2

I have a running instance with Tomcat 7 and a Java app. I wanted to make a copy of the instance. In Amazon, I clicked "create image" and launched a new instance from it. After that, I tried to work with the new instance. When I make simple requests it works, but when I try from a browser I get a CORS error:

Access to XMLHttpRequest at 'https://xxxxxx/getConfiguration' from origin 'http://xxxxxx:9000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Nothing has changed in my server or my front-end configuration. When I work with the old server it works. The CORS filter is the same:

```xml
<filter>
    <filter-name>CORS</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>

    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportsCredentials</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Accept, Origin, X-Requested-With, Content-Type, Last-Modified, Access-Control-Request-Method,Access-Control-Request-Headers,authorization</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,HEAD,OPTIONS,PUT,DELETE</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

Moshe Shaham
  • Please add ` cors.exposed.headers Access-Control-Allow-Origin,Access-Control-Allow-Credentials ` to your filter and let me know if it works or not – Mohsen Dec 11 '18 at 12:25
  • @Spara not working – Moshe Shaham Dec 11 '18 at 12:33
  • [This](https://github.com/quickhack/tomcat/blob/master/src/main/java/org/apache/catalina/filters/CorsFilter.java) is the CorsFilter of Tomcat, and [this](https://i.stack.imgur.com/uzud1.png) is the CORS flowchart. Maybe reading them will help you to resolve the problem – Mohsen Dec 11 '18 at 12:51
  • @Spara But this already works. What can change when I copy an instance? – Moshe Shaham Dec 11 '18 at 13:02
  • Yeah, I know that's kind of a strange event! – Mohsen Dec 11 '18 at 13:06
  • @MosheShaham Check for any hardcoded URL calling the previous server. You can also check the access logs of the frontend server to see whether you are receiving the request on the copied server or not. – Nauman Rafique Apr 17 '19 at 11:34

2 Answers

1

Compare the init parameter names that you used

```xml
<init-param>
    <param-name>cors.allowOrigin</param-name>
    <param-value>*</param-value>
</init-param>
<init-param>
    <param-name>cors.supportsCredentials</param-name>
    <param-value>false</param-value>
</init-param>
```

and the configuration reference documentation of Tomcat 7. You are spelling them incorrectly.

The default value of cors.allowed.origins was changed in May 2018 (for Tomcat 7.0.89, 8.5.32, 9.0.9) to address CVE-2018-8014 (bug 62343).

Konstantin Kolinko
  • This answer is accurate. For some reason, the Tomcat version was upgraded from under 7.0.89 to above 7.0.89 - so the parameter names indeed changed! – Moshe Shaham Apr 21 '19 at 06:42
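
A check for the mistake this answer points out, as an added example that is not part of the original answer or of Tomcat: it parses a `web.xml` and reports `CorsFilter` init-param names that are not in the Tomcat configuration reference, since the filter never reads those and falls back to its defaults. The function name `audit_cors_filters` and the sample `web.xml` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# init-param names documented for org.apache.catalina.filters.CorsFilter
KNOWN_PARAMS = {
    "cors.allowed.origins", "cors.allowed.methods", "cors.allowed.headers",
    "cors.exposed.headers", "cors.preflight.maxage",
    "cors.support.credentials", "cors.request.decorate",
}
CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

# Constructed sample: a shortened form of the question's filter inside <web-app>.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><filter>
<filter-name>CORS</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param><param-name>cors.allowOrigin</param-name><param-value>*</param-value></init-param>
<init-param><param-name>cors.supportsCredentials</param-name><param-value>false</param-value></init-param>
<init-param><param-name>cors.allowed.methods</param-name><param-value>GET,POST</param-value></init-param>
</filter></web-app>"""

def _local(tag):
    """Drop an XML namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_cors_filters(web_xml):
    """Return findings for every Tomcat CorsFilter declared in the web.xml text."""
    findings = []
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) != "filter" or _child_text(flt, "filter-class") != CORS_FILTER_CLASS:
            continue
        params = {}
        for ip in flt:
            if _local(ip.tag) == "init-param":
                params[_child_text(ip, "param-name")] = _child_text(ip, "param-value")
        for name in sorted(n for n in params if n and n not in KNOWN_PARAMS):
            findings.append(f"unknown init-param ignored by the filter: {name}")
        if "cors.allowed.origins" not in params:
            findings.append("cors.allowed.origins not set: the version's default applies")
        elif params["cors.allowed.origins"] == "*" and (params.get("cors.support.credentials") or "").lower() == "true":
            findings.append("'*' origin combined with credentials support")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_cors_filters(SAMPLE)))
```

Run against the sample, it reports both misspelled names and the missing `cors.allowed.origins`, which is the setting whose default the answer says changed in 7.0.89.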
0

Did you have your JavaScript/HTML/CSS on the same server as your old instance?

When the browser makes an API call, if the API address is on a different server/domain from the JavaScript path, the browser will check the CORS header of the API to ensure this server allows cross-origin requests. In the old instance, everything is in the same place, so there is no need to do so. But in the new instance, your app needs to return the CORS header to the client.

You can see this question to learn how to add a CORS header to your application in Tomcat:

Set CORS header in Tomcat