IBM Security Verify

  • 1.  ISAM - How to enable cors on ISAM 10

    Posted Thu November 19, 2020 03:44 AM
    Hello Team,

    How to enable CORS on ISAM 10?

    I have put Access-Control-Allow-Origin = * inside the [rsp-header-names] stanza.
    Still getting a CORS error.

    Can anyone help me?


  • 2.  RE: ISAM - How to enable cors on ISAM 10

    Posted Thu November 19, 2020 03:51 AM
    Edited by Jon Harry Thu November 19, 2020 03:54 AM

    The configuration you've added is simply going to add a static header to responses. This is not related to the new CORS support in Verify Access v10.

    Have a look at this section of the Knowledge Center for information on configuring a CORS policy. You can create these policies directly in the Reverse Proxy configuration file or by using the API Access Control functionality in the LMI.

    Jon Harry
    Consulting IT Security Specialist

  • 3.  RE: ISAM - How to enable cors on ISAM 10

    Posted Tue July 05, 2022 10:10 AM
    Hi Jon,
    I'm running into trouble using that configuration. Funny, it doesn't work with HTTP transformation nor with CORS policy support (while I don't understand how to attach the policy), nor can I get the expected response with a POP or by configuring the [cors-policy:policy] stanza.

    Sending a preflight request using Postman doesn't respond with the expected headers.

    request-match = GET /jct* *
    allow-origin = *
    allow-credentials = true
    handle-preflight = true
    max-age = 3600
    allow-header = *
    allow-method = PUT

    As mentioned, I also tried with HTML Transformation but didn't have any luck either. Also, sending with OPTIONS instead of GET results in the same response.

    Any hint on what is wrong with the configuration?


    Jens Petersen

  • 4.  RE: ISAM - How to enable cors on ISAM 10

    Posted Tue July 05, 2022 05:16 PM

    I don't quite understand what you are trying to achieve, but the CORS policy configuration which you showed in your last post was for resources which start with '/jct' and the Postman screenshot which you included was for the '/snoop' resource. So, I wouldn't expect the configured CORS policy to be invoked for the Postman request which you made. The request-match configuration entry is used to indicate the requests for which the CORS policy will be invoked, by performing a pattern match against the HTTP request line.


    I hope that this helps.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

  • 5.  RE: ISAM - How to enable cors on ISAM 10

    Posted Tue July 05, 2022 06:20 PM

    Hi Scott,
    sorry for the confusing screenshots. Basically the policy works as documented just with the Origin header in the preflight request. The matching must include OPTIONS.

    Following the documentation, I would expect that when preflight handling is set to yes or true, all requests having an OPTIONS method and an Origin header would be matched. That doesn't work at all; the config for preflight doesn't have any function, nothing changes whether it's on or off. Also allow-methods doesn't have any function: I don't get the expected response headers, nor do I receive a deny with any method other than the allowed one. I tried close to every possible combination without getting any change in behaviour. Also updating to 10.0.4 didn't help. I guess I missed something but can't find what it might be.

    Jens Petersen

  • 6.  RE: ISAM - How to enable cors on ISAM 10

    Posted Wed July 06, 2022 04:08 AM
    Just did some better screenshots to visualize the problem.

    Following the documentation and the RFC I would expect a preflight request with method OPTIONS to receive 
    Connection: keep-alive
    Access-Control-Allow-Origin: <value of origin request header>
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Max-Age: 3600
    Access-Control-Allow-Credentials: True
    Here is what I really get:

    so the access-control-allow-method and access-control-max-age headers are missing

    Also, removing all config entries except the match and origin and allow-credentials comes back with exactly the same result

    This leads to the assumption that max-age, allow-header and allow-method as well as handle-preflight have no effect on the CORS policy.

    The documentation says that preflight is matched as soon as method OPTIONS and the Origin as well as the request-method header are present. That also doesn't work at all. It is also described there that allow-header, allow-method and max-age will result in the corresponding response headers, which just doesn't happen. Seems I did something wrong with the matching, but I really don't know what, as the policy seems to work, at least partly.

    Jens Petersen

  • 7.  RE: ISAM - How to enable cors on ISAM 10

    Posted Thu July 07, 2022 03:55 AM
    Hi Jens,

    I think I have found the problem, there is a minor error in the documentation which incorrectly lists the entry as 'handle-preflight', the correct entry is 'handle-pre-flight'. 

    Once this is corrected, you should expect to get a response to matching requests when:
    - The request contains the OPTIONS method
    - The 'Origin' header is present
    - The 'Access-Control-Request-Method' header is present

    For example:
    $ curl -k -v -X OPTIONS -H "Origin:" -H "Access-Control-Request-Method: PUT"
    > OPTIONS / HTTP/2
    > Host:
    > user-agent: curl/7.68.0
    > accept: */*
    > origin:
    > access-control-request-method: PUT
    < HTTP/2 204
    < p3p: CP="NON CUR OTPi OUR NOR UNI"
    < vary: origin
    < access-control-allow-origin:
    < access-control-allow-methods: PUT
    < access-control-allow-headers: origin, x-requested-with
    < access-control-max-age: 3600
    < access-control-allow-credentials: true
    < strict-transport-security: max-age=31536000; includeSubDomains

    For reference, I was using a policy similar to yours:

    request-match = *
    handle-pre-flight = true
    allow-origin = *
    allow-credentials = true
    allow-header = origin
    allow-header = x-requested-with
    allow-method =
    max-age = 3600
    expose-header =

    I am very sorry for the confusion caused by the typo, I will get it corrected ASAP.

    Let me know if you still encounter issues and I will do my best to help.

    Keiran Robinson
    IBM Application Gateway Development
    IBM Security Verify Access Development
    IBM Security
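
The two mistakes worked through in this thread (a misspelled key that has no effect, and a `request-match` pattern that never matches the preflight's request line) can be caught before deployment. The following is an added example, not part of the original posts and not IBM code: the key list is taken only from the working policy in post 7, shell-style wildcards stand in for the product's pattern matching, and the finding codes are hypothetical.

```python
import fnmatch

# Keys from the working policy posted in this thread (an assumption: this is
# not the product's complete key list, extend it from the product reference).
KNOWN_KEYS = {"request-match", "handle-pre-flight", "allow-origin",
              "allow-credentials", "allow-header", "allow-method",
              "max-age", "expose-header"}

def parse_stanza(text):
    """Parse 'key = value' lines into {key: [values]}; keys may repeat."""
    entries = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            entries.setdefault(key.strip(), []).append(value.strip())
    return entries

def lint(entries):
    """Return finding codes for the mistakes discussed in the thread."""
    findings = [f"unknown-key:{k}" for k in entries if k not in KNOWN_KEYS]
    if "true" not in [v.lower() for v in entries.get("handle-pre-flight", [])]:
        findings.append("handle-pre-flight-not-true")
    creds = [v.lower() for v in entries.get("allow-credentials", [])]
    if "*" in entries.get("allow-origin", []) and "true" in creds:
        # Any origin is accepted and credentials are allowed: review scope.
        findings.append("wildcard-origin-with-credentials")
    return findings

def policy_applies(entries, request_line):
    """Approximate request-match with shell-style wildcards (assumption)."""
    return any(fnmatch.fnmatchcase(request_line, p)
               for p in entries.get("request-match", []))

def is_preflight(method, headers):
    """The three conditions listed in the thread for a preflight response."""
    names = {h.lower() for h in headers}
    return (method.upper() == "OPTIONS" and "origin" in names
            and "access-control-request-method" in names)

# Constructed input: the policy as posted in post 3 of this thread.
POST3 = """request-match = GET /jct* *
allow-origin = *
allow-credentials = true
handle-preflight = true
max-age = 3600
allow-header = *
allow-method = PUT"""

if __name__ == "__main__":
    policy = parse_stanza(POST3)
    print(lint(policy))
    print(policy_applies(policy, "OPTIONS /jct/app HTTP/1.1"))
```
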

  • 8.  RE: ISAM - How to enable cors on ISAM 10

    Posted Thu July 07, 2022 09:53 AM
    Hi Keiran,
    thanks much, that solved the issue. ("minor error with use outcome ;))

    Jens Petersen