2015-09-26 48 views

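Tomcat CORS: preflight succeeds, but the actual request fails with 403 Forbidden

My REST services are deployed under Tomcat 7.0.64 (http://localhost:8080/xxx). I call these services using a JavaScript library from HTML pages. These HTML pages are served from another origin (http://localhost:9090/html/yyy.html).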

To enable cross-origin requests, I have configured CorsFilter in web.xml on the server as follows:

<filter> 
    <filter-name>CorsFilter</filter-name> 
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class> 
    <init-param> 
     <param-name>cors.allowed.origins</param-name> 
     <param-value>*</param-value> 
    </init-param> 
    <init-param> 
     <param-name>cors.allowed.methods</param-name> 
     <param-value>GET,POST,HEAD,OPTIONS,PUT,PATCH,DELETE</param-value> 
    </init-param> 
    <init-param> 
     <param-name>cors.allowed.headers</param-name> 
     <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-CUSTOM1,X-CUSTOM2,X-CUSTOM3</param-value> 
    </init-param> 
    <init-param> 
     <param-name>cors.exposed.headers</param-name> 
     <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,X-CUSTOM3</param-value> 
    </init-param> 
    <init-param> 
     <param-name>cors.support.credentials</param-name> 
     <param-value>true</param-value> 
    </init-param> 
    <init-param> 
     <param-name>cors.preflight.maxage</param-name> 
     <param-value>10</param-value> 
    </init-param> 
</filter> 
<filter-mapping> 
    <filter-name>CorsFilter</filter-name> 
    <url-pattern>*</url-pattern> 
</filter-mapping> 

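As you can see from the RequestDumper output below, the preflight request from the browser gets a successful response (200). However, the actual request that follows fails with 403 Forbidden: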

Preflight request and response

http-apr-8080-exec-6 =============================================================== 
http-apr-8080-exec-8 START TIME  =26-Sep-2015 21:28:53 
http-apr-8080-exec-8   requestURI=/xxxx/zzzz 
http-apr-8080-exec-8   authType=null 
http-apr-8080-exec-8 characterEncoding=null 
http-apr-8080-exec-8  contentLength=-1 
http-apr-8080-exec-8  contentType=null 
http-apr-8080-exec-8  contextPath=/xxxx 
http-apr-8080-exec-8    header=host=localhost:8080 
http-apr-8080-exec-8    header=connection=keep-alive 
http-apr-8080-exec-8    header=pragma=no-cache 
http-apr-8080-exec-8    header=cache-control=no-cache 
http-apr-8080-exec-8    header=access-control-request-method=POST 
http-apr-8080-exec-8    header=origin=http://localhost:9090 
http-apr-8080-exec-8    header=user-agent=Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.42 Safari/537.36 
http-apr-8080-exec-8    header=access-control-request-headers=x-custom1, x-custom2 
http-apr-8080-exec-8    header=accept=*/* 
http-apr-8080-exec-8    header=referer=http://localhost:9090/html/yyyy.html 
http-apr-8080-exec-8    header=accept-encoding=gzip, deflate, sdch 
http-apr-8080-exec-8    header=accept-language=en-US,en;q=0.8,ta;q=0.6 
http-apr-8080-exec-8    locale=en_US 
http-apr-8080-exec-8    method=OPTIONS 
http-apr-8080-exec-8   pathInfo=null 
http-apr-8080-exec-8   protocol=HTTP/1.1 
http-apr-8080-exec-8  queryString=null 
http-apr-8080-exec-8   remoteAddr=127.0.0.1 
http-apr-8080-exec-8   remoteHost=127.0.0.1 
http-apr-8080-exec-8   remoteUser=null 
http-apr-8080-exec-8 requestedSessionId=null 
http-apr-8080-exec-8    scheme=http 
http-apr-8080-exec-8   serverName=localhost 
http-apr-8080-exec-8   serverPort=8080 
http-apr-8080-exec-8  servletPath=/zzzz 
http-apr-8080-exec-8   isSecure=false 
http-apr-8080-exec-8 ------------------=-------------------------------------------- 
http-apr-8080-exec-8 ------------------=-------------------------------------------- 
http-apr-8080-exec-8   authType=null 
http-apr-8080-exec-8  contentType=null 
http-apr-8080-exec-8    header=Access-Control-Allow-Origin=http://localhost:9090 
http-apr-8080-exec-8    header=Access-Control-Allow-Credentials=true 
http-apr-8080-exec-8    header=Access-Control-Max-Age=10 
http-apr-8080-exec-8    header=Access-Control-Allow-Methods=POST 
http-apr-8080-exec-8    header=Access-Control-Allow-Headers=content-type,x-custom1,access-control-request-headers,accept,access-control-request-method,x-custom2,origin,x-custom3,x-requested-with 
http-apr-8080-exec-8   remoteUser=null 
http-apr-8080-exec-8    status=200 
http-apr-8080-exec-8 END TIME   =26-Sep-2015 21:28:53 
http-apr-8080-exec-8 =============================================================== 

Actual request and response - this fails with 403 Forbidden

http-apr-8080-exec-9 START TIME  =26-Sep-2015 21:28:53 
http-apr-8080-exec-9   requestURI=/xxxx/zzzz 
http-apr-8080-exec-9   authType=null 
http-apr-8080-exec-9 characterEncoding=null 
http-apr-8080-exec-9  contentLength=0 
http-apr-8080-exec-9  contentType=null 
http-apr-8080-exec-9  contextPath=/xxxx 
http-apr-8080-exec-9    header=host=localhost:8080 
http-apr-8080-exec-9    header=connection=keep-alive 
http-apr-8080-exec-9    header=content-length=0 
http-apr-8080-exec-9    header=pragma=no-cache 
http-apr-8080-exec-9    header=cache-control=no-cache 
http-apr-8080-exec-9    header=origin=http://localhost:9090 
http-apr-8080-exec-9    header=x-custom1=aaaaa 
http-apr-8080-exec-9    header=x-custom2=bbbbb 
http-apr-8080-exec-9    header=user-agent=Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.42 Safari/537.36 
http-apr-8080-exec-9    header=accept=*/* 
http-apr-8080-exec-9    header=referer=http://localhost:9090/html/yyyy.html 
http-apr-8080-exec-9    header=accept-encoding=gzip, deflate 
http-apr-8080-exec-9    header=accept-language=en-US,en;q=0.8,ta;q=0.6 
http-apr-8080-exec-9    locale=en_US 
http-apr-8080-exec-9    method=POST 
http-apr-8080-exec-9   pathInfo=null 
http-apr-8080-exec-9   protocol=HTTP/1.1 
http-apr-8080-exec-9  queryString=null 
http-apr-8080-exec-9   remoteAddr=127.0.0.1 
http-apr-8080-exec-9   remoteHost=127.0.0.1 
http-apr-8080-exec-9   remoteUser=null 
http-apr-8080-exec-9 requestedSessionId=null 
http-apr-8080-exec-9    scheme=http 
http-apr-8080-exec-9   serverName=localhost 
http-apr-8080-exec-9   serverPort=8080 
http-apr-8080-exec-9  servletPath=/zzzz 
http-apr-8080-exec-9   isSecure=false 
http-apr-8080-exec-9 ------------------=-------------------------------------------- 
http-apr-8080-exec-9 ------------------=-------------------------------------------- 
http-apr-8080-exec-9   authType=null 
http-apr-8080-exec-9  contentType=text/plain 
http-apr-8080-exec-9   remoteUser=null 
http-apr-8080-exec-9    status=403 
http-apr-8080-exec-9 END TIME   =26-Sep-2015 21:28:53 
http-apr-8080-exec-9 =============================================================== 

I am using Chrome as my browser.

I would like to know: is it possible for the actual response to be 403 Forbidden when the preflight request has succeeded?

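Also, please note that I have tested sending this same request from the Chrome plugin Postman, and I am able to get the expected response successfully, without the 403 error.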

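I went through the flow given in the Tomcat CORSFilter flowchart. It is not clear to me what is going wrong here. I would appreciate your help in solving the issue. Thanks.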


I tried logging with Tomcat in wso2 das 3.10, but I failed. log4j.properties: org.apache.catalina.filters=DEBUG What are your logging settings? – shuttle
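
Separately from the 403, the configuration in the question pairs cors.allowed.origins set to * with cors.support.credentials set to true, and the preflight dump shows the filter returning the caller's own origin (Access-Control-Allow-Origin=http://localhost:9090) together with Access-Control-Allow-Credentials=true; a wildcard origin list combined with credentials lets pages from any origin make credentialed requests to the services. The fragment below is an added example, not part of the original question or of Tomcat's documentation: it keeps the question's parameters and lists the calling origin explicitly. That http://localhost:9090 is the only origin needing access is an assumption.

```xml
<!-- Added example: the question's CorsFilter with an explicit origin list. -->
<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <!-- Was "*" in the question. Assumption: the pages served from
             http://localhost:9090 are the only cross-origin caller; further
             origins are added as a comma-separated list. -->
        <param-value>http://localhost:9090</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,HEAD,OPTIONS,PUT,PATCH,DELETE</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-CUSTOM1,X-CUSTOM2,X-CUSTOM3</param-value>
    </init-param>
    <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,X-CUSTOM3</param-value>
    </init-param>
    <init-param>
        <param-name>cors.support.credentials</param-name>
        <!-- Keep "true" only if the services rely on cookies or HTTP
             authentication sent by the browser; otherwise set "false". -->
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.preflight.maxage</param-name>
        <param-value>10</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>*</url-pattern>
</filter-mapping>
```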
