On Sat, Apr 26, 2014 at 12:53 AM, Terence M. Bandoian <tere...@tmbsw.com>wrote:
> On 4/24/2014 11:16 PM, Ankit Singhal wrote: > >> Hi >> >> I did more research on this and figure out the issue.If you see the >> headers >> from Android and look into Origin Header. >> >> Origin: file:// >> >> Tomcat CORS filter tries to validate the URI in Origin header and >> considers >> "file://" as an invalid URI and returns back 403. >> >> I have applied <accept-origin>*</accept-origin> params. So shouldn't CORS >> filter honor this ? >> >> I agree that Client also has the problem , but still server should also >> allow... >> > > > Hi, Ankit- > > Have you tried disabling or removing the CORS filter when you're testing > from the Android device? The flowchart in the Tomcat CORS documentation > indicates that the filter will attempt to validate the origin before it > determines whether or not it is allowed. Apparently, the file scheme is not > considered valid. > > Please Note: The convention on this list is to bottom-post. When you > reply to a message, please do so at the bottom of the message or inline, as > I've done here. Additional information may be found on the Tomcat web > site: http://tomcat.apache.org/lists.html#tomcat-users > > Hope that helps. > > -Terence Bandoian > > > >> >> >> On Fri, Apr 25, 2014 at 1:36 AM, Terence M. Bandoian <tere...@tmbsw.com >> >wrote: >> >> On 4/24/2014 1:14 PM, Jose María Zaragoza wrote: >>> >>> 2014-04-24 19:00 GMT+02:00 Terence M. Bandoian <tere...@tmbsw.com>: >>>> >>>> On 4/22/2014 1:37 PM, Jose María Zaragoza wrote: >>>>> >>>>> ---------- Forwarded message ---------- >>>>>> From: Terence M. Bandoian <tere...@tmbsw.com> >>>>>> Date: 2014-04-22 20:12 GMT+02:00 >>>>>> Subject: Re: CORS issue with Tomcat and Android Webview >>>>>> To: Tomcat Users List <users@tomcat.apache.org> >>>>>> >>>>>> >>>>>> On 4/22/2014 11:03 AM, Ankit Singhal wrote: >>>>>> >>>>>> Also we tried to give the same call from Android App to some >>>>>>> different >>>>>>> Node >>>>>>> server and things worked fine. So it seems some problem with Tomcat >>>>>>> only. >>>>>>> >>>>>>> A silly question: >>>>>>> >>>>>> What does it have to do Tomcat's CORS support with W3C Widget Access >>>>>> specification ? >>>>>> >>>>>> I have no idea about Phonegap but it looks like that it prefers to >>>>>> follow that specification for managing requests to different domains , >>>>>> right ? >>>>>> >>>>>> >>>>> Hi, Jose- >>>>> >>>>> The request/response headers in the original post were difficult for me >>>>> to >>>>> follow but basically, requests to Tomcat are successful when tested >>>>> with >>>>> Chrome (desktop? laptop? server? same as Tomcat?) and unsuccessful when >>>>> tested from an Android device. What are the differences between the two >>>>> environments? Do those differences have any effect on request >>>>> processing >>>>> by >>>>> the Tomcat CORS filter? If it were me, I'd find out. >>>>> >>>>> Well , I have no idea, but according this page >>>> >>>> http://www.html5rocks.com/en/tutorials/cors/ >>>> >>>> if Content-Type is application/json , then request is a "not simple >>>> request" ( sic. ) and it requires a OPTIONS preflight request ( >>>> including "Origin" header) >>>> And "Once the preflight request gives permissions, the browser makes >>>> the actual request" >>>> >>>> First case (Chrome browser) did but, but the second didn't >>>> >>>> Are you test to change the Content-Type ? >>>> >>>> Regards >>>> >>>> >>> Hi, Jose- >>> >>> From the page you cited: >>> >>> "The use-case for CORS is simple. Imagine the site alice.com has some >>> data that the site bob.com wants to access. This type of request >>> traditionally wouldn’t be allowed under the browser’s same origin policy. >>> However, by supporting CORS requests, alice.com can add a few special >>> response headers that allows bob.com to access the data." >>> >>> In this case, alice.com would be the server that hosts Tomcat. As you >>> suggest, the problem may very well be in the client but - FOR ME - it's >>> worth the effort to understand what should happen on both the client and >>> the server and to ensure that both are configured correctly. >>> >>> -Terence Bandoian >>> >>> >>> >>> >>>> On Tue, Apr 22, 2014 at 9:22 PM, Ankit Singhal >>>> >>>>> <ankising...