Thanks, Christopher. I think, for now, I'll just use * when developing and turn it off when in production.
I wonder if changing that method to protected might be a potential security hole.

Thanks!

Blake McBride

On Thu, Jan 6, 2022 at 10:34 AM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Blake,
>
> On 1/6/22 10:29, Blake McBride wrote:
> > Greetings,
> >
> > I have been using the following with success:
> >
> > <filter>
> >   <filter-name>CorsFilter</filter-name>
> >   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
> >   <init-param>
> >     <param-name>cors.allowed.headers</param-name>
> >     <param-value>Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Cache-Control,Connection,Host,Pragma,Origin,Referer,User-Agent,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>cors.exposed.headers</param-name>
> >     <param-value>Access-Control-Allow-Origin,Content-Length,Content-Type,Date,Server,Access-Control-Allow-Credentials</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>cors.allowed.origins</param-name>
> >     <param-value>http://localhost:63342</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>cors.allowed.methods</param-name>
> >     <param-value>GET, POST, HEAD, OPTIONS</param-value>
> >   </init-param>
> > </filter>
> > <filter-mapping>
> >   <filter-name>CorsFilter</filter-name>
> >   <url-pattern>/*</url-pattern>
> > </filter-mapping>
> >
> > It allows me to allow CORS but only from http://localhost:63342. I'd like
> > to change it to allow CORS from any IP but only ports 63342 and 8002. How
> > can I specify that?
> >
> > I am using Tomcat 9.0.42 with JDK 8.
>
> I don't think you can do that with Tomcat's CORS filter. You can either
> "allow all" or you can list every origin.
>
> If you would like to hack on Tomcat, you could look at the private
> CorsFilter.isOriginAllowed method to see if you could come up with a
> more complicated way to evaluate the allowed-origins.
>
> Better yet, change the method to protected and then subclass the
> existing CorsFilter, adding whatever complexity you require.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
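
The origin evaluation discussed in this thread, for the policy asked about (any host, but only ports 63342 and 8002), as a standalone Java 8 method. This is an added example, not code from the thread or from Tomcat; the class name `PortOriginPolicy` is hypothetical, and using it inside `CorsFilter` would still need the private-to-protected change and subclass described above.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper, not part of Tomcat: evaluates an Origin header value
// against the policy "any host, but only ports 63342 and 8002".
public class PortOriginPolicy {
    private static final Set<Integer> ALLOWED_PORTS =
            new HashSet<>(Arrays.asList(63342, 8002));

    public static boolean isOriginAllowed(String origin) {
        if (origin == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(origin);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        // "null" (sandboxed or file origins) parses with no scheme and is rejected here.
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            return false;
        }
        // A serialized origin is scheme://host[:port] and nothing else.
        if (uri.getHost() == null || uri.getRawUserInfo() != null
                || !uri.getRawPath().isEmpty()
                || uri.getRawQuery() != null || uri.getRawFragment() != null) {
            return false;
        }
        // getPort() returns -1 when no port is given, which is never in the set.
        return ALLOWED_PORTS.contains(uri.getPort());
    }

    public static void main(String[] args) {
        // Constructed sample Origin values.
        String[] samples = {
            "http://localhost:63342", "http://192.168.1.20:8002",
            "http://localhost:8080", "http://localhost", "null",
            "http://user@localhost:8002", "http://localhost:8002/path"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + isOriginAllowed(s));
        }
    }
}
```

Because the host is unconstrained, a page served from port 63342 or 8002 on any machine passes this check, so the policy is only as narrow as the set of services able to listen on those ports.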