Access-Control-Allow-Origin: * in tomcat

Question

I want to set a default http header in my tomcat container -

Access-Control-Allow-Origin: *

From various different links on stackoverslow and from google, most have pointed to a resource. This again says same on how to do it. I have replicated the same, but still the header is not shown. This is what I have done: 1) Copied cors.jar file in /lib folder of tomcat 2) Inserted this text in web.xml

<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <init-param>
     <param-name>cors.allowOrigin</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
     <param-name>cors.supportedMethods</param-name>
        <param-value>GET, POST, HEAD, PUT, DELETE</param-value>
    </init-param>
    <init-param>
     <param-name>cors.supportedHeaders</param-name>
        <param-value>Content-Type, Last-Modified</param-value>
    </init-param>
    <init-param>
        <param-name>cors.exposedHeaders</param-name>
        <param-value>Set-Cookie</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportsCredentials</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

It doesn't work and I am helpless. My tomcat version is -6.0.6. Please help.

I don't think you can set cors.allowOrigin to everything (*) and set cors.supportsCredentials to true at the same time. — maximum, Feb 24 '20 at 15:46

score 19 · Answer 1 · answered Jul 03 '13 at 20:35

19

At the time of writing this, the current version of Tomcat 7 (7.0.41) has a built-in CORS filter http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter

answered Jul 03 '13 at 20:35

Pere Barceló

364
2
3

Jatin · Accepted Answer · 2014-03-04T06:44:54.423

The issue arose because of not including jar file as part of the project. I was just including it in tomcat lib. Using the below in web.xml works now:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>

 <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>

    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportsCredentials</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedHeaders</param-name>
        <param-value>accept, authorization, origin</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>GET, POST, HEAD, OPTIONS</param-value>
    </init-param>
</filter>


<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

And the below in your project dependency:

<dependency>
    <groupId>com.thetransactioncompany</groupId>
    <artifactId>cors-filter</artifactId>
    <version>1.3.2</version>
</dependency>

I am having issues as well. What file do you put the project dependency in? — Josh, Mar 20 '14 at 22:27
My project worked without the cors-filter dependency and suddenly stopped working. After adding it it works again. — Kenci, Feb 27 '15 at 09:40
My project was not a maven build, so do I need to add the project dependency? I've updated the jars and web.xml file, but it didn't work. — Giri, Jan 14 '16 at 16:31
If you don't have java-property-utils dependency already in your classpath add that also else NoClassDefFoundError will appear. Because cors filter has a dependancy on it. — Mohammed Javad, Oct 09 '19 at 13:30
official tomcat documentation can be found here: https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter — rip747, Aug 15 '20 at 22:27

score 10 · Answer 3 · answered Feb 12 '13 at 15:56

Change this:

<init-param>
    <param-name>cors.supportedHeaders</param-name>
    <param-value>Content-Type, Last-Modified</param-value>
</init-param>

To this

<init-param>
    <param-name>cors.supportedHeaders</param-name>
    <param-value>Accept, Origin, X-Requested-With, Content-Type, Last-Modified</param-value>
</init-param>

I had to do this to get anything to work.

score 8 · Answer 4 · answered Jul 04 '17 at 02:49

Try this.

1.write a custom filter

    package com.dtd.util;

    import javax.servlet.*;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;

    public class CORSFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {

        }

        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
            httpResponse.addHeader("Access-Control-Allow-Origin", "*");
            filterChain.doFilter(servletRequest, servletResponse);
        }

        @Override
        public void destroy() {

        }
    }

2.add to web.xml

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>com.dtd.util.CORSFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
 </filter-mapping>

score 3 · Answer 5 · answered Feb 08 '21 at 08:08

I was setting up cors.support.credentials to true along with cors.allowed.origins as *, which won't work.

When cors.allowed.origins is * , then cors.support.credentials should be false (default value or shouldn't be set explicitly).

https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

score 1 · Answer 6 · edited Nov 01 '12 at 17:59

1

Please check your web.xml again. You might be making some silly mistake. As my application is working fine with the same init-param configuration...

Please copy paste the web.xml, if the problem still persists.

edited Nov 01 '12 at 17:59

McGarnagle

101,349
31
229
260

answered Nov 01 '12 at 17:39

Sudipta Ghorui

149
6

epsilonpsi · Answer 7 · 2014-03-04T18:56:36.750

1

I had to restart the browser after changing the ip address (laptop wireless DHCP) which was my "cross-host" I was referring to in my web app, which resolved the issue.

Also make sure all the cors headers being added by your browser/host are accepted/allowed by including then in the cors.allowed.headers

edited Mar 04 '14 at 18:56

answered Mar 03 '14 at 21:41

epsilonpsi

3,753
3
17
16

score 0 · Answer 8 · answered May 06 '22 at 00:58

I had the same problem. I tried following the tomcat reference at https://tomcat.apache.org/tomcat-10.0-doc/config/filter.html, but what really worked was using this:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,PUT,DELETE,HEAD,OPTIONS</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Access-Control-Allow-Origin: * in tomcat

8 Answers8

Linked