@gmail.com>wrote: >>>>>>> >>>>>>> Hi All >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> I am facing a strange problem with Tomcat 8 and CORS. I am >>>>>>>> developing >>>>>>>> a >>>>>>>> Hybrid web app using ionicframework, AngularJS, Cordova as front end >>>>>>>> and >>>>>>>> Tomcat 8 and Spring 3 as back-end. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> For easy development I am testing the functionality in chrome , >>>>>>>> where >>>>>>>> things are working fine. I added CORS filter with standard >>>>>>>> configuration >>>>>>>> to >>>>>>>> allow CROSS ORIGIN requests from browser. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Today I converted my app into Android App and started making AJAX >>>>>>>> calls >>>>>>>> to >>>>>>>> tomcat server. To my surprise things stopped working . I debugged >>>>>>>> further >>>>>>>> and anomalies in the headers of browser and Android webview. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Browser sends 2 requests for same call OPTION and POST. But Android >>>>>>>> Webview only send POST request. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Browser Request Headers: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> OPTION: >>>>>>>> >>>>>>>> Remote Address:54.254.159.166:80 >>>>>>>> >>>>>>>> Request URL:http://medistreet.in/auth2 >>>>>>>> >>>>>>>> Request Method:OPTIONS >>>>>>>> >>>>>>>> Status Code:200 OK >>>>>>>> >>>>>>>> Request Headers >>>>>>>> >>>>>>>> OPTIONS /auth2 HTTP/1.1 >>>>>>>> >>>>>>>> Host: medistreet.in >>>>>>>> >>>>>>>> Connection: keep-alive >>>>>>>> >>>>>>>> Access-Control-Request-Method: POST >>>>>>>> >>>>>>>> Origin: http://localhost >>>>>>>> >>>>>>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 >>>>>>>> (KHTML, >>>>>>>> like Gecko) Chrome/34.0.1847.116 Safari/537.36 >>>>>>>> >>>>>>>> Access-Control-Request-Headers: accept, content-type >>>>>>>> >>>>>>>> Accept: */* >>>>>>>> >>>>>>>> Referer: http://localhost/ >>>>>>>> >>>>>>>> Accept-Encoding: gzip,deflate,sdch >>>>>>>> >>>>>>>> Accept-Language: en-US,en;q= >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> POST: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Remote Address:54.254.159.166:80 >>>>>>>> >>>>>>>> Request URL:http://medistreet.in/auth2 >>>>>>>> >>>>>>>> Request Method:POST >>>>>>>> >>>>>>>> Status Code:200 OK >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Request Headers >>>>>>>> >>>>>>>> Accept:application/json, text/plain, */* >>>>>>>> >>>>>>>> Accept-Encoding:gzip,deflate,sdch >>>>>>>> >>>>>>>> Accept-Language:en-US,en;q= >>>>>>>> >>>>>>>> Connection:keep-alive >>>>>>>> >>>>>>>> Content-Length:39 >>>>>>>> >>>>>>>> Content-Type:application/json;charset=8 >>>>>>>> >>>>>>>> >>>>>>>> Host:medistreet.in >>>>>>>> >>>>>>>> Origin:http://localhost >>>>>>>> >>>>>>>> Referer:http://localhost/ >>>>>>>> >>>>>>>> User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 >>>>>>>> (KHTML, >>>>>>>> like Gecko) Chrome/34.0.1847.116 Safari/537.36 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Android Request Headers: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Request URL:http://medistreet.in/auth2 >>>>>>>> >>>>>>>> Request Method:POST >>>>>>>> >>>>>>>> Status Code:403 Forbidden >>>>>>>> >>>>>>>> Request Headers >>>>>>>> >>>>>>>> POST http://medistreet.in/auth2 >>>>>>>> HTTP/1.1<http://medistreet.in/auth2%20HTTP/1.1> >>>>>>>> >>>>>>>> Accept: application/json, text/plain, */* >>>>>>>> >>>>>>>> Origin: file:// >>>>>>>> >>>>>>>> User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; XT1033 >>>>>>>> Build/KXB20.25-1.31) >>>>>>>> AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 >>>>>>>> Mobile >>>>>>>> Safari/537.36 >>>>>>>> >>>>>>>> Content-Type: application/json;charset=8 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> The difference here I see is with Number of headers and specially >>>>>>>> Origin >>>>>>>> Header which contains "file://". To overcome this I added more >>>>>>>> option >>>>>>>> is CORS