Disable HTTP Authentication for OPTIONS requests in Tomcat

ajax authentication cors tomcat

I have an API protected by HTTP Basic Authentication.

When I want to make AJAX requests against the API, the browser send an OPTIONS request which doesn't carry the Authorization header so it gets rejected and thus my AJAX call is not allowed by the browser.

I tried to configure Tomcat to not authenticate OPTIONS requests but I've not managed to get it to work.

How can I disable HTTP Auth for OPTIONS requests in Tomcat?


Solution 1:

Maybe this answer will help. In short, we have to configure Tomcat server to forward the request to the CorsFilter even when unauthenticated, using something like this:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <!-- no auth-constraint here -->
</security-constraint>

make sure you DON'T include the "auth-constraint" element. So, the following example will NOT WORK:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/><!-- this will prevent OPTIONS request -->
</security-constraint>

Related

logrotate security
Access AWS EC2 MySQL instance remotely - Best practice
IIS Connection String not being inherited
Preventing email blasts with Exchange 2010 IP Throttling (or any other technology)
Insufficient access when trying to set machine OS attributes when joining Linux server to Active Directory
Improve RSYNC scan speed / Alternate approach?
SQL Server 2008 Copy Database Wizard: Fail
What filesystem comes closest to matching NTFS for support of ACLs, and highly-granular permissioning?
Linux as a gateway (no NAT)
Small business VPN solution [closed]
Nginx Load Balance / Proxy to Upstream with Path / Rewrite
ELB health checks for freshly launched EC2 instances not working