Exact Tomcat 8 version? Exact Tomcat 9 version? How is CORS configured in your application?
Mark

On 06/02/2019 10:36, Jörg Schaible wrote:
> Hi,
>
> we have a strange symptom after an upgrade from Tomcat 8 to Tomcat 9, because
> we get a 403 for a call that works flawlessly with the previous version.
>
> Let's describe the scenario: We have a customer with a Wordpress application
> hosted on an Apache server. Some pages perform XMLHttpRequests to load and
> embed HTML snippets from other sources. One such source is our (load-balanced)
> web application running on Tomcat. These requests are using GET or POST,
> depending on the situation. However, after the switch from Tomcat 8 to Tomcat
> 9, the GET request is answered by Tomcat with 403. And the only trace is an
> entry in the access_log. However, if we use the request URL directly in the
> browser, the call succeeds.
>
> We are using a vanilla installation of Tomcat. The load-balancer will map the
> HTTPS calls on port 443 to HTTP on port 8080. The only modification to the
> configuration is in catalina.properties, where we skip the jar scanning:
>
> - tomcat.util.scan.StandardJarScanFilter.jarsToSkip=*
>
> And we have some additional attributes at the connector in the server.xml:
>
> <Connector
>     port="8080" protocol="HTTP/1.1"
>     connectionTimeout="20000"
>     redirectPort="8443"
>     maxThreads="1000"
>     acceptCount="400"
>     allowHostHeaderMismatch="true" />
>
> Originally we suspected the "allowHostHeaderMismatch" attribute, because it
> changed its default from true in Tomcat 8 to false in Tomcat 9, but it had no
> effect on the communication.
>
> If we look at the network analysis in the browser, we have the following request
> parameters (example):
>
> ====== %< ====
> GET https://tomcat.test-server.local/app/service?param=1
>
> The HTTP request header contains:
> - Host: tomcat.test-server.local
> - Origin: https://www.test-server.local
> - Referrer: https://www.test-server.local/
> - DNT: 1
>
> The HTTP response header contains:
> - Access-Control-Allow-Credentials: true
> - Access-Control-Allow-Origin: https://www.test-server.local
> - Cache-Control: no-cache
> - Content-Type: text/xml;charset=UTF-8
> - Server: Apache-Coyote/1.1
> - Transfer-Encoding: chunked
> ====== %< ====
>
> We found the switched default for "allowHostHeaderMismatch" by chance. Are
> there other parameters in the Tomcat configuration that are new or have changed
> their default, which may influence this communication?
>
> What's the best way to analyze this on the Tomcat side? Are there any special
> logger settings to get more info about this 403?
>
> Regards,
> Jörg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> ---------------------------------------------------------------------
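The 403 together with the Access-Control-Allow-Origin and Access-Control-Allow-Credentials response headers point at the CORS configuration Mark asks about. As an added illustration, not configuration taken from the thread or from Tomcat's own examples, here is what an explicit allowlist for Tomcat's built-in CorsFilter looks like in the application's WEB-INF/web.xml. The origin is the one from Jörg's capture; the method list, header list and url-pattern are assumptions that would have to be adapted to the application.

```xml
<!-- web.xml excerpt (illustrative). Tomcat's CorsFilter rejects any request that
     carries an Origin header not on this list with a 403 before the servlet
     runs, which is consistent with "only an access_log entry" and with the
     same URL working when typed into the browser (no Origin header is sent). -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <!-- Only the Wordpress front end may call this service. Never use "*"
         here together with cors.support.credentials=true: browsers reject
         a wildcard origin on a credentialed response. -->
    <param-name>cors.allowed.origins</param-name>
    <param-value>https://www.test-server.local</param-value>
  </init-param>
  <init-param>
    <!-- Assumed: the GET and POST used by the XMLHttpRequests, plus OPTIONS
         so that preflight requests for the POST case are answered. -->
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,OPTIONS</param-value>
  </init-param>
  <init-param>
    <!-- Assumed request headers; add only what the front end actually sends. -->
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,Accept,Origin</param-value>
  </init-param>
  <init-param>
    <!-- Yields the "Access-Control-Allow-Credentials: true" seen in the capture. -->
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <!-- Assumed: narrow this to the paths that are really called cross-origin. -->
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

CorsFilter only reports the reason for a rejection at debug level, so the access log alone shows nothing but the 403. To see which origin or method was refused, raise the filter's logger in conf/logging.properties with `org.apache.catalina.filters.CorsFilter.level = FINE` and restart; the rejection message then appears in catalina.out. Because the load balancer terminates TLS and forwards plain HTTP on port 8080, it is also worth confirming that the origin string Tomcat compares against is exactly the `https://` value the browser sends, scheme and port included, rather than a rewritten one.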