filter: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> <filter> >>>>>>>> >>>>>>>> <filter-name>CorsFilter</filter-name> >>>>>>>> >>>>>>>> <filter-class>org.apache.catalina.filters.CorsFilter</filter-class> >>>>>>>> >>>>>>>> <init-param> >>>>>>>> >>>>>>>> <param-name>cors.allowed.origins</param-name> >>>>>>>> >>>>>>>> <param-value>*</param-value> >>>>>>>> >>>>>>>> </init-param> >>>>>>>> >>>>>>>> </filter> >>>>>>>> >>>>>>>> <filter-mapping> >>>>>>>> >>>>>>>> <filter-name>CorsFilter</filter-name> >>>>>>>> >>>>>>>> <url-pattern>/*</url-pattern> >>>>>>>> >>>>>>>> </filter-mapping> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Another strange thing is that when we send the same Android request >>>>>>>> Headers from POSTMAN (chrome REST plugin) request is successful. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> POSTMAN Headers: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Remote Address:54.254.159.166:80 >>>>>>>> >>>>>>>> Request URL:http://medistreet.in/auth2 >>>>>>>> >>>>>>>> Request Method:POST >>>>>>>> >>>>>>>> Status Code:200 OK >>>>>>>> >>>>>>>> Request Headers >>>>>>>> >>>>>>>> Accept:application/json, text/plain, */* >>>>>>>> >>>>>>>> Accept-Encoding:gzip,deflate,sdch >>>>>>>> >>>>>>>> Accept-Language:en-US,en;q= >>>>>>>> >>>>>>>> >>>>>>>> Cache-Control:no-cache >>>>>>>> >>>>>>>> Connection:keep-alive >>>>>>>> >>>>>>>> Content-Length:39 >>>>>>>> >>>>>>>> Content-Type:application/json;charset=8 >>>>>>>> >>>>>>>> Cookie:fbm_464284963672217�se_domain=edistreet.in; >>>>>>>> JSESSIONID�435755F03D7B045DD6E33D1D16AC51; >>>>>>>> >>>>>>>> fbsr_464284963672217=SqF-nWquTFPk_-5wAtI0jTImBNkVxglUT-gHNSw. >>>>>>>> eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiJBUUQ0UEZZVXE4 >>>>>>>> eDFIa3V6OW9RV3RlVzE4clQ3SmtVRjBzU1VVcXhfV1BENG8tV1BZYjZuTVdD >>>>>>>> dDJGMmw4TjJUeUxLSzhIYUU1TUc2MkY5cXZOaXRMN3NGdklNZkhySmluYkdj >>>>>>>> MWs1THAyZnZYa2Zpa1lLVGJ0OWlZeXVvRDNWUDhTblp4czJCeTQ4RTlYY1Zj >>>>>>>> UmhGWGJsNnFMeG5YcWxxQ0d3b0hRM1ctRWhlLU02ejVITnhhakJtaVFRVk9P >>>>>>>> anFBVUtMSlk4Y3pLa0RtejFSY3RjTEFRaW16X1lkLUFkUngxUGwzajVNczdW >>>>>>>> OFdiMW9xeC05QjA0T2xraXktVU9ZalpSRUJsZjhibnZjQXQ2aUZTc1d2QTA3 >>>>>>>> TjVUYnFIekVxQ0JIYjJNRG4tSUJhajl6TEMwQlVpckM0YzJXbC1GVDNhcyIs >>>>>>>> Imlzc3VlZF9hdCI6MTM5ODE4MDg2NCwidXNlcl9pZCI6IjU3NjI1MjI2MiJ9 >>>>>>>> >>>>>>>> >>>>>>>> Host:medistreet.in >>>>>>>> >>>>>>>> Origin:chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm >>>>>>>> >>>>>>>> User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 >>>>>>>> (KHTML, >>>>>>>> like Gecko) Chrome/34.0.1847.116 Safari/537.36 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> After this also there is no solution to the problem . I suspect >>>>>>>> that >>>>>>>> Android Webview is not sending something which Tomcat is rejecting. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Any help will highly be appreciated. >>>>>>>> >>>>>>>> >>>>>>>> Regards >>>>>>>> >>>>>>>> Ankit >>>>>>>> >>>>>>>> Hi, Ankit- >>>>>> >>>>>> I would double-check the documentation for the Tomcat CORS filter and >>>>>> the Cordova whitelist implementation: >>>>>> >>>>>> https://tomcat.apache.org/tomcat-7.0-doc/config/filter. >>>>>> html#CORS_Filter >>>>>> http://docs.phonegap.com/en/3.4.0/guide_appdev_whitelist_ >>>>>> index.md.html >>>>>> >>>>>> Hope that helps. >>>>>> >>>>>> -Terence Bandoian >>>>>> >>>>>> >>>>>> --------------------------------------------------------------------- >>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org >>>>>> >>>>>> >>>>>> ------------------------------------------------------------ >>>>> --------- >>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>>> For additional commands, e-mail: users-h...@tomcat.apache.org >>>>> >>>>> >>>>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >>> >>> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > Hi Removing the CORS filter is not an option , as our site is serving the Web pages as well and also the JSON data for the mobile app created in Phonegap. @Chris: I checked the trunk code as well. If you see "dofilter()" method , it first do "checkRequestType ()" , where it checks for "isValidOrigin" first. Based of the results it makes it INVALID CORS. . I hacked the code and made "IsValidOrigin" always return true. Things started working after that..
