7

This question: Servers that supports CORS? was about regular servlets; and I do know how to set headers to control CORS.

My question is how do I configure Tomcat to serve static content under CORS restrictions.

Vlad Patryshev

3 Answers

15

Starting with Tomcat 7.0.41, you can easily control CORS behavior via a built-in filter.

References:

Pretty much the only thing you have to do is edit the global web.xml in CATALINA_HOME/conf and add the filter definition:

    <!-- ================== Built In Filter Definitions ===================== -->

    ...

    <filter>
      <filter-name>CorsFilter</filter-name>
      <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>CorsFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- ==================== Built In Filter Mappings ====================== -->

Be aware, though, that Firefox does not like Access-Control-Allow-Origin: * and requests with credentials (cookies): when responding to a credentialed request, the server must specify a domain, and cannot use wildcarding.

If you want to debug requests in this situation, please be aware that CORS headers are only sent if there is a cross-origin request according to this flow chart: CORS flow chart

(tomcat.apache.org/tomcat-8.0-doc/images/cors-flowchart.png)

Johannes Jander
1

Here is a Tomcat filter for adding CORS support: https://bitbucket.org/jsumners/corsfilter

monsur
1

Hi Vlad! This is a very late response, by now you must have figured it all out. In case anyone else comes across the same question, this is the answer.

Obviously, you know about the CORS filter and that Tomcat filters will be applied only to servlets.

To make all static content go through some servlet, Tomcat has a special DefaultServlet - this is what you are looking for.

Basically, we just need to enable it in the deployment descriptor file (like WEB-INF/web.xml), for example like this:

    <servlet-mapping>
      <servlet-name>default</servlet-name>
      <url-pattern>/</url-pattern>
    </servlet-mapping>

    <servlet>
      <servlet-name>default</servlet-name>
      <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
    </servlet>

This way Tomcat filters, in our case the CORS filter, will be enabled for static content.

To test: for the CORS filter to actually set headers, such as Access-Control-Allow-Origin, we will need to add some other header, like Origin, to the request. For example:

    curl -H 'Origin: http://localhost/test' -i http://myserver/crossOrigin.resource

This way you will see something like:

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Access-Control-Allow-Origin: http://localhost/test
    Access-Control-Allow-Credentials: true
    Accept-Ranges: bytes
    ...
Renat Bekbolatov
This was not required in my setup with Tomcat 8.5. I just had to apply the solution of @johannes-jander. I fell into the trap that the CORS filter is very intelligent about when to send the headers and when not (see https://tomcat.apache.org/tomcat-8.0-doc/images/cors-flowchart.png). Just doing a GET from the browser will not show the headers at all, because it is not a cross-origin request. – koppor Nov 23 '16 at 11:40
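
The curl check from the answer above, taken one step further as an added example that is not part of the original answers: a small Python audit of the `curl -i` response headers that flags the wildcard-plus-credentials case mentioned in the first answer, an untrusted probe origin being echoed back, and a missing `Vary: Origin`. The function names, sample responses and trusted-origin list are assumptions made for illustration.

```python
# Added example (not from the answers above): audit CORS headers from `curl -i` output.

def parse_headers(raw):
    """Return {lowercased-name: value} from raw HTTP response text."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:                                 # ignore lines such as "..."
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_cors(raw, probe_origin, trusted_origins):
    """Findings for a response to a request sent with `Origin: probe_origin`."""
    h = parse_headers(raw)
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return ["no CORS headers: filter not applied, or origin not allowed"]
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*" and creds:
        findings.append("wildcard origin with credentials: browsers reject this")
    if acao == probe_origin and probe_origin not in trusted_origins:
        findings.append("untrusted origin accepted" + (" with credentials" if creds else ""))
    if acao != "*" and "origin" not in h.get("vary", "").lower():
        findings.append("origin-specific response without Vary: Origin")
    return findings

# Constructed sample responses (hypothetical hosts), shaped like the output above.
REFLECTED = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: http://untrusted.example
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
"""
PINNED = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://app.example
Access-Control-Allow-Credentials: true
Vary: Origin
"""
TRUSTED = {"https://app.example"}   # assumption: the origins you intend to allow

if __name__ == "__main__":
    for name, raw, origin in [("reflected", REFLECTED, "http://untrusted.example"),
                              ("pinned", PINNED, "https://app.example")]:
        print(name, audit_cors(raw, origin, TRUSTED))
```

Paste the saved output of a probe sent with an origin you do not intend to allow; an empty list for your real origin and a "no CORS headers" result for the untrusted one is the outcome to aim for.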