0

I have browsed all answers related to cors. I haven't found the actual solution to my problem. Any help would be appreciated.

I have an angular application from which is calling the apis of java web application which is in tomcat server.

If I remove all the security constraints in the web.xml by adding this CorsFilter I am able to make a GET request from the angular app. 

<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Accept,Accept-Encoding,Accept-Language,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,Connection,Content-Type,Host,Origin,Referer,Token-Id,User-Agent, X-Requested-With</param-value>
</init-param>
<init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
</init-param>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

However when I add the security constraint, 

 <security-constraint>
        <web-resource-collection>
            <web-resource-name>secure</web-resource-name>
            <url-pattern>/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
             <http-method>PUT</http-method>
             <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>PLATFORM Users</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>My Realm</realm-name>
    </login-config>

    <security-role>
        <description>The role that is required to log in pages.</description>
        <role-name>PLATFORM Users</role-name>
    </security-role>

It's giving 200 for OPTIONS request, 403 forbidden for GET request.

What's the reason for this behavior?

Ps. I am calling the java application from my localhost:4200

Prajwal
  • 563
  • 7
  • 22
  • Possible duplicate of [CORS - Calling rest services on Tomcat from angular](https://stackoverflow.com/questions/44437816/cors-calling-rest-services-on-tomcat-from-angular) – mkjh Jan 04 '19 at 06:45
  • Are you sure that 403 forbidden is really caused by cors filter, and not your user failing one of the security constraints like the role-name or you dont have the basic auth header set? – maslan Jan 04 '19 at 07:16
  • @maslan thanks for the response. I didn't quite understand what is basic auth header? and if the user fails the role-name check it should say 401 right? – Prajwal Jan 05 '19 at 18:59
  • When you do basic authentication (and you appear to do so cause of the auth-method=BASIC) you are required to do requests with an Authorization header with credentials base64'ed. If not that might be the reason you are getting 403 – maslan Jan 08 '19 at 12:58
  • @maslan I m sending it like that – Prajwal Jan 08 '19 at 18:33

0 Answers0