I have a web service that I access from multiple domains. For reasons I'm unable to fathom, the session seems to be shared between different sites.
- So, I make a request from WebAppA to the API. This works.
-
Then I make a same request from WebAppB, to the same web service. This reports that it's blocked due to the CORS policy, e.g.
The 'Access-Control-Allow-Origin' header has a value 'WebAppA' that is not equal to the supplied origin. Origin 'WebAppB' is therefore not allowed access.
But the Tomcat code for the web service claims that it allows CORS:
I have this in my web.xml:
<param-name>Access-Control-Allow-Origin</param-name>
<param-value>*</param-value>
and this in the java class that handles requests:
if (StringUtils.isNotBlank(origin)) {
response.setHeader("Access-Control-Allow-Origin", origin);
}
Logically, this should be allowing the requests from WebAppB through, but instead it still sees WebAppA as the only permitted origin. Given the snippet above, one option that springs to mind is that the Origin
header might be blank. But if it was, then surely it wouldn't say WebAppB isn't allow access, because it wouldn't know that the origin was WebAppB!?
Clearing the cache fixes the issue, so it's clearly session-associated somehow, but I can't see any cookies that look like they're relevant.
Question How can I fix this so that both webapp A and B can access the same web service, without clearing the cache in between?
Disclaimer: This is a follow-on from Possible CORS issue. What's going on and how can I fix it?, but I've done a lot more investigation since so I can define the issue more clearly. (I hope).