'JasperReports Server 8.0.0 Deployed on Tomcat CORS Errors

When calling any of the REST web services from my Angular front-end application (or via cURL), I receive a CORS error in the console window.

Access to XMLHttpRequest at 'http://<base_url>:8083/jasperserver/rest_v2/login?j_username=username&j_password=password' from origin 'http://<base_url>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I have tried other endpoints in the web services library, such as:

  • {{jasper_url}}/jasperserver/rest_v2/resources?type=reportUnit
  • {{jasper_url}}/jasperserver/rest_v2/reports/Reports/Case_Status.html?report_date=2022-03-07
  • {{jasper_url}}/jasperserver/rest_v2/serverInfo

I have the same issue when running Angular locally or on the server where JasperReports Server is installed.

I have followed this tutorial to whitelist my server's domain, and I've also tried to whitelist all domains with "*", but with no luck, even after restarting Tomcat.

enter image description here

I have updated the apache-tomcat/conf/web.xml with the below config by following the answer from this Stack Overflow question, but with no luck, even after restarting Tomcat.

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>*</url-pattern>
</filter-mapping>

AFter the above filter was applied to Tomcat, I can confirm by using cURL to test that "Access-Control-Allow-Origin: *" is returned for http://base_url:8083, but NOT for http://base_url:8083/jasperserver. This leads me to believe that my problem is purely with JasperReports Server, and not with Tomcat at all.

enter image description here

Upon further investigation as detailed in this video by Dr. Jaspersoft, an OPTIONS request returns a 403, but a GET request returns a 200 and "Access-Control-Allow-Origin: *"

enter image description here

I've since removed the CORS filter from apache-tomcat/conf/web.xml and rather added a similar one directly to the jasperserver web app (apache-tomcat/webapps/jasperserver/WEB-INF/web.xml), where base_url is obviously replaced with teh server's URL.

   <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>http://base_url, https://base_url, http://localhost:8080</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,HEAD,PUT,OPTIONS,DELETE,PATCH</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Cache-Control,X-Suppress-Basic,Origin,Accept,X-Requested-With,Content-Type,Pragma,accept-timezone,withCredentials,X-Remote-Domain,X-Is-Visualize,x-jrs-base-url,Content-Disposition,Content-Description,Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Connection,Host,authorization,Options</param-value>
    </init-param>
    <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Authorization</param-value>
    </init-param>
    <init-param>
        <param-name>cors.support.credentials</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.preflight.maxage</param-name>
        <param-value>300</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The above CORS configuration yielded positive results when testing with cURL on the {{jasper_url}}/jasperserver/rest_v2/serverInfo endpoint, but other endpoints that require credentials are still giving CORS errors.

enter image description here

I can't be the only one struggling with this, so if anyone else has resolved CORS errors with later versions of JasperReports Server, please help out!

A an aside, I'm using NGINX and thought that I may be able to use that to prevent the CORS errors, simlar to the answers in this ServerFault question. However, I have not gone that far as I'm sure there must be an easier way to do this by configuring JasperReports Server.

Server information

  • Operating system: Linux Debian 11
  • JasperReports version: 8.0.0
  • Tomcat version: 9.0.5


Solution 1:[1]

After MUCH trial and error, I've somewhat resolved the error.

I added the following to the /apache-tomcat/webapps/jasperserver/WEB-INF/web.xml file:

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <!--  Update allowed origins and remove localhost for non-dev environments -->
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>http://dev.greydom.com, https://dev.greydom.com, http://localhost:8080</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,HEAD,PUT,OPTIONS,DELETE,PATCH</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Cache-Control,X-Suppress-Basic,Origin,Accept,X-Requested-With,Content-Type,Pragma,accept-timezone,withCredentials,X-Remote-Domain,X-Is-Visualize,x-jrs-base-url,Content-Disposition,Content-Description,Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Connection,Host,Authorization,Options</param-value>
    </init-param>
    <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Authorization</param-value>
    </init-param>
    <init-param>
        <param-name>cors.support.credentials</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.preflight.maxage</param-name>
        <param-value>300</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

My only mistake was that I needed a capital A for Authorized in allowed headers.

I can now access the web services with no CORS errors

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Jason Collier