JasperReports Server 8.0.0 Deployed on Tomcat CORS Errors
When calling any of the REST web services from my Angular front-end application (or via cURL), I receive a CORS error in the console window.
Access to XMLHttpRequest at 'http://<base_url>:8083/jasperserver/rest_v2/login?j_username=username&j_password=password' from origin 'http://<base_url>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I have tried other endpoints in the web services library, such as:
- {{jasper_url}}/jasperserver/rest_v2/resources?type=reportUnit
- {{jasper_url}}/jasperserver/rest_v2/reports/Reports/Case_Status.html?report_date=2022-03-07
- {{jasper_url}}/jasperserver/rest_v2/serverInfo
I have the same issue when running Angular locally or on the server where JasperReports Server is installed.
I have followed this tutorial to whitelist my server's domain, and I've also tried to whitelist all domains with "*", but with no luck, even after restarting Tomcat.
I have updated the apache-tomcat/conf/web.xml with the below config by following the answer from this Stack Overflow question, but with no luck, even after restarting Tomcat.
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
AFter the above filter was applied to Tomcat, I can confirm by using cURL to test that "Access-Control-Allow-Origin: *" is returned for http://base_url:8083, but NOT for http://base_url:8083/jasperserver. This leads me to believe that my problem is purely with JasperReports Server, and not with Tomcat at all.
Upon further investigation as detailed in this video by Dr. Jaspersoft, an OPTIONS request returns a 403, but a GET request returns a 200 and "Access-Control-Allow-Origin: *"
I've since removed the CORS filter from apache-tomcat/conf/web.xml and rather added a similar one directly to the jasperserver web app (apache-tomcat/webapps/jasperserver/WEB-INF/web.xml), where base_url is obviously replaced with teh server's URL.
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>http://base_url, https://base_url, http://localhost:8080</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,HEAD,PUT,OPTIONS,DELETE,PATCH</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Cache-Control,X-Suppress-Basic,Origin,Accept,X-Requested-With,Content-Type,Pragma,accept-timezone,withCredentials,X-Remote-Domain,X-Is-Visualize,x-jrs-base-url,Content-Disposition,Content-Description,Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Connection,Host,authorization,Options</param-value>
</init-param>
<init-param>
<param-name>cors.exposed.headers</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Authorization</param-value>
</init-param>
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.preflight.maxage</param-name>
<param-value>300</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The above CORS configuration yielded positive results when testing with cURL on the {{jasper_url}}/jasperserver/rest_v2/serverInfo endpoint, but other endpoints that require credentials are still giving CORS errors.
I can't be the only one struggling with this, so if anyone else has resolved CORS errors with later versions of JasperReports Server, please help out!
A an aside, I'm using NGINX and thought that I may be able to use that to prevent the CORS errors, simlar to the answers in this ServerFault question. However, I have not gone that far as I'm sure there must be an easier way to do this by configuring JasperReports Server.
Server information
- Operating system: Linux Debian 11
- JasperReports version: 8.0.0
- Tomcat version: 9.0.5
After MUCH trial and error, I've somewhat resolved the error.
I added the following to the /apache-tomcat/webapps/jasperserver/WEB-INF/web.xml file:
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<!-- Update allowed origins and remove localhost for non-dev environments -->
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>http://dev.greydom.com, https://dev.greydom.com, http://localhost:8080</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,HEAD,PUT,OPTIONS,DELETE,PATCH</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Cache-Control,X-Suppress-Basic,Origin,Accept,X-Requested-With,Content-Type,Pragma,accept-timezone,withCredentials,X-Remote-Domain,X-Is-Visualize,x-jrs-base-url,Content-Disposition,Content-Description,Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Connection,Host,Authorization,Options</param-value>
</init-param>
<init-param>
<param-name>cors.exposed.headers</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Authorization</param-value>
</init-param>
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.preflight.maxage</param-name>
<param-value>300</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
My only mistake was that I needed a capital A for Authorized in allowed headers.
I can now access the web services with no CORS errors
- The requested resource is not available using HelloWorld servlet
- Exposing resources from jar files in web applications (Tomcat7)
- Grails 6 on Tomcat 9 gives "The response object has been recycled and is no longer associated with this facade" after running fine for 2-3 hours
- Why is MIME type of uploaded rar files application/octet-stream and how to change it to application/rar?
- UnsupportedClassVersionError - JDKs have same version
- What does "The APR based Apache Tomcat Native library was not found" mean?
- How I return HTTP 404 JSON/XML response in JAX-RS (Jersey) on Tomcat?
- Spring Cloud Gateway returning HTML error instead of relaying service error
- Access-Control-Allow-Origin: * in tomcat
- Running sudo command from Tomcat servlet
- Are multiple requests handled by single thread in Spring Boot until certain requests threshold is reached?
- Java and Tomcat - CodeCache is full. Compiler has been disabled
- jakarta.servlet.ServletException: java.lang.NoClassDefFoundError: javax/servlet/jsp/tagext/TagLibraryValidator
- Tomcat 8: How to overcome common error: The CATALINA_HOME environment variable is not defined correctly
- Wait until tomcat finishes starting up
- Struts2 <filter> and <filter-mapping> causing error
- How to install and use CDI on Tomcat?
- Spring Boot application failed to start when tomcat version is set
- Unable to create a breakpoint in Eclipse and Tomcat
- Running a Java application deployed as WAR on Tomcat server
- getting, java.lang.IllegalStateException: Error starting child, in Tomcat 10
- Spring boot with embedded tomcat + access log with authentication user
- Tomcat and Spring: Issue with Query Param Being Truncated (EVAL Keyword)
- @PathVariable containing backslash quote returns 400 Bad Request
- Spring Java app not finding the keystore file
- Spring Boot Application Not Reading Application.properties in Tomcat
- JAX-WS Web service on Tomcat without sun-jaxws.xml
- How do I send an e-mail in Java?
- Remote Debugging with JPDA won't connect to Tomcat through eclipse when using Docker-Compose
- ERR_TOO_MANY_REDIRECTS error occurs in load balanced geoserver with nginx