for the CORS configuration as specified in the documentation in web.xml:

  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>*</param-value>
    </init-param>
    <init-param>
      <param-name>cors.allowed.methods</param-name>
      <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
    </init-param>
    <init-param>
      <param-name>cors.allowed.headers</param-name>
      <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
    </init-param>
    <init-param>
      <param-name>cors.exposed.headers</param-name>
      <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>cors.preflight.maxage</param-name>
      <param-value>10</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

I get the following error printed in the log file:

  26-Sep-2018 14:43:52.535 SEVERE [main] org.apache.catalina.core.StandardContext.filterStart Exception starting filter [CorsFilter]
  javax.servlet.ServletException: It is not allowed to configure supportsCredentials=[true] when allowedOrigins=[*]
    at org.apache.catalina.filters.CorsFilter.parseAndStore(CorsFilter.java:759)
    at org.apache.catalina.filters.CorsFilter.init(CorsFilter.java:183)
    at javax.servlet.GenericFilter.init(GenericFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:270)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:251)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:102)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4491)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5135)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:743)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:719)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:703)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1141)
    at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1876)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
    at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:1053)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:428)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1585)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:308)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:424)
    at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:367)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:969)
    at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:839)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1429)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1419)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
    at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:944)
    at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:261)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:422)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:770)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:682)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:350)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)

This filter used to work in the Tomcat 8.33 version.
Created attachment 36164: Attaching Tomcat log for CORS Filter issue
Your configuration is insecure and exposes you to the issue specified in CVE-2018-8014 (bug 62343). This is no longer allowed.

BTW, the "more advanced configuration" example at [1] (9.0.12) and [2] (nightly) suffers from the same issue as your configuration and should be updated.

[1] http://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Add_Default_Character_Set_Filter/Initialisation_parameters
[2] https://ci.apache.org/projects/tomcat/tomcat9/docs/config/filter.html#CORS_Filter
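As an added audit script (not from this bug report or from Tomcat itself), the following Python check parses a web.xml, finds every CorsFilter declaration and flags the wildcard-origin combinations discussed in the comment above, including the case where cors.support.credentials is left at its default. The sample web.xml, its filter names and the https://app.example.com origin are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

def _local(tag):
    # web.xml normally declares a default namespace; compare local names only
    return tag.rsplit("}", 1)[-1]
def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""
def cors_filter_params(web_xml_text):
    """Map each CorsFilter's <filter-name> to its init-param name/value pairs."""
    filters = {}
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) != "filter" or _child_text(elem, "filter-class") != CORS_FILTER_CLASS:
            continue
        params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                  for p in elem if _local(p.tag) == "init-param"}
        filters[_child_text(elem, "filter-name")] = params
    return filters
def audit_cors(params):
    """Findings for one CorsFilter's init-params; an empty list means nothing to flag."""
    origins = {o.strip() for o in params.get("cors.allowed.origins", "").split(",")}
    creds = params.get("cors.support.credentials")  # None when the parameter is absent
    findings = []
    if "*" in origins and creds is None:
        findings.append("'*' relies on the cors.support.credentials default ('true' before the CVE-2018-8014 fix)")
    elif "*" in origins and creds.lower() == "true":
        findings.append("'*' with cors.support.credentials=true: Tomcat now refuses to start the filter")
    elif "*" in origins:
        findings.append("'*' without credentials: acceptable only for responses that are public anyway")
    return findings

def audit_web_xml(web_xml_text):
    return {name: audit_cors(p) for name, p in cors_filter_params(web_xml_text).items()}
# Constructed sample: the reporter's weak filter beside a hardened one with an explicit origin.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
 <filter><filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param><param-name>cors.allowed.origins</param-name><param-value>*</param-value></init-param>
  <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
 </filter>
 <filter><filter-name>CorsFilterFixed</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param><param-name>cors.allowed.origins</param-name><param-value>https://app.example.com</param-value></init-param>
  <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
 </filter></web-app>"""
```

Running `audit_web_xml(SAMPLE_WEB_XML)` reports the startup-refusal finding for CorsFilter and nothing for CorsFilterFixed, which keeps credentials but names its origins explicitly.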
I can confirm that this is definitely a bug in this documentation page in tomcat 7, 8 and 9. The CORS behaviour has been changed but not this part of the docs. https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#CORS_Filter The broken example is under "Here's an example of a more advanced configuration, that overrides defaults:"
Fixed in:
- trunk for 9.0.13 onwards
- 8.5.x for 8.5.35 onwards
- 7.0.x for 7.0.92 onwards