Disable HTTP Authentication for OPTIONS requests in Tomcat

Question

I have an API protected by HTTP Basic Authentication.

When I want to make AJAX requests against the API, the browser send an OPTIONS request which doesn't carry the Authorization header so it gets rejected and thus my AJAX call is not allowed by the browser.

I tried to configure Tomcat to not authenticate OPTIONS requests but I've not managed to get it to work.

How can I disable HTTP Auth for OPTIONS requests in Tomcat?

score 1 · Answer 1 · answered Aug 17 '18 at 10:21

Maybe this answer will help. In short, we have to configure Tomcat server to forward the request to the CorsFilter even when unauthenticated, using something like this:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <!-- no auth-constraint here -->
</security-constraint>

make sure you DON'T include the "auth-constraint" element. So, the following example will NOT WORK:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/><!-- this will prevent OPTIONS request -->
</security-constraint>

score 0 · Answer 2 · edited Apr 13 '17 at 12:14

0

you must write a white list for your porpose

for more info see : Disallowing HTTP methods on Tomcat is case sensitive?

edited Apr 13 '17 at 12:14

Community

1

answered Oct 01 '15 at 10:15

MohammadReza moeini

241
1
4

Hi, I don't see how this can help me with my issue. – 4e4c52 Oct 01 '15 at 10:39

Disable HTTP Authentication for OPTIONS requests in Tomcat

2 Answers2

Linked