24

I am trying to consume some web services which are cross domain. When I disable Chrome's web-security it is working fine. I want it to work without this so I have tried adding cross-domain.xml and still it didn't work. When I searched more, I came to know about CORS enabling in Tomcat.

from http://www.w3.org/wiki/CORS_Enabled


For Apache

Apache can be configured to expose this header using mod_headers. This is enabled by default in Apache, however you may want to ensure it's enabled in your deployment by running the following command:

a2enmod headers

To expose the header, you can add the following line inside , , and sections, or within an .htaccess file.

<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
</IfModule>

Can anyone please let me know where to add these configurations in TOMCAT and in which files exactly. I am using tomcat from eclipse.

Appreciate any help.

fab
Ravi Dasari

3 Answers

19

CORS support in Tomcat is provided via a filter. You need to add this filter to your web.xml file and configure it to match your requirements. Full details on the configuration options available can be found in the Tomcat Documentation.

mimo
Mark Thomas
  • 15
    Thanks for your reply. But I have added that in my Web.xml and even tried using a servlet interceptor for adding header parameter for all responses with response.setHeader("Access-Control-Allow-Origin","*"). But it is not working. – Ravi Dasari Mar 20 '14 at 10:26
  • Even I have changed my configurations for web.xml and added response.setHeader("Access-Control-Allow-Origin", "*"); response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE"); response.setHeader("Access-Control-Max-Age", "3600"); But still facing the same issue. Can anyone help. – Tanvi Garg Oct 10 '17 at 05:15
  • 1
    This is an old thread. But if you are reading this comment, chances are that you have already configured your tomcat correctly. The CORS headers like allowed-origin are only exposed to requests that do have an ORIGIN header set. So if you are only rushing through documentation like me, you might be checking the dev tools of your browser and wondering where your headers are. Try this for testing: curl -I -H 'Origin: http://www.example.com' http://localhost:8080/ – hvsp Mar 30 '20 at 09:22
  • Can the same be done not only for CORS, but in general to allow certain methods overall? – Eli Halych Jan 05 '21 at 12:21
8

Check this answer: Set CORS header in Tomcat

Note that you need Tomcat 7.0.41 or higher.

To know where the current instance of Tomcat is located try this:

System.out.println(System.getProperty("catalina.base"));

You'll see the path in the console view.

Then look for /conf/web.xml in that folder, open it and add the lines from the above link.

jose
1

Just to add a bit of extra info over the right solution. Be aware that you'll need this class: org.apache.catalina.filters.CorsFilter. So in order to have it, if your Tomcat is not 7.0.41 or higher, download 'tomcat-catalina.7.0.41.jar' or higher (you can do it from http://mvnrepository.com/artifact/org.apache.tomcat/tomcat-catalina ) and put it in the 'lib' folder inside the Tomcat installation folders. I actually used 7.0.42. Hope it helps!
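
An added example, not part of the original thread and not the Tomcat project's own sample: a CorsFilter declaration for web.xml (the application's WEB-INF/web.xml or the conf/web.xml mentioned above) that allows one named origin instead of "*". The origin https://app.example.com and the /api/* URL pattern are assumptions; replace them with your own values.

```xml
<!-- Added example: place inside the <web-app> element of web.xml. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <!-- Assumed origin. List only the sites that must call this service;
         "*" lets any website read the responses. -->
    <param-name>cors.allowed.origins</param-name>
    <param-value>https://app.example.com</param-value>
  </init-param>
  <init-param>
    <!-- Methods the browser may use cross-origin. -->
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,OPTIONS</param-value>
  </init-param>
  <init-param>
    <!-- Request headers accepted in a preflight (Access-Control-Request-Headers). -->
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,Accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <!-- Keep credentials off unless the client must send cookies or HTTP auth. -->
    <param-name>cors.support.credentials</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <!-- Seconds the browser may cache the preflight result. -->
    <param-name>cors.preflight.maxage</param-name>
    <param-value>3600</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <!-- Assumed path: apply the filter only to the endpoints that need CORS. -->
  <url-pattern>/api/*</url-pattern>
</filter-mapping>
```

Requests whose Origin header matches the listed value get Access-Control-Allow-Origin in the response; requests sent without an Origin header get no CORS headers, as hvsp's comment notes.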