SCENARIO:

Frontend: Angular application living in NGINX

Backend: Java application living in Tomcat 8.5

The frontend needs to call the backend REST API. As far as I understand, I need to allow CORS for this to happen, so I went through the Tomcat documentation and added the CORS filter to web.xml:

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>http://dev.retex.global</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Connection,Host</param-value>
    </init-param>
    <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Then I restarted the Tomcat service.

This setup is not working as expected:

$ curl -v \
> -H 'Accept: */*' \
> -H 'Accept-Encoding:gzip, deflate' \
> -H 'Accept-Language:en-US,en;q=0.9,es;q=0.8' \
> -H 'Access-Control-Request-Headers:authorization,content-type' \
> -H 'Access-Control-Request-Method:POST' \
> -H 'Connection:keep-alive' \
> -H 'Origin:http://dev.retex.global' \
> -H 'Host:dev.retex.global:8080' \
> -X OPTIONS \
> http://dev.retex.global:8080/returnitRest/rest/pickup/label
* timeout on name lookup is not supported
*   Trying 13.55.221.200...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to dev.retex.global (13.55.221.200) port 8080 (#0)
> OPTIONS /returnitRest/rest/pickup/label HTTP/1.1
> Host:dev.retex.global:8080
> User-Agent: curl/7.47.1
> Accept: */*
> Accept-Encoding:gzip, deflate
> Accept-Language:en-US,en;q=0.9,es;q=0.8
> Access-Control-Request-Headers:authorization,content-type
> Access-Control-Request-Method:POST
> Connection:keep-alive
> Origin:http://dev.retex.global
>
< HTTP/1.1 403
< Content-Type: text/plain
< Content-Length: 0
< Date: Mon, 20 Nov 2017 09:54:22 GMT
<
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host dev.retex.global left intact

QUESTION: What am I doing wrong?

masber

1 Answer

This is what I did to solve this issue:

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>http://domainA.com,https://domainA.com,http://localhost:4200</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Connection,Host,authorization</param-value>
    </init-param>
    <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Hope this helps

masber
  • So what is the point to make it work? – Mr_Thorynque Feb 14 '20 at 10:23
  • In my case the frontend (web pages in nginx) is exposed on port 443 while the backend (Java app in Tomcat) is on 8443, hence web browsers will trigger CORS: https://medium.com/swlh/how-cors-cross-origin-resource-sharing-works-79f959a84f0e – masber Feb 15 '20 at 04:59
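
An offline check of the question's preflight against the filter parameters, as an added example (not part of the original posts and not Tomcat's code). It models the three comparisons a preflight has to pass (origin, requested method, requested headers) and shows that `authorization`, sent in `Access-Control-Request-Headers`, is the entry missing from the question's `cors.allowed.headers`. The function names, the `*` handling and the case-insensitive header comparison are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three init-params from the question's web.xml.
QUESTION_XML = """<filter>
  <init-param><param-name>cors.allowed.origins</param-name>
    <param-value>http://dev.retex.global</param-value></init-param>
  <init-param><param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value></init-param>
  <init-param><param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Connection,Host</param-value></init-param>
</filter>"""

# Preflight headers taken from the curl call in the question.
PREFLIGHT = {
    "Origin": "http://dev.retex.global",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "authorization,content-type",
}

def load_params(filter_xml):
    """Return {param-name: [comma-separated values]} for a <filter> element."""
    params = {}
    for ip in ET.fromstring(filter_xml).iter("init-param"):
        name = ip.findtext("param-name").strip()
        value = ip.findtext("param-value") or ""
        params[name] = [v.strip() for v in value.split(",") if v.strip()]
    return params

def preflight_problems(params, request):
    """List the reasons this preflight would be refused; empty means it passes."""
    problems = []
    origins = params.get("cors.allowed.origins", [])
    origin = request.get("Origin", "")
    if "*" not in origins and origin not in origins:
        problems.append("origin not allowed: " + origin)
    method = request.get("Access-Control-Request-Method", "").strip()
    if method not in params.get("cors.allowed.methods", []):
        problems.append("method not allowed: " + method)
    # Assumption of this model: header names are compared case-insensitively.
    allowed = {h.lower() for h in params.get("cors.allowed.headers", [])}
    asked = request.get("Access-Control-Request-Headers", "").lower()
    for h in filter(None, (x.strip() for x in asked.split(","))):
        if h not in allowed:
            problems.append("header not allowed: " + h)
    return problems

def with_header(params, header):
    """Return a copy of params with one more entry in cors.allowed.headers."""
    merged = params.get("cors.allowed.headers", []) + [header]
    return {**params, "cors.allowed.headers": merged}
```

Calling `preflight_problems(load_params(QUESTION_XML), PREFLIGHT)` reports only the `authorization` header; after `with_header(..., "authorization")`, which mirrors the change in the answer, the list is empty.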