Hello Mark,

1- No authentication at all, since the user authenticates by sending a 
parameter in the query string.

2- I have two filters: "org.tuckey.web.filters.urlrewrite.UrlRewriteFilter" 
(which has been working fine for years now) and.... CORS, yes!!!
Actually, the CORS filter (org.apache.catalina.filters.CorsFilter) is the first 
filter in my web.xml file, so it is the first to run.
This is the way I have configured it:

  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>*</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

I added the CORS filter probably two months ago, and probably I have started 
seeing the 403 errors since then, yes!
And now that I think about it, the CORS filter is probably the reason for the 
403 indeed, since my API is being called not only from servers but also from 
JavaScript running in all kinds of browsers and maybe some of them don't deal 
with CORS properly. That would explain why the 403s happen occasionally. In 
fact, I see this 403 occurring in most of the cases for one specific user 
(authenticated by a parameter in the query string) that calls my API from 
JavaScript!

In what conditions does this filter return a 403 error? What are the Headers 
involved when that happens? How can I avoid this problem? Where (on the 
internet) can I learn more about this specific problem?

Thanks Mark!

        

> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: viernes, 06 de febrero de 2015 04:47 a.m.
> To: Tomcat Users List
> Subject: Re: Sporadic HTTP 403 returned by Tomcat when this should not
> happen ever. How to find out why this happens?
> 
> On 05/02/2015 23:14, Brian wrote:
> > Hello David,
> >
> > No, it is not the case. No exceptions whatsoever. And about 1/100 (or
> > less) of the requests return a 403 to the users, and all those requests
> > are doing the same thing.
> > Thanks a lot for your help!
> 
> Is any authentication configured for this web application?
> 
> What filters are configured (the CORS filter might return a 403 for
> example)?
> 
> Mark
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
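
The hypothesis in the message above (the 403s come from browser JavaScript callers that pass through the CORS filter) can be checked against the access log. The script below is an added example, not part of the thread or of Tomcat; it assumes an AccessLogValve pattern of `%h %t "%r" %s "%{Origin}i" "%{Content-Type}i"`, and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed AccessLogValve pattern: %h %t "%r" %s "%{Origin}i" "%{Content-Type}i"
# An absent request header is logged as "-".
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<origin>[^"]*)" "(?P<ctype>[^"]*)"$')

# Constructed sample lines (not from the thread); statuses are illustrative only.
SAMPLE_LOG = """
192.0.2.10 [01/Jan/2015:10:00:01 +0000] "GET /api/items?key=REDACTED HTTP/1.1" 200 "-" "-"
192.0.2.10 [01/Jan/2015:10:00:02 +0000] "POST /api/items?key=REDACTED HTTP/1.1" 200 "-" "application/json"
198.51.100.7 [01/Jan/2015:10:00:03 +0000] "GET /api/items?key=REDACTED HTTP/1.1" 200 "https://app.example" "-"
198.51.100.7 [01/Jan/2015:10:00:04 +0000] "POST /api/items?key=REDACTED HTTP/1.1" 200 "https://app.example" "application/x-www-form-urlencoded"
198.51.100.7 [01/Jan/2015:10:00:05 +0000] "POST /api/items?key=REDACTED HTTP/1.1" 403 "https://app.example" "-"
198.51.100.8 [01/Jan/2015:10:00:06 +0000] "POST /api/items?key=REDACTED HTTP/1.1" 403 "null" "application/json; charset=UTF-8"
198.51.100.7 [01/Jan/2015:10:00:07 +0000] "OPTIONS /api/items HTTP/1.1" 200 "https://app.example" "-"
192.0.2.11 [01/Jan/2015:10:00:08 +0000] "GET /api/items?key=REDACTED HTTP/1.1" 200 "-" "-"
"""

def parse(text):
    """Turn log text into dicts; lines that do not match the pattern are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({
                "method": m["method"],
                "status": int(m["status"]),
                "has_origin": m["origin"] != "-",
                # Drop parameters such as "; charset=UTF-8" so buckets compare cleanly.
                "ctype": m["ctype"].split(";")[0].strip().lower(),
            })
    return rows

def by_bucket(rows):
    """Map (has_origin, method, content type) -> (403 count, total count)."""
    total, denied = Counter(), Counter()
    for r in rows:
        key = (r["has_origin"], r["method"], r["ctype"])
        total[key] += 1
        denied[key] += r["status"] == 403
    return {k: (denied[k], total[k]) for k in total}

def origin_share_of_403(rows):
    """Fraction of 403 responses whose request carried an Origin header."""
    denied = [r for r in rows if r["status"] == 403]
    return sum(r["has_origin"] for r in denied) / len(denied) if denied else None

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("share of 403s with Origin:", origin_share_of_403(rows))
    for key, (bad, n) in sorted(by_bucket(rows).items()):
        print(key, f"{bad}/{n} forbidden")
```

If every 403 falls in buckets where an Origin header is present, the CORS filter is the likely source, and the method and Content-Type of those buckets show which requests to reproduce.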

