Hi Jeremy,
Echoing what Jon said, the IWS system is designed to make simple apis very quickly, so if you want to move into mature api systems with customizations, I'd recommend looking at more industry standard tools.
As Scott mentioned, one common option is to set up a reverse proxy server in front of your IWS apis. Usually I use NginX for that kind of setup. NginX is an extremely popular open source web server which is available in PASE through the open source package management.
If I'm understanding you correctly, it sounds like you just want to open your apis to clients from any domain. In that case, the nginx configuration is pretty simple. You'd need something roughly like this:
server {
listen 4000;
add_header "Access-Control-Allow-Origin" "*";
location / {
proxy_pass http://your.iws.host:port;
}
}
That configuration will create a new webserver listening on port 4000 on your IBM i. Any calls going to that server will be redirected to your iws apis thanks to the location directive, and an additional header will be added to the responses. The Access-Control-Allow-Origin header will specify that requests should be allowed from any origin, so you shouldn't get cors errors anymore.
If you need a more specific configuration to only allow specific sites or allow based on logic, you can do that too with a slightly more complex configuration.
This would require a change in your api flow - api clients would call to your NginX server and it would pass the calls onto IWS, rather than clients calling IWS directly.
This kind of setup has become (in my experience) the dominant architecture in the Node.js world.
Let me know if you have any questions.
------------------------------
Aaron Magid
VP, Open Source Technologies
Eradani
510-295-9297
aaron@eradani.com
------------------------------
Original Message:
Sent: Fri March 25, 2022 01:22 PM
From: Jeremy Bowling
Subject: IBM i REST API with CORS validation
I have an open support case with IBM, but I am not getting anywhere with the tech so any help would be appreciated.
I want to provide an REST API interface using my IBM i to a couple of different websites. These websites run