IBM i Global


IBM i REST API with CORS validation

  • 1.  IBM i REST API with CORS validation

    Posted Fri March 25, 2022 01:22 PM
    I have an open support case with IBM, but I am not getting anywhere with the tech so any help would be appreciated. 

    I want to provide a REST API interface using my IBM i to a couple of different websites. These websites run on different servers and are not a part of the IBM i. So with that in mind I have no problems when using Postman or something similar to access the API, but when using a browser I run into the dreaded CORS security validation. 

    I have looked through dozens of IBM support docs, websites, etc... but I can't find a solution. IBM has made me very aware that the problem is the IWS server runs on top of another Apache server and is the reason my apache config changes don't work. However, they haven't yet been able to tell me how to correct it. I can't believe that an application server built specifically for delivering REST and SOAP APIs wouldn't support websites, mobile apps or anything else that might use CORS. So I am really hoping that I have just missed the correct configuration and it is possible. 

    Jeremy Bowling

  • 2.  RE: IBM i REST API with CORS validation

    Posted Sat March 26, 2022 06:08 AM
    I don't get the flow. IIUC, you have created a REST API that runs on the IBM i, and the underlying program reaches out to other websites.

    Then you have some javascript on the browser that calls your API. Does that first call get blocked or is it blocked later? 

    If it is the first call, then you have to understand the CORS dance (called pre-flight-check). I'm not sure if I understand it completely but the gist is this:

    * When a browser makes a POST call to another domain it is deemed CROSS ORIGIN
    * Before the actual POST call, an OPTIONS call is made by the browser. (It is the browser that is worried; Postman, cURL, etc. don't care.)
    * The OPTIONS call must therefore be implemented by your REST API
    * The OPTIONS call does nothing but authorizes the upcoming POST (by adding the cross-origin headers)
    * If the browser sees a valid return from the OPTIONS call the POST call is made. Otherwise, it throws the CORS exception

    So in short, you have to implement the OPTIONS call in your API, check the origin (if required), and, if OK, add the cors headers.


    Wim Jongman
    Remain Software
    IBM i Devops / MiWorkplace / Enterprise Wide Cross Reference / OpenAPI Studio for RPG Free


  • 3.  RE: IBM i REST API with CORS validation

    IBM Champion
    Posted Sun March 27, 2022 09:21 PM
    Please check if these articles help with your case or not:

    Fixing Common Problems with CORS and JavaScript

    CORS Tutorial: A Guide to Cross-Origin Resource Sharing

    Satid Singkorapoom

  • 4.  RE: IBM i REST API with CORS validation

    IBM Champion
    Posted Mon March 28, 2022 10:36 AM

    If you are actually using IWS then I am not surprised that you are having issues when you need to go "outside the box".

    IWS is designed to provide a simple wizard type interface to permit SQL statements or conventional programs/service programs to be deployed as web services. It is not a full function tool with the kind of additional hooks it sounds like you need. All the "plumbing" is under the covers.

    Sounds to me like you need one of the API toolkits provided by software vendors like Remain, Profound Logic, Eradani or Midrange just to name a few. Either that or write the code yourself using the raw APIs or one of the open source web service toolkits.

    Jon Paris

  • 5.  RE: IBM i REST API with CORS validation

    IBM Champion
    Posted Mon March 28, 2022 10:50 AM
    Have you tried the options specified at the following URL?

    Have you considered making your API calls from the back-end program instead of calling them from the browser?

    Have you considered setting up a reverse proxy on the origin server instead of making a cross-origin call?

    Scott Klement
    Profound Logic Software
    Oak Creek WI

  • 6.  RE: IBM i REST API with CORS validation

    IBM Champion
    Posted Tue March 29, 2022 11:09 PM
    Edited by Aaron Magid Tue March 29, 2022 11:11 PM
    Hi Jeremy,
    Echoing what Jon said, the IWS system is designed to make simple apis very quickly, so if you want to move into mature api systems with customizations, I'd recommend looking at more industry standard tools.
    As Scott mentioned, one common option is to set up a reverse proxy server in front of your IWS apis. Usually I use NginX for that kind of setup. NginX is an extremely popular open source web server which is available in PASE through the open source package management.
    If I'm understanding you correctly, it sounds like you just want to open your apis to clients from any domain. In that case, the nginx configuration is pretty simple. You'd need something roughly like this:
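    server {
        listen 4000;
        add_header "Access-Control-Allow-Origin" "*";
        location / {
            # Placeholder: address of the IWS server (not shown in the post)
            proxy_pass http://127.0.0.1:10010;
        }
    }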
    That configuration will create a new webserver listening on port 4000 on your IBM i. Any calls going to that server will be redirected to your iws apis thanks to the location directive, and an additional header will be added to the responses. The Access-Control-Allow-Origin header will specify that requests should be allowed from any origin, so you shouldn't get cors errors anymore.
    If you need a more specific configuration to only allow specific sites or allow based on logic, you can do that too with a slightly more complex configuration.
    This would require a change in your api flow - api clients would call to your NginX server and it would pass the calls onto IWS, rather than clients calling IWS directly.

    This kind of setup has become (in my experience) the dominant architecture in the Node.js world.

    Let me know if you have any questions.

    Aaron Magid
    VP, Open Source Technologies
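
Added example, not written by any poster in this thread: the preflight flow described in post 2 combined with the "only allow specific sites" variant mentioned in post 6, as an nginx configuration. The two origins, the allowed methods and headers, and the upstream address are constructed placeholders.

```nginx
# Included in the http context (for example from conf.d/).
# Constructed allow-list: replace the two origins with the real site origins.
# An Origin that is not listed maps to "", and nginx does not emit an
# add_header whose value is empty, so the browser blocks that caller.
map $http_origin $cors_origin {
    default                      "";
    "https://shop.example.com"   $http_origin;
    "https://admin.example.com"  $http_origin;
}

server {
    listen 4000;

    location / {
        # Preflight: answer OPTIONS at the proxy so the API behind it
        # never needs to implement the method itself.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin  $cors_origin always;
            # Assumed method and header lists; match them to the real API.
            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
            add_header Access-Control-Max-Age       600 always;
            # The response differs per Origin, so caches must key on it.
            add_header Vary Origin always;
            return 204;
        }

        # Actual request: echo the approved origin back, never "*".
        # add_header is not inherited from the if block above, so repeat it.
        add_header Access-Control-Allow-Origin $cors_origin always;
        add_header Vary Origin always;

        # Placeholder upstream: the IWS server address is an assumption.
        proxy_pass http://127.0.0.1:10010;
    }
}
```

CORS only restricts what browser JavaScript may read; tools such as Postman or curl ignore these headers, so the API still needs its own authentication.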

  • 7.  RE: IBM i REST API with CORS validation