Tomcat Cors on 40x requests.

Fri, 20 May 2016 02:34:27 -0700 

Hello,


We have some issues with getting cors to work for requests within the 40x 
status code range.

So we are curious if anyone else has gotten this to work perhaps?

I think our very first question actually is if cors is meant to be on 40x 
requests or only on 20x requests?

Now our actual web.xml looks as following:
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>http://tomcat.example.com,https://example.com
</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    
<param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,soapaction</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>


If I would test this it actually works for all 200 requests:
curl -i -H "Origin:  https://tomcat.example.com"; -H 
"Access-Control-Request-Method: GET" -H "Access-Control-Request-Headers: 
Content-Type, soapaction" -X GET -i http://localhost:8080/lol/test /1.json
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: https://tomcat.example.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: 
Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Cache-Control: public, max-age=10


However if I would do this on a requests that would generate a 404 requests it 
does not work:
curl -i -H "Origin:  https://tomcat.example.com"; -H 
"Access-Control-Request-Method: GET" -H "Access-Control-Request-Headers: 
Content-Type, soapaction" -X GET -i http://localhost:8080/lol/test /xxx.json
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Cache-Control: public, must-revalidate, max-age=10
Content-Type: application/json
Content-Length: 128
Date: Fri, 20 May 2016 09:28:42 GMT

What would we need to do to make it show those cors headers also on those 404 
requests?, and this counts the same for any kind of 401 requests (401 as in 
application authentication not the tomcat authentication).

We would applicate any feedback or arguments if we do this wrong.


Thank you in advanced,
//Sjir Bagmeijer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to