5

I have a GeoServer application, running on top of Tomcat. What I want is to set one extra response header - Access-Control-Allow-Origin: *. I need this because now I cannot implement on feature in my map application, since in browser I get

The operation is insecure

message

According to this thread, I need to set this header: "Access-Control-Allow-Origin: *" and according to this thread in Tomcat I can set it via CATALINA_HOME/conf/web.xml:

<filter>
   <filter-name>CorsFilter</filter-name>
   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
 </filter>
 <filter-mapping>
   <filter-name>CorsFilter</filter-name>
   <url-pattern>/*</url-pattern>
 </filter-mapping>

I did exatly that, restarted the Tomcat, but still I do not see that header in response. This what server responds to the client:

enter image description here

So, how can I fix it? How can I force my GeoServer application (third party application) to respond with "Access-Control-Allow-Origin: *" ?

EDIT

I should add, that I'm using Tomcat 8. Besides, my filter now looks like:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
  <param-name>cors.allowed.origins</param-name>
  <param-value>*</param-value>
  </init-param>
  <init-param>
  <param-name>cors.allowed.methods</param-name>
  <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
</filter>
<filter-mapping>
 <filter-name>CorsFilter</filter-name>
 <url-pattern>/*</url-pattern>
</filter-mapping>

I added this filter both to the main web.xml and to the web.xml of the application, but to no avail. So, it seems like all previous solutions to this problem are outdated.

Community
  • 1
  • 1
Jacobian
  • 10,122
  • 29
  • 128
  • 221
  • Look at this http://stackoverflow.com/questions/24386712/tomcat-cors-filter – pedrofb Dec 15 '16 at 16:49
  • I put your first filter definition into the `web.xml` of the ROOT app of my Tomcat 8.0.24 and the Access-Controls- headers appeared in the response. How did you test it? I'd suggest to use http://www.test-cors.org/ - put the url of your tomcat webapps into the remote server field and press "Send request". You should see a `Access-Control-Allow-Origin:http://www.test-cors.org` in the response. – gus27 Dec 16 '16 at 15:12
  • Is this an arcgis server or the open source geoserver application? – Steve Jan 11 '23 at 22:56

2 Answers2

3

I have just had the same problem and my solution was to add that code you mentioned in the geoserver web.xml

That was enough to solve the problem. No need to change anything in Tomcat

So just do:

CORS * for GeoServer with Tomcat add following to /var/lib/tomcat7/webapps/geoserver/WEB-INF/web.xml

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
<init-param>
  <param-name>cors.allowed.methods</param-name>
  <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
</init-param>   
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

At the end just restart tomcat (sudo systemctl restart tomcat.service)

BuZZ-dEE
  • 6,075
  • 12
  • 66
  • 96
dreieck
  • 39
  • 9
0

Make sure when testing you are adding an Origin header to the request. Otherwise CORS response headers won't be returned. This will be done by the browser with any actual cross origin requests.

jnewmoyer
  • 43
  • 4