jsp-api and servlet-api jars must NOT be deployed by your web app. They should be marked as provided but not deployed by your app.
The server rejects all jars that already belong to the server runtime (such as tomcat-.jar, servlet.jar). Consider substituting the CORS filter you're using for this one: https://goo.gl/ctQ7Fs
Don't give up yet. Our experts can help. Paste your full stack trace to get a solution.
You have a different solution? A short tip here would help you and many other users who saw this issue last week.