CORS filter with Tomcat

tp1984
Jun 17, 2015, 10:39:55 AM
to hapi...@googlegroups.com

Hello everybody,

as this is my first post here, thanks for the great library. It really saved me LOADS of time so far.

Now to the point: just noticed that there seems to be a flaw with CORS filtering. Didn't have the time to track this further yet, but just be warned for now that if you follow this documentation:


AND use Tomcat (mine is 8.0.20), you'll end up with multiple "Access-Control-Allow-Credentials" and "Access-Control-Allow-Origin" header entries, which some (or most) clients won't take very well:


The 'Access-Control-Allow-Origin' header contains multiple values 'http://example.com, http://example.com', but only one is allowed. Origin 'http://example.com' is therefore not allowed access.


The reason for this is that you will always end up with two CorsFilters in the filter chain, namely:

org.apache.catalina.filters.CorsFilter
org.ebaysf.web.cors.CORSFilter


Where both of them add those header entries to the response.
At least if you use Hapi-Fhir 1.0 for your servers in conjunction with Tomcat 8.


My temporary workaround is to set a non-existing url-pattern for one of the filters; however, I'll try to dig a little bit deeper when I find the time to find a more satisfying solution.


In case anybody already has more insight regarding this, I'd also be grateful.


Regards,
tp
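
Added example, not part of the original post and not HAPI FHIR or Tomcat code: a check for the situation described above, assuming both filters are declared in a `web.xml` the deployment loads. The sample `web.xml`, the filter names and the function names are constructed for illustration; url-patterns are compared literally, so overlapping but non-identical patterns are not detected.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# The two filter classes and the two response headers named in the post.
CORS_FILTER_CLASSES = {"org.apache.catalina.filters.CorsFilter",
                       "org.ebaysf.web.cors.CORSFilter"}
SINGLE_VALUED = ("access-control-allow-origin", "access-control-allow-credentials")

# Constructed web.xml (not from the post): both filters mapped to /*.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter><filter-name>tomcatCors</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class></filter>
  <filter><filter-name>ebayCors</filter-name>
    <filter-class>org.ebaysf.web.cors.CORSFilter</filter-class></filter>
  <filter-mapping><filter-name>tomcatCors</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>ebayCors</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

def _children(elem, name):
    """Text of elem's direct children called `name`, ignoring XML namespaces."""
    return [(c.text or "").strip() for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _elements(root, name):
    """Direct children of root called `name`, ignoring XML namespaces."""
    return [e for e in root if e.tag.rsplit("}", 1)[-1] == name]

def stacked_cors_patterns(web_xml):
    """Return {url-pattern: [filter classes]} where more than one CORS filter is mapped."""
    root = ET.fromstring(web_xml)
    classes = {}  # filter-name -> filter-class, CORS filters only
    for f in _elements(root, "filter"):
        name, cls = _children(f, "filter-name"), _children(f, "filter-class")
        if name and cls and cls[0] in CORS_FILTER_CLASSES:
            classes[name[0]] = cls[0]
    by_pattern = {}
    for m in _elements(root, "filter-mapping"):
        name = _children(m, "filter-name")
        if name and name[0] in classes:
            for pattern in _children(m, "url-pattern"):
                by_pattern.setdefault(pattern, []).append(classes[name[0]])
    return {p: c for p, c in by_pattern.items() if len(c) > 1}

def duplicated_cors_headers(headers):
    """From (name, value) response header pairs, list single-valued CORS headers sent more than once."""
    counts = Counter(name.lower() for name, _ in headers)
    return [h for h in SINGLE_VALUED if counts[h] > 1]
```

`duplicated_cors_headers` can be run over the headers of a real response in an integration test to catch the duplicate entries before a browser rejects them.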


