
CORS filter not applied to login webscript

Question asked by mathias.lin on Aug 13, 2015
Latest reply on Aug 12, 2016 by mlagneaux
In Alfresco 5.0.d, I enabled the CORS filter in the web.xml as below.


<!-- CORS Filter Mappings Begin -->
   <filter-mapping>
      <filter-name>CORS</filter-name>
      <url-pattern>/api/*</url-pattern>
      <url-pattern>/service/*</url-pattern>
      <url-pattern>/s/*</url-pattern>
      <url-pattern>/cmisbrowser/*</url-pattern>
   </filter-mapping>
   <!-- CORS Filter Mappings End -->

   <!-- CORS Filter Begin -->
   <filter>
      <filter-name>CORS</filter-name>
      <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
      <init-param>
         <param-name>cors.allowGenericHttpRequests</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.allowOrigin</param-name>
         <!-- <param-value>http://localhost:3000 http://localhost:8081 http://localhost:8080 https://localhost</param-value> -->
         <param-value>*</param-value>
      </init-param>
      <init-param>
         <param-name>cors.allowSubdomains</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.supportedMethods</param-name>
         <param-value>GET, HEAD, POST, PUT, DELETE, OPTIONS</param-value>
      </init-param>
      <init-param>
         <param-name>cors.supportedHeaders</param-name>
         <param-value>origin, authorization, x-file-size, x-file-name, content-type, accept, x-file-type</param-value>
      </init-param>
      <init-param>
         <param-name>cors.supportsCredentials</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.maxAge</param-name>
         <param-value>3600</param-value>
      </init-param>
   </filter>
   <!-- CORS Filter End -->


When I use curl to call two different Alfresco URLs, which are almost identical:

1. http://localhost:8080/alfresco/service/api/login
2. http://localhost:8080/alfresco/service/api/whatever

while simulating an external origin, I find that one returns an Access-Control-Allow-Origin response header as expected, and the other does not.

1. http://localhost:8080/alfresco/service/api/login:


curl -H "Origin: http://www.someotherhost.com" --verbose "http://localhost:8080/alfresco/service/api/login"

*   Trying ::1…
* Connected to localhost (::1) port 8080 (#0)
> GET /alfresco/service/api/login HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.43.0
> Accept: */*
> Origin: http://www.someotherhost.com
>
< HTTP/1.1 400 Bad Request
< Server: Apache-Coyote/1.1
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Pragma: no-cache
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Thu, 13 Aug 2015 12:49:46 GMT
< Connection: close
<


2. http://localhost:8080/alfresco/service/api/whatever:


curl -H "Origin: http://www.someotherhost.com" --verbose "http://localhost:8080/alfresco/service/api/whatever"

*   Trying ::1…
* Connected to localhost (::1) port 8080 (#0)
> GET /alfresco/service/api/whatever HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.43.0
> Accept: */*
> Origin: http://www.someotherhost.com
>
< HTTP/1.1 404 Not Found
< Server: Apache-Coyote/1.1
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: http://www.someotherhost.com
< Vary: Origin
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Pragma: no-cache
< Content-Type: text/html;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Thu, 13 Aug 2015 12:52:15 GMT
<


I don't understand why the /login URL behaves differently than the /whatever URL. They should both be covered by the CORS filter via <url-pattern>/service/*</url-pattern>.


Update:

I also tried the CORS filter of Tomcat instead, same result.


<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
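
A repeatable form of the comparison in the post, as an added example that is not part of the original post: the shell function `cors_classify` (a hypothetical name) reads `curl --verbose` output and reports which CORS headers came back for the probe origin. The two sample transcripts are constructed by abridging the responses shown above so the script runs offline.

```shell
#!/bin/sh
# cors_classify ORIGIN: reads `curl --verbose` output on stdin and classifies it.
# Live use (URL is an assumption): curl --silent --verbose --output /dev/null \
#     -H "Origin: $o" "$url" 2>&1 | cors_classify "$o"
cors_classify() {
    awk -v origin="$1" '
        /^< / {                                   # "< " marks response header lines
            line = substr($0, 3); sub(/\r$/, "", line)
            sep = index(line, ":"); if (sep == 0) next    # status line has no colon
            name = tolower(substr(line, 1, sep - 1))
            value = substr(line, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == "access-control-allow-origin") acao = value
            if (name == "access-control-allow-credentials") acac = tolower(value)
        }
        END {
            # An origin you never allow-listed coming back "with-credentials"
            # means credentialed cross-origin reads are open to any site.
            if (acao == "") print "no-cors-headers"
            else if (acao == "*") print "wildcard"
            else if (acao == origin && acac == "true") print "origin-allowed-with-credentials"
            else if (acao == origin) print "origin-allowed"
            else print "other-origin"
        }'
}

# Constructed samples, abridged from the two transcripts in the post.
sample_login() {
    cat <<'EOF'
> GET /alfresco/service/api/login HTTP/1.1
> Origin: http://www.someotherhost.com
< HTTP/1.1 400 Bad Request
< Content-Type: application/json;charset=UTF-8
EOF
}
sample_whatever() {
    cat <<'EOF'
> GET /alfresco/service/api/whatever HTTP/1.1
> Origin: http://www.someotherhost.com
< HTTP/1.1 404 Not Found
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: http://www.someotherhost.com
< Vary: Origin
EOF
}

PROBE_ORIGIN="http://www.someotherhost.com"
for s in login whatever; do
    printf '%s: %s\n' "$s" "$(sample_$s | cors_classify "$PROBE_ORIGIN")"
done
```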
