GET REST request with authorization yields 403 in preflight


Hi there,

I have a problem with running the REST engine with both CORS and basic authentication enabled. Following leads to the problem:

var xhr = new XMLHttpRequest();'GET', 'http://localhost:8082/engine-rest/process-definition');
xhr.setRequestHeader('Authorization', 'Basic ZmVsaXg6cHc=');

Pretty basic. As specified, setting the Authorization header yields in an preflight request. However, this results in the status code 403 with no CORS headers set. As described in this forum post this is an issue with the authentication filter, but it isn’t. It is a problem of setting the Authorization header. If I disable basic authentication but keep setting the header, the problem still occurs.

A quick sidenote: If I test the same OPTIONS request in Postman, it works fine unless I set the Origin header to the same value as of my browser’s request. (Might be something Postman related though, as this is not the “true” origin.)

So there are two problems:

  1. Why does the request result in status code 403?
  2. Why are no CORS headers set when an error code appears? This doesn’t allow me to handle the error in code and instead it will be handled by the browser.

How could I go on about this?

Best regards


This was an error with the cors.allowed.headers of the org.apache.catalina.filters.CorsFilter filter. Adding Authorization to the default headers solved the problem.