On 2/6/2015 2:21 AM, Brian wrote:
> Hello Mark,
>
> 1- No authentication at all, since the user authenticates sending a
> parameter in the query string.
>
> 2- I have two filters:
> "org.tuckey.web.filters.urlrewrite.UrlRewriteFilter" (which has
> been working fine for years now) and.... CORS, yes!!! Actually, the
> CORS filter (org.apache.catalina.filters.CorsFilter) is the first
> filter in my web.xml file, so it is the first to run. This is the
> way I have configured it:
>
> <filter>
>   <filter-name>CorsFilter</filter-name>
>   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>   <init-param>
>     <param-name>cors.allowed.origins</param-name>
>     <param-value>*</param-value>
>   </init-param>
>   <init-param>
>     <param-name>cors.support.credentials</param-name>
>     <param-value>false</param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>CorsFilter</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> I added the CORS filter probably two months ago, and probably I
> have started seeing the 403 errors since then, yes! And now that I
> think about it, probably it is the CORS filter the reason of the
> 403 indeed, since my API is being called not only from servers but
> also from JavaScript running in all kinds of browsers and maybe some
> of them don't deal with CORS properly. That would explain why the
> 403s happen occasionally. In fact, I see this 403 occurring in most
> of the cases by one specific user (authenticated by a parameter in
> the query string) that calls my API from JavaScript!
>
> In what conditions does this filter return a 403 error? What are
> the headers involved when that happens? How can I avoid this
> problem? Where (on the internet) can I learn more about this
> specific problem?

CORS basically doesn't work with Internet Explorer < 10.

IE < 8, and CORS does not work at all.
IE 8 - Microsoft has a 'special mechanism' for CORS
IE 9 - Microsoft breaks the 'special mechanism'
IE 10 - Microsoft tells people to use CORS

http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx

. . . been there, fought that

/mde/

> Thanks Mark!
>
>> -----Original Message-----
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Friday, 06 February 2015 04:47 a.m.
>> To: Tomcat Users List
>> Subject: Re: Sporadic HTTP 403 returned by Tomcat when this
>> should not happen ever. How to find out why this happens?
>>
>> On 05/02/2015 23:14, Brian wrote:
>>> Hello David,
>>>
>>> No, it is not the case. No exceptions whatsoever. And about
>>> 1/100 (or less) of the requests return a 403 to the users, and
>>> all those requests are doing the same thing.
>>>
>>> Thanks a lot for your help!
>>
>> Is any authentication configured for this web application?
>>
>> What filters are configured (the CORS filter might return a 403
>> for example)?
>>
>> Mark
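
One way to check the Internet Explorer explanation against the server's own access log, as an added example that is not part of the original thread: it counts 403 responses per browser family so you can see whether they cluster on IE < 10. It assumes the access log is written in the `combined` pattern; the log lines, host names and the helper names `browser_bucket` and `forbidden_by_bucket` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the "combined" access-log layout (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [06/Feb/2015:02:10:01 -0500] "GET /api/items?u=demo HTTP/1.1" 200 512 "http://shop.example/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
198.51.100.8 - - [06/Feb/2015:02:10:04 -0500] "POST /api/items?u=demo HTTP/1.1" 403 - "http://shop.example/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
198.51.100.9 - - [06/Feb/2015:02:10:09 -0500] "GET /api/items?u=demo HTTP/1.1" 403 - "http://shop.example/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
198.51.100.8 - - [06/Feb/2015:02:11:30 -0500] "GET /api/items?u=demo HTTP/1.1" 200 512 "http://shop.example/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
203.0.113.5 - - [06/Feb/2015:02:12:02 -0500] "GET /api/items?u=demo HTTP/1.1" 200 512 "http://shop.example/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36"
203.0.113.20 - - [06/Feb/2015:02:12:40 -0500] "GET /api/items?u=demo HTTP/1.1" 200 512 "-" "Java/1.7.0_75"
"""

# request line, status, bytes, referer, user agent (the tail of a combined-format line)
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
MSIE_RE = re.compile(r"MSIE (\d+)\.")


def browser_bucket(agent):
    """Classify a User-Agent string into the families the reply distinguishes."""
    m = MSIE_RE.search(agent)
    if m:
        return "IE < 10" if int(m.group(1)) < 10 else "IE >= 10"
    # IE 11 sends no MSIE token, so it is counted under "other browser" here.
    if "Mozilla/" in agent:
        return "other browser"
    return "non-browser client"


def forbidden_by_bucket(log_text):
    """Return {bucket: (number of 403 responses, total requests)}."""
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not in the assumed layout
        entry = counts[browser_bucket(m.group("agent"))]
        entry[1] += 1
        if m.group("status") == "403":
            entry[0] += 1
    return {bucket: tuple(pair) for bucket, pair in counts.items()}


if __name__ == "__main__":
    for bucket, (denied, total) in sorted(forbidden_by_bucket(SAMPLE_LOG).items()):
        print(f"{bucket:20s} {denied}/{total} requests returned 403")
```

User-Agent strings are client-supplied, so treat the grouping as a hint about where the 403s come from rather than proof.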