Hi Jens,
I think I have found the problem: there is a minor error in the documentation, which incorrectly lists the entry as 'handle-preflight'; the correct entry is 'handle-pre-flight'.
Once this is corrected, you should expect to get a response to matching requests when:
- The request contains the OPTIONS method
- The 'Origin' header is present
- The 'Access-Control-Request-Method' header is present
For example:
$ curl -k https://192.168.42.202 -v -X OPTIONS -H "Origin: test.ibm.com" -H "Access-Control-Request-Method: PUT"
...
> OPTIONS / HTTP/2
> Host: 192.168.42.202
> user-agent: curl/7.68.0
> accept: */*
> origin: test.ibm.com
> access-control-request-method: PUT
>
...
< HTTP/2 204
< p3p: CP="NON CUR OTPi OUR NOR UNI"
< vary: origin
< access-control-allow-origin: test.ibm.com
< access-control-allow-methods: PUT
< access-control-allow-headers: origin, x-requested-with
< access-control-max-age: 3600
< access-control-allow-credentials: true
< strict-transport-security: max-age=31536000; includeSubDomains
<
For reference, I was using a policy similar to yours:
[cors-policy:TEST]
request-match = *
handle-pre-flight = true
allow-origin = *
allow-credentials = true
allow-header = origin
allow-header = x-requested-with
allow-method =
max-age = 3600
expose-header =
I am very sorry for the confusion caused by the typo; I will get it corrected ASAP.
Let me know if you still encounter issues and I will do my best to help.
------------------------------
Keiran Robinson
IBM Application Gateway Development
IBM Security Verify Access Development
IBM Security
------------------------------
Original Message:
Sent: Wed July 06, 2022 04:08 AM
From: Jens Petersen
Subject: ISAM - How to enable cors on ISAM 10
Just did some better screenshots to visualize the problem.
Following the documentation and the RFC I would expect a preflight request with method OPTIONS to receive:
Connection: keep-alive
Access-Control-Allow-Origin: <value of origin request header>
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Max-Age: 3600
Access-Control-Allow-Credentials: True
Here is what I really get:
So the access-control-allow-method and access-control-max-age headers are missing.
Also, removing all config entries except the match, origin and allow-credentials comes back with exactly the same result.
This leads to the assumption that max-age, allow-header and allow-method, as well as handle-preflight, have no effect on the CORS policy.
The documentation https://www.ibm.com/docs/en/sva/10.0.4?topic=stanza-handle-preflight says that a preflight is matched as soon as the method OPTIONS and the Origin as well as the Request-Method header are present. That also doesn't work at all. It also describes that allow-header, allow-method and max-age will result in the corresponding response headers, which just doesn't happen. It seems I did something wrong with the matching, but I really don't know what, as the policy seems to work, at least partly.
------------------------------
Jens Petersen
Original Message:
Sent: Tue July 05, 2022 05:15 PM
From: Scott Exton
Subject: ISAM - How to enable cors on ISAM 10
Jens,
I don't quite understand what you are trying to achieve, but the CORS policy configuration which you showed in your last post was for resources which start with '/jct', and the Postman screenshot which you included was for the '/snoop' resource. So, I wouldn't expect the configured CORS policy to be invoked for the Postman request which you made. The request-match configuration entry is used to indicate the requests for which the CORS policy will be invoked, by performing a pattern match against the HTTP request line.
I hope that this helps.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
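As an added illustration (not IBM's code, and not part of either reply), the Python model below applies the two [cors-policy:TEST] stanzas posted in this thread the way Keiran's reply earlier describes: the policy is consulted only when request-match matches the HTTP request line, as Scott notes above, and a pre-flight answer is produced only for OPTIONS with both Origin and Access-Control-Request-Method present. It assumes, from the curl output in Keiran's reply, that with allow-credentials the Origin is echoed together with Vary: origin, and that an empty allow-method echoes the requested method.

```python
import re
from typing import Dict, Optional

# Constructed model of how a [cors-policy:*] stanza answers a pre-flight request.
# It mirrors the two policies posted in this thread; it is NOT IBM's implementation.
KEIRAN_POLICY = {
    "request-match": ["*"],
    "handle-pre-flight": True,
    "allow-origin": ["*"],
    "allow-credentials": True,
    "allow-header": ["origin", "x-requested-with"],
    "allow-method": [],          # empty: the observed reply echoed the requested method
    "max-age": 3600,
}
# Jens's policy from further down the thread: request-match restricted to 'GET /jct* *'.
JENS_POLICY = {**KEIRAN_POLICY, "request-match": ["GET /jct* *"], "allow-method": ["PUT"]}


def request_line_matches(pattern: str, request_line: str) -> bool:
    """Glob match of a request-match value (e.g. 'GET /jct* *') against 'METHOD PATH VERSION'."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, request_line) is not None


def is_preflight(method: str, headers: Dict[str, str]) -> bool:
    """The three conditions Keiran lists: OPTIONS + Origin + Access-Control-Request-Method."""
    return (method.upper() == "OPTIONS"
            and "origin" in headers and "access-control-request-method" in headers)


def preflight_response(policy: dict, request_line: str,
                       raw_headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the pre-flight response headers, or None when the policy does not answer."""
    headers = {k.lower(): v for k, v in raw_headers.items()}  # header names are case-insensitive
    method = request_line.split(" ", 1)[0]
    # The policy is only invoked when request-match matches the request line (Scott's point).
    if not any(request_line_matches(p, request_line) for p in policy["request-match"]):
        return None
    if not (policy["handle-pre-flight"] and is_preflight(method, headers)):
        return None
    origin = headers["origin"]
    if "*" not in policy["allow-origin"] and origin not in policy["allow-origin"]:
        return None
    # Assumption from the curl output: with allow-credentials the Origin is echoed, plus Vary.
    methods = policy["allow-method"] or [headers["access-control-request-method"]]
    return {
        "status": "204",
        "vary": "origin",
        "access-control-allow-origin": origin,
        "access-control-allow-methods": ", ".join(methods),
        "access-control-allow-headers": ", ".join(policy["allow-header"]),
        "access-control-max-age": str(policy["max-age"]),
        "access-control-allow-credentials": str(policy["allow-credentials"]).lower(),
    }
```

Run against Jens's policy, an OPTIONS request line never satisfies 'GET /jct* *', which is one reason the pre-flight headers he expected never appeared in this model.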
Original Message:
Sent: 7/5/2022 10:10:00 AM
From: Jens Petersen
Subject: RE: ISAM - How to enable cors on ISAM 10
Hi Jon,
I'm running into trouble using that configuration. Funny, it doesn't work with HTTP transformation, nor with CORS policy support (though I don't understand how to attach the policy), nor can I get the expected response with a POP or by configuring the [cors-policy:policy] stanza.
Sending a preflight request using Postman doesn't respond with the expected headers.
[cors-policy:TEST]
request-match = GET /jct* *
allow-origin = *
allow-credentials = true
handle-preflight = true
max-age = 3600
allow-header = *
allow-method = PUT
As mentioned, I also tried with HTML Transformation but didn't have any luck either. Also, sending with OPTIONS instead of GET results in the same response.
Any hint on what is wrong with the configuration?
THX
jens
------------------------------
Jens Petersen
Original Message:
Sent: Thu November 19, 2020 03:51 AM
From: Jon Harry
Subject: ISAM - How to enable cors on ISAM 10
Mukesh,
The configuration you've added is simply going to add a static header to responses. This is not related to the new CORS support in Verify Access v10.
Have a look at this section of the Knowledge Center for information on configuring a CORS policy. You can create these policies directly in the Reverse Proxy configuration file or by using the API Access Control functionality in the LMI.
https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/wrp_config/concept/con_cors_support.html
https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/admin/concept/con_api_access_ctrl.html
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Thu November 19, 2020 03:43 AM
From: Mukesh Bhati
Subject: ISAM - How to enable cors on ISAM 10
Hello Team,
How do I enable CORS on ISAM 10?
I have put Access-Control-Allow-Origin = * inside the [rsp-header-names] stanza.
Still getting a CORS error.
Can anyone help me?
------------------------------
Mukesh
------------------------------