_0_50/java/org/apache/catalina/filters/CorsFilter.java?view=annotate If I recall, clients that send a null origin will be rejected when * is used. That got fixed recently. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 2/6/2015 2:21 AM, Brian wrote: Hello Mark, 1- No authentication at all, since the user authenticates sending a parameter in the query string. 2- I have two filters: org.tuckey.web.filters.urlrewrite.UrlRewriteFilter (which has been working fine for years now) and CORS, yes!!! Actually, the CORS filter (org.apache.catalina.filters.CorsFilter) is the first filter in my web.xml file, so it is the first to run. This is the way I have configured it: filter filter-nameCorsFilter/filter-name filter-classorg.apache.catalina.filters.CorsFilter/filter-class init-param param-namecors.allowed.origins/param-name param-value*/param-value /init-param init-param param-namecors.support.credentials/param-name param-valuefalse/param-value /init-param /filter filter-mapping filter-nameCorsFilter/filter-name url-pattern/*/url-pattern /filter-mapping I added the CORS filter probably two months ago, and probably I have started seen the 403 errors since then, yes! And now that I think about it, probably it is the CORS filter the reason of the 403 indeed, since my API is being called not only from servers but also from Javascript running in all kind of browsers and maybe some of them don't deal with CORS properly. That would explain why the 403s happens ocasionally. In fact, I see this 403 ocurring in most of the cases by one specific user (authenticated by a parameter in the query string) that calls my API from javacript! In what conditions does this filter return a 403 error? What are the Headers involved when that happens? How can I avoid this problem? Where (on the internet) can I learn more about this specific problem? CORS basically doesn't with Internet Explorer 10. IE 8, and CORS does not work at all. IE 8 - Microsoft has a 'special mechanism' for CORS IE 9 - Microsoft breaks the 'special mechanism' IE 10 - Microsoft tells people to use CORS http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx . . . been there, fought that /mde/ Thanks Mark! -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: viernes, 06 de febrero de 2015 04:47 a.m. To: Tomcat Users List Subject: Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens? On 05/02/2015 23:14, Brian wrote: Hello David, Not, it is not the case. No exceptions whatsoever. And about 1/100 (or less) of the requests return a 403 to the users, and all those requests are doing the same thing. Thanks a lot for your help! Is any authentication configured for this web application? What filters are configured (the CORS filter might return a 403 for example)? Mark -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBAgAGBQJU1PLOAAoJEEFGbsYNeTwtg18H/j1yQF3474DOj7aqlV6coukt IHzxkKPADyxEZ/CeAlJrV/E/dGkhk4CI4hYsnYogzRZi0RNyf6ibiwCIS+nClYqD XqsuLrgVfULgqoo2C2rqRhVXgE6PruVv3C+Sw6PfqXLzVziNZANKaUEKUyzHdbfB CFc8pbPKdZ/cCUYB46FNfw0xH//3v05xs9lxB88GDzmpa1ByDKggyG8t8KDO8BN3 skyr/36yaE/Xecr6bpTserOQQu+2IWH+H386ucZr0WMWGxL4rYCZLOyQK57RzJFk regMSEgHZmKxluiEwf09VrgZD+crjN1MRI+eiYigQ5VxgQNliFIhluR58I8euxc= =c7fL -END PGP SIGNATURE- --- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?
On 6 February 2015 at 02:42, Brian brian...@emailbb.com wrote: Hi, I have a Restful service that receives a huge amount of HTTP requests per day. In some of these requests, Tomcat returns an HTTP 403 error status. Your servlet does something which throws a java.lang.Security exception (which is a runtime exception), and Tomcat is translating it into a 403 for you? (I didn't test it, but it might be a reasonable thing for a servlet-container to do).
RE: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?
Hello David, Not, it is not the case. No exceptions whatsoever. And about 1/100 (or less) of the requests return a 403 to the users, and all those requests are doing the same thing. Thanks a lot for your help! -Original Message- From: David Bullock [mailto:david.bull...@machaira.com.au] Sent: jueves, 05 de febrero de 2015 06:04 p.m. To: Tomcat Users List Subject: Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens? On 6 February 2015 at 02:42, Brian brian...@emailbb.com wrote: Hi, I have a Restful service that receives a huge amount of HTTP requests per day. In some of these requests, Tomcat returns an HTTP 403 error status. Your servlet does something which throws a java.lang.Security exception (which is a runtime exception), and Tomcat is translating it into a 403 for you? (I didn't test it, but it might be a reasonable thing for a servlet-container to do). - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org