Dear Labkey community
we are having some issues while enabling CORS in labkey for some external collaborators. Our labkey instances work fine without CORS but as soon as we enable it, some labkey functionality does not work. As far as we could test, only file deletion stops working, but still is a problem.
Our labkey server has the following versions:
- apache-tomcat: 8.5.53
- openjdk:13.0.2
- LabKey19.3.10-65330.20
The CORS configuration is as follows, although I've tried using just the default values without any luck.
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>https://bc2-labkey-dev.bc2.unibas.ch, https://bc2-labkey-dev.bc2.unibas.ch, https://labkey-dev.scicore.unibas.ch, https://labkey-dev.scicore.unibas.ch, https://wiki.biozentrum.unibas.ch, https://labkey.scicore.unibas.ch</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Access-Control-Expose-Headers,Access-Control-Allow-Origin,X-Requested-With,Content-type,Authorization</param-value>
</init-param>
<init-param>
<param-name>cors.exposed.headers</param-name>
<param-value>Access-Control-Expose-Headers,Access-Control-Allow-Origin,X-Requested-With,Content-type,Authorization</param-value>
</init-param>
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.preflight.maxage</param-name>
<param-value>1800</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Even with a simpler CORS setup it does not work:
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>*</param-value>
</init-param>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Upon trying to delete a file I have just uploaded in the files tab, I get "Failed to delete" message. Firefox devel tools show:
Request URL:https://bc2-labkey-dev.bc2.unibas.ch/labkey/_webdav/home/%40files/afile_to_delete.txt?method=DELETE&pageId=4267287a-97a1-1038-bf7a-3c9cbf81b968
Request Method:POST
Remote Address:0.0.0.0:443
Status Code:
403
Version:HTTP/1.1
Referrer Policy:origin-when-cross-origin
The logs don't show any error during this request.
Is there anything else we should modify, or add for this to work? I'm currently out of ideas.
Best regards,
Iñaki