3

I have an API protected by HTTP Basic Authentication.

When I want to make AJAX requests against the API, the browser send an OPTIONS request which doesn't carry the Authorization header so it gets rejected and thus my AJAX call is not allowed by the browser.

I tried to configure Tomcat to not authenticate OPTIONS requests but I've not managed to get it to work.

How can I disable HTTP Auth for OPTIONS requests in Tomcat?

MrWhite
  • 11,643
  • 4
  • 25
  • 40
4e4c52
  • 153
  • 2
  • 6

2 Answers2

1

Maybe this answer will help. In short, we have to configure Tomcat server to forward the request to the CorsFilter even when unauthenticated, using something like this:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <!-- no auth-constraint here -->
</security-constraint>

make sure you DON'T include the "auth-constraint" element. So, the following example will NOT WORK:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/><!-- this will prevent OPTIONS request -->
</security-constraint>
Mladen B.
  • 192
  • 1
  • 6
0

you must write a white list for your porpose

for more info see : Disallowing HTTP methods on Tomcat is case sensitive?