Bug 62761

Summary: CORS filter example in docs not working in versions since 9.0.9
Product: Tomcat 9
Reporter: Sreenivasan <sreeganti72>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: normal
CC: weston.sam
Priority: P2
Version: 9.0.12
Target Milestone: -----
Hardware: PC
OS: All
Attachments: Attaching tomcat log for Cors Filter issue

Description Sreenivasan 2018-09-26 09:31:45 UTC
For the CORS configuration as specified in the documentation in web.xml:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>


I get the following error printed in the log file:

26-Sep-2018 14:43:52.535 SEVERE [main] org.apache.catalina.core.StandardContext.filterStart Exception starting filter [CorsFilter]
 javax.servlet.ServletException: It is not allowed to configure supportsCredentials=[true] when allowedOrigins=[*]
	at org.apache.catalina.filters.CorsFilter.parseAndStore(CorsFilter.java:759)
	at org.apache.catalina.filters.CorsFilter.init(CorsFilter.java:183)
	at javax.servlet.GenericFilter.init(GenericFilter.java:61)
	at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:270)
	at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:251)
	at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:102)
	at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4491)
	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5135)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:743)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:719)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:703)
	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1141)
	at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1876)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
	at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
	at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:1053)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:428)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1585)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:308)
	at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
	at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:424)
	at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:367)
	at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:969)
	at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:839)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1429)
	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1419)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
	at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
	at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:944)
	at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:261)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.StandardService.startInternal(StandardService.java:422)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:770)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:682)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:350)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)


This filter used to work in the Tomcat 8.33 version.
Comment 1 Sreenivasan 2018-09-26 09:34:03 UTC
Created attachment 36164 [details]
Attaching tomcat log for Cors Filter issue
Comment 2 Konstantin Kolinko 2018-09-26 13:42:55 UTC
Your configuration is insecure and exposes you to the issue specified in CVE-2018-8014 (bug 62343).

This is no longer allowed.

BTW, the "more advanced configuration" example at [1](9.0.12) [2](nightly) suffers from the same issue as your configuration and should be updated.

[1] http://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Add_Default_Character_Set_Filter/Initialisation_parameters
[2] https://ci.apache.org/projects/tomcat/tomcat9/docs/config/filter.html#CORS_Filter
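The following is an added illustration, not code from the bug report or from Tomcat's CorsFilter: a small model of the init-time check named in the log message (refusing a wildcard origin together with credentials) and of the response headers such a filter emits once an explicit origin list is configured instead. The init-param names are the ones from the web.xml above; the two origins in FIXED_PARAMS and the helper names are constructed placeholders. Tomcat's own filter also handles preflight, methods and headers, which this model leaves out.

```python
"""Model of a CORS filter's init-time validation and its response-header
decision. Written as an illustration for this bug; it is not Tomcat's
CorsFilter and mirrors only the rule quoted in the startup log.
"""
from dataclasses import dataclass


class ConfigError(Exception):
    """Raised at filter initialisation, like the ServletException in the log."""


@dataclass(frozen=True)
class CorsPolicy:
    allowed_origins: frozenset
    any_origin_allowed: bool
    support_credentials: bool


def parse_and_store(init_params):
    """Turn web.xml-style init-params into a CorsPolicy, or refuse them.

    A wildcard origin combined with credentials is refused: browsers reject
    "Access-Control-Allow-Origin: *" on credentialed responses, so the only
    way to honour such a config would be to echo the request's Origin back,
    which hands every site credentialed access (the issue behind CVE-2018-8014).
    """
    raw_origins = init_params.get("cors.allowed.origins", "*")
    origins = frozenset(o.strip() for o in raw_origins.split(",") if o.strip())
    any_origin = "*" in origins
    creds = init_params.get("cors.support.credentials", "false").strip().lower() == "true"
    if any_origin and creds:
        raise ConfigError(
            "It is not allowed to configure supportsCredentials=[true] "
            "when allowedOrigins=[*]")
    return CorsPolicy(origins, any_origin, creds)


def cors_response_headers(policy, request_origin):
    """Headers a simple (non-preflight) cross-origin response would carry.

    An empty dict means the origin is not permitted: no CORS headers are
    added and the browser blocks the response on its side.
    """
    if request_origin is None:
        return {}
    if policy.any_origin_allowed:
        # Wildcard is only reachable without credentials (see parse_and_store).
        return {"Access-Control-Allow-Origin": "*"}
    if request_origin not in policy.allowed_origins:
        return {}
    # Echo the origin only because it is on the explicit allow-list; Vary
    # keeps shared caches from serving one origin's answer to another.
    headers = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if policy.support_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Constructed init-params. BROKEN_PARAMS mirrors the two offending parameters
# from the bug's web.xml; FIXED_PARAMS is the corrected form, with an explicit
# origin list (placeholder hostnames) in place of "*".
BROKEN_PARAMS = {"cors.allowed.origins": "*", "cors.support.credentials": "true"}
FIXED_PARAMS = {
    "cors.allowed.origins": "https://app.example.com,https://admin.example.com",
    "cors.support.credentials": "true",
}


def startup_result(init_params):
    """Return 'started', or the init error message as the log would show it."""
    try:
        parse_and_store(init_params)
        return "started"
    except ConfigError as err:
        return str(err)


if __name__ == "__main__":
    print(startup_result(BROKEN_PARAMS))
    policy = parse_and_store(FIXED_PARAMS)
    print(cors_response_headers(policy, "https://app.example.com"))
    print(cors_response_headers(policy, "https://other.example.net"))
```

Running it prints the same refusal message the log shows for the wildcard-plus-credentials config, then a credentialed allow for a listed origin and no CORS headers at all for an unlisted one, which is the behaviour an explicit origin list gives you in place of `*`.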
Comment 3 Sam Weston 2018-10-02 13:37:22 UTC
I can confirm that this is definitely a bug in this documentation page in tomcat 7, 8 and 9. The CORS behaviour has been changed but not this part of the docs.

https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#CORS_Filter

The broken example is under "Here's an example of a more advanced configuration, that overrides defaults:"
Comment 4 Mark Thomas 2018-10-04 14:34:03 UTC
Fixed in:
- trunk for 9.0.13 onwards
- 8.5.x for 8.5.35 onwards
- 7.0.x for 7.0.92 onwards