
CORS filter not applied to login webscript

mathias_lin
Star Contributor
In Alfresco 5.0.d, I enabled the CORS filter in the web.xml as below.


<!-- CORS Filter Mappings Begin -->
   <filter-mapping>
      <filter-name>CORS</filter-name>
      <url-pattern>/api/*</url-pattern>
      <url-pattern>/service/*</url-pattern>
      <url-pattern>/s/*</url-pattern>
      <url-pattern>/cmisbrowser/*</url-pattern>
   </filter-mapping>
   <!-- CORS Filter Mappings End -->

   <!-- CORS Filter Begin -->
   <filter>
      <filter-name>CORS</filter-name>
      <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
      <init-param>
         <param-name>cors.allowGenericHttpRequests</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.allowOrigin</param-name>
         <!-- <param-value>http://localhost:3000 http://localhost:8081 http://localhost:8080 https://localhost</param-value> -->
         <param-value>*</param-value>
      </init-param>
      <init-param>
         <param-name>cors.allowSubdomains</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.supportedMethods</param-name>
         <param-value>GET, HEAD, POST, PUT, DELETE, OPTIONS</param-value>
      </init-param>
      <init-param>
         <param-name>cors.supportedHeaders</param-name>
         <param-value>origin, authorization, x-file-size, x-file-name, content-type, accept, x-file-type</param-value>
      </init-param>
      <init-param>
         <param-name>cors.supportsCredentials</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.maxAge</param-name>
         <param-value>3600</param-value>
      </init-param>
   </filter>
   <!-- CORS Filter End -->


When I use curl to call two different Alfresco URLs, which are almost identical:

1. http://localhost:8080/alfresco/service/api/login
2. http://localhost:8080/alfresco/service/api/whatever

while simulating an external origin, I find that one returns an Access-Control-Allow-Origin response header as expected, and the other does not.

1. http://localhost:8080/alfresco/service/api/login:


curl -H "Origin: http://www.someotherhost.com" --verbose "http://localhost:8080/alfresco/service/api/login"

*   Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> GET /alfresco/service/api/login HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.43.0
> Accept: */*
> Origin: http://www.someotherhost.com
>
< HTTP/1.1 400 Bad Request
< Server: Apache-Coyote/1.1
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Pragma: no-cache
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Thu, 13 Aug 2015 12:49:46 GMT
< Connection: close
<


2. http://localhost:8080/alfresco/service/api/whatever:


curl -H "Origin: http://www.someotherhost.com" --verbose "http://localhost:8080/alfresco/service/api/whatever"

*   Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> GET /alfresco/service/api/whatever HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.43.0
> Accept: */*
> Origin: http://www.someotherhost.com
>
< HTTP/1.1 404 Not Found
< Server: Apache-Coyote/1.1
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: http://www.someotherhost.com
< Vary: Origin
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Pragma: no-cache
< Content-Type: text/html;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Thu, 13 Aug 2015 12:52:15 GMT
<


I don't understand why the /login URL behaves differently than the /whatever URL. They should both be covered by the CORS filter via <url-pattern>/service/*</url-pattern>.


Update:

I also tried the CORS filter of Tomcat instead, same result.


<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

4 REPLIES

raghav_bhardwaj
Champ on-the-rise

Thanks for the info. Another workaround is to use POST instead of GET for the login, since the login API allows both HTTP methods.

However, I experience the same issue now with the file upload API (POST method), and for that I do not have a workaround - other than having to write my own AbstractWebScript.

wabson
Star Contributor
Hi, I added some comments to https://issues.alfresco.com/jira/browse/ALF-21420 which appears to describe this issue pretty well. The Tomcat filter will not work when the response subsequently gets reset as is the case here, but the authors of the filter provided with Alfresco have put a helpful wrapper in place to prevent this resetting the CORS headers.

If you want to patch your existing installation (at your own risk!) then you'll need to remove the supplied cors-filter-1.9.3.jar from WEB-INF/lib and add in a newer version - I found the latest 2.5 version worked fine.

See https://bitbucket.org/thetransactioncompany/cors-filter for info. The downloads there do not seem to have been updated recently but I found 2.5 easily enough via Maven Central - http://search.maven.org/#search|ga|1|a%3A%22cors-filter%22%20g%3Acom.thetransactioncompany

Cheers,
Will
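
A repeatable form of the curl comparison from the question, for confirming the result before and after changing the filter jar (added example, not part of the original posts; `cors_verdict`, `check_url` and the verdict labels are assumed names). It also flags the pattern visible in the /whatever response, where the request's Origin is echoed back together with Access-Control-Allow-Credentials: true.

```shell
#!/bin/sh
# Added example. Classify the CORS behaviour of one response from its headers.
# stdin: header dump (curl -D - or curl --verbose output); $1: the Origin sent.
cors_verdict() {
    awk -v origin="$1" '
        {
            sub(/\r$/, "")   # strip the CR of CRLF line endings
            sub(/^< /, "")   # response-header prefix used by curl --verbose
        }
        tolower($0) ~ /^access-control-allow-origin:/ {
            acao = $0; sub(/^[^:]*:[ \t]*/, "", acao)
        }
        tolower($0) ~ /^access-control-allow-credentials:/ {
            acac = $0; sub(/^[^:]*:[ \t]*/, "", acac); acac = tolower(acac)
        }
        END {
            if (acao == "")                            print "missing"
            else if (acao == origin && acac == "true") print "reflected-with-credentials"
            else if (acao == "*")                      print "wildcard"
            else if (acao == origin)                   print "allowed"
            else                                       print "mismatch"
        }'
}

# Live check against a running server (hypothetical helper; needs curl).
check_url() {
    curl -s -o /dev/null -D - -H "Origin: $2" "$1" | cors_verdict "$2"
}

# Constructed samples, abridged from the two responses shown in the question.
sample_login() {
    printf '%s\r\n' 'HTTP/1.1 400 Bad Request' 'Server: Apache-Coyote/1.1' \
        'Cache-Control: no-cache' 'Content-Type: application/json;charset=UTF-8' \
        'Connection: close' ''
}
sample_whatever() {
    printf '%s\r\n' 'HTTP/1.1 404 Not Found' 'Server: Apache-Coyote/1.1' \
        'Access-Control-Allow-Credentials: true' \
        'Access-Control-Allow-Origin: http://www.someotherhost.com' \
        'Vary: Origin' 'Content-Type: text/html;charset=UTF-8' ''
}

origin='http://www.someotherhost.com'
echo "/service/api/login    -> $(sample_login | cors_verdict "$origin")"
echo "/service/api/whatever -> $(sample_whatever | cors_verdict "$origin")"
```

A `reflected-with-credentials` verdict means the server accepts credentialed cross-origin requests from whatever origin asks; the explicit origin list that is commented out in the question's `cors.allowOrigin` setting is the narrower configuration.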

mlagneaux
Champ on-the-rise
Hi,

I'm using the All-in-One archetype of the latest version of the Alfresco Maven SDK. Is there a way (probably in the pom.xml of the "alfresco-repo-amp" module) to replace cors-filter-1.9.3.jar with cors-filter-2.5.jar on the test server started from Maven?