java - GET requests are being forbidden while POST requests go through fine
In my web application, I need to make calls to a different web service (developed/managed by me) to start/manage resources through REST APIs. The web service runs on tomcat6. I can see from the browser logs that POST requests are getting through but GET requests are being forbidden. If I make the same calls from the web service itself, I am not seeing any issues. I have defined a cross-origin filter for tomcat6 and mentioned GET in the supported methods, but the problem still persists.
I have defined the cross-origin filters this way in web.xml at the application server level itself. I am using the CORS filter library from http://software.dzhuvinov.com/cors-filter.html. On the tomcat6 server, the filter has been defined at ($tomcat6_home/conf/web.xml) as follows:
<filter>
    <filter-name>cors</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <!-- Any origin is allowed -->
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>*</param-value>
    </init-param>
    <!-- HTTP methods accepted on cross-origin requests -->
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>GET, POST, HEAD, PUT, DELETE, OPTIONS</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedHeaders</param-name>
        <param-value>*</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>cors</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Strangely, the web service is accepting POST calls, but for GET calls it is throwing a 403 - Forbidden error, telling "Access to the specified resource has been forbidden".
The headers for the GET call are as follows:
Request URL: https://remote.vm.mycompany.com/remote/tunnel?read:c2faeb31-4147-49e8-b8d3-53d89496e5ca:0
Request Method: GET
Status Code: 403 Forbidden

Request Headers
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-us,en;q=0.8
Connection: keep-alive
Host: remote.vm.mycompany.com
Origin: https://ec2-184-72-200-91.compute-1.amazonaws.com
Referer: https://ec2-184-72-200-91.compute-1.amazonaws.com/
User-Agent: mozilla/5.0 (macintosh; intel mac os x 10_8_4) applewebkit/537.36 (khtml, gecko) chrome/28.0.1500.71 safari/537.36

Query String Parameters
read:c2faeb31-4147-49e8-b8d3-53d89496e5ca:0:

Response Headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://ec2-184-72-200-91.compute-1.amazonaws.com
Content-Length: 961
Content-Type: text/html;charset=utf-8
Date: sun, 21 jul 2013 17:17:37 gmt
Server: apache-coyote/1.1
The Tomcat access logs reveal that the request has been forbidden, but it doesn't give any clue in any of the logs:
- - - [21/jul/2013:17:17:37 +0000] post /remote/tunnel?connect http/1.1 200 -
- - - [21/jul/2013:17:17:37 +0000] /remote/tunnel?read:c2faeb31-4147-49e8-b8d3-53d89496e5ca:0 http/1.1 403 -
Here is the servlet code. I am trying to integrate Guacamole (an HTML5 VNC client) as a web service.
package com.mycompany.html5remote;

import java.util.Arrays;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import net.sourceforge.guacamole.GuacamoleException;
import net.sourceforge.guacamole.net.GuacamoleSocket;
import net.sourceforge.guacamole.net.GuacamoleTunnel;
import net.sourceforge.guacamole.net.InetGuacamoleSocket;
import net.sourceforge.guacamole.protocol.ConfiguredGuacamoleSocket;
import net.sourceforge.guacamole.protocol.GuacamoleClientInformation;
import net.sourceforge.guacamole.protocol.GuacamoleConfiguration;
import net.sourceforge.guacamole.servlet.GuacamoleHTTPTunnelServlet;
import net.sourceforge.guacamole.servlet.GuacamoleSession;

public class HttpTunnel extends GuacamoleHTTPTunnelServlet {

    private Logger logger = LoggerFactory.getLogger(HttpTunnel.class);

    @Override
    protected GuacamoleTunnel doConnect(HttpServletRequest request) throws GuacamoleException {

        HttpSession httpSession = request.getSession(true);
        logger.info("Inside doConnect method.");

        GuacamoleClientInformation info = new GuacamoleClientInformation();

        // Target host and protocol come from the request parameters
        String hostname = request.getParameter("hostname");
        String protocol = request.getParameter("protocol");

        // Create socket configuration
        GuacamoleConfiguration config = new GuacamoleConfiguration();
        config.setProtocol(protocol);
        config.setParameter("hostname", hostname);
        //config.setParameter("hostname", "ec2-184-73-104-108.compute-1.amazonaws.com");

        // Pick the default port for the requested protocol
        if ("vnc".equals(protocol)) {
            config.setParameter("port", "5901");
        } else if ("rdp".equals(protocol)) {
            config.setParameter("port", "3389");
        } else {
            config.setParameter("port", "22");
        }

        logger.info("Set configuration. Creating socket connection now..");

        // Return connected socket
        GuacamoleSocket socket = new ConfiguredGuacamoleSocket(
                new InetGuacamoleSocket("localhost", 4822),
                config, info
        );
        logger.info("Successfully created socket connection.");

        // Create tunnel from the now-configured socket
        GuacamoleTunnel tunnel = new GuacamoleTunnel(socket);

        // Attach tunnel to the session
        GuacamoleSession session = new GuacamoleSession(httpSession);
        session.attachTunnel(tunnel);

        logger.info("Done");
        return tunnel;
    }
}
The documentation for GuacamoleHTTPTunnelServlet (GPL licensed) is here.
What am I possibly missing? Are there other places where I can find clues? Please help.
Do you have any security constraints related to HTTP methods configured in web.xml? I am not sure why you go for a separate API for filtering the request?
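One way to run the check the answer asks about, as an added example that is not part of the original question or answer: a script that lists which security-constraint entries in a web.xml apply to a given HTTP method and path. The sample web.xml, the /tunnel path (assumed to be relative to the web application's context) and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the asker's real file: a hypothetical constraint
# of the kind the answer asks about, denying GET on /tunnel to everyone.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>tunnel</web-resource-name>
      <url-pattern>/tunnel</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _matches(pattern, path):
    # Servlet url-pattern forms handled here: exact, "/prefix/*" and "*.ext".
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def constraints_for(web_xml_text, method, path):
    """List the security constraints that apply to `method` on `path`."""
    hits = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = _kids(sc, "auth-constraint")
        roles = [r.text.strip() for a in auth for r in _kids(a, "role-name") if r.text]
        if not auth:
            effect = "unrestricted"            # no role check on this constraint
        elif roles:
            effect = "roles:" + ",".join(roles)
        else:
            effect = "deny-all"                # empty auth-constraint: 403 for everyone
        for wrc in _kids(sc, "web-resource-collection"):
            methods = [m.text.strip().upper() for m in _kids(wrc, "http-method") if m.text]
            patterns = [p.text.strip() for p in _kids(wrc, "url-pattern") if p.text]
            # No <http-method> children means the constraint covers every method.
            applies = not methods or method.upper() in methods
            if applies and any(_matches(p, path) for p in patterns):
                hits.append({"patterns": patterns, "methods": methods or ["*"], "effect": effect})
    return hits

if __name__ == "__main__":
    for verb in ("GET", "POST"):
        print(verb, constraints_for(SAMPLE_WEB_XML, verb, "/tunnel"))
```

Run it against both $tomcat6_home/conf/web.xml and the web application's own WEB-INF/web.xml, since constraints in either file apply to the application.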