
I have a very basic question.

I have an application, www.myapp1.com, hosted on a Tomcat server. It in turn calls APIs hosted at myapis.com/api1 on an Apache server.

While loading the page, it breaks stating -

XMLHttpRequest cannot load myapis.com/api1. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'www.myapp1.com' is therefore not allowed access. The response had HTTP status code 403.

I understand I have to enable CORS. My question is which server do I enable CORS on? Should it be www.myapp1.com or myapis.com/api1?

I tried enabling CORS on www.myapp1.com, which is a Tomcat 7.0.59 server, by adding the minimal filter (below) to the /config/web.xml file and restarting the server. However, it is not working. Do I need to add/configure anything else?

```xml
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

Is the wildcard in url-pattern causing a problem? Do I have to do anything to set up the filter-class?

I am using Chrome to test. Please help.

TechiRik
  • Possible duplicate of [How to enable CORS on a Wordpress Subdomain?](http://stackoverflow.com/questions/38378729/how-to-enable-cors-on-a-wordpress-subdomain) – Phill Healey Aug 19 '16 at 21:15

1 Answer

The default value of `cors.exposed.headers` is "". Adding this parameter could fix the issue.

```xml
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
</filter>
```
Beck Yang
  • I have now added the init-params as mentioned in the advanced configuration http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter – TechiRik Jun 14 '16 at 23:55
  • No change. When I am looking at Dev Tools->Network in Chrome, I can see the following irrespective of whether I have CORS filter enabled. OPTIONS /api1 HTTP/1.1 Host: myapis.com Connection: keep-alive Access-Control-Request-Method: GET Origin: https://myapp1.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 Access-Control-Request-Headers: access-control-allow-origin, authorization Accept: */* Referer: https://myapp1.com Accept-Encoding: gzip, deflate, sdch, br Accept-Language: en-US,en;q=0.8 – TechiRik Jun 15 '16 at 00:11
  • What error do you see in **Dev Tools -> Console**? If the error is the same as before, please check the again, it is case sensitive. – Beck Yang Jun 15 '16 at 13:19
  • I forgot the most important thing. The CORS filter setting must be added to `myapis.com/api1` – Beck Yang Jun 15 '16 at 13:31
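
An added example (not code from the question, the answer or Tomcat): a simplified JavaScript model of the check a browser applies to a preflight response, run against the OPTIONS request quoted in the comments above. It shows that the response from the API host, myapis.com, decides the outcome, and that the `access-control-allow-origin` name listed in `Access-Control-Request-Headers` (a response header that the client is sending as a request header) must either be permitted by the API or no longer be sent. The function names, the response objects and the reason strings are constructed for illustration.

```javascript
// Simplified model of a browser's CORS preflight check (illustrative, not browser code).
// Simplifications: names and methods compared case-insensitively, no credentials mode.
function parseList(value) {
  return (value || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

function checkPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;

  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin) return "no Access-Control-Allow-Origin header";
  if (allowOrigin !== "*" && allowOrigin !== req.origin) return "origin not allowed";
  if (res.status < 200 || res.status > 299) return "preflight status " + res.status;

  const methods = parseList(h["access-control-allow-methods"]);
  const method = req.method.toLowerCase();
  if (!["get", "head", "post"].includes(method) &&
      !methods.includes(method) && !methods.includes("*")) return "method not allowed";

  const allowed = parseList(h["access-control-allow-headers"]);
  for (const name of parseList(req.requestHeaders)) {
    // "*" never covers Authorization; it must be listed by name.
    const wildcard = allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !wildcard) return "request header not allowed: " + name;
  }
  return "ok";
}

// Preflight from the comment thread (values copied from the quoted OPTIONS request).
const preflight = {
  origin: "https://myapp1.com",
  method: "GET",
  requestHeaders: "access-control-allow-origin, authorization",
};
// Constructed responses from myapis.com, the host that must answer the preflight.
const responses = {
  asReported: { status: 403, headers: {} },
  originOnly: { status: 200, headers: { "Access-Control-Allow-Origin": "https://myapp1.com" } },
  complete: { status: 200, headers: {
    "Access-Control-Allow-Origin": "https://myapp1.com",
    "Access-Control-Allow-Methods": "GET, OPTIONS",
    "Access-Control-Allow-Headers": "authorization, access-control-allow-origin",
  } },
};

for (const [label, res] of Object.entries(responses)) {
  console.log(label + ": " + checkPreflight(preflight, res));
}
```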