1

I have been trying to enable CORS on my Microsoft Azure Apache Tomcat server and I have tried quite a lot of techniques but I am still unable to get CORS up and running. I have added this to the web.xml file and no luck in getting that enabled. 

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

I keep getting an error:

XMLHttpRequest cannot load url&output=json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://url.net' is therefore not allowed access.

Any suggestions on how I can achieve this quickly? I have been looking at loads of resources online and I can't get it to work unfortunately. Looking forward to your suggestions.

Neophile
  • 5,660
  • 14
  • 61
  • 107
  • I have tried that but I haven't found that answer helpful and I'm thinking that CORS is still not yet enabled on my server despite doing what I mentioned above. Any more steps to verify this? – Neophile May 11 '15 at 15:31
  • Ok Mikaveli. I'm giving that a go. I'll post back in a minute with my finding. – Neophile May 11 '15 at 15:44

1 Answers1

1

Your web.xml looks ok, so I'm expecting it does set the response header as requested (your question doesn't make this clear either way).

However on some modern browsers (Chrome, Firefox etc.), you'll find they won't allow wildcard origins:

<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
</init-param>

Instead, you'll need to specify an expected domain, for greater security:

<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>http://otherdomain.com</param-value>
</init-param>

Usefully, the list of origins can be comma separated:

A * can be specified to enable access to resource from any origin. Otherwise, a whitelist of comma separated origins can be provided. Eg: http://www.w3.org, https://www.apache.org. Defaults: * (Any origin is allowed to access the resource)

Source: https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

Michael
  • 7,348
  • 10
  • 49
  • 86
  • Thanks for your answer. I am still getting an error in making my request and I feel CORS is yet not been enabled. I am changing the web.xml from the apache-tomcat-7.0.52/conf/web.xml area. I am getting an error: {"readyState":0,"status":0,"statusText":"NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'url'."} And my DOM shows the error I mentioned in my question. – Neophile May 11 '15 at 15:47
  • What do the server response headers look like? You can view them in your browsers developer perspective, in the network tab. – Michael May 11 '15 at 15:49
  • The server response header looks ok and gives a correct response i.e. 200. `Content-Length:66 Content-Type:application/json;charset=UTF-8 Date:Mon, 11 May 2015 15:45:43 GMT Server:Apache-Coyote/1.1` – Neophile May 11 '15 at 15:51
  • Also, remember things like your headers must be an exact match (see http://stackoverflow.com/questions/13146892/cors-access-control-allow-headers-wildcard-being-ignored). I'd suggest removing all the extra params in your question and retrying, to see if you have a misconfiguration somewhere there. – Michael May 11 '15 at 15:53
  • Yes I have removed all extra parameters and just keeping the one I need but still I keep getting an error. – Neophile May 11 '15 at 15:59
  • Is there a way I can know whether CORS is enabled or not on my server? – Neophile May 11 '15 at 16:00
  • 2
    Take a look at http://stackoverflow.com/q/21792759/827480. I had similar CORS problems in the past, and ended attaching a debugger to Tomcat to step through the filter. If memory serves, you can modify logger options to see debug statements from the filter, but I don't have access to the sources from here and don't remember them well enough offhand. – Eric B. May 11 '15 at 16:30
  • So its better I check the request and the response parameters and make sure I receive all back. Is there a way I can specify that I would like to have certain parameters in my response? – Neophile May 12 '15 at 09:05
  • 2
    The biggest thing is to make sure that all the headers you are sending are in the CORS filter defn. Case sensitive. You can use a proxy like fiddler or charles (or even the browser tools depending where your requests are coming from) and check that all the allowed headers are listed in your CORS defn. – Eric B. May 12 '15 at 15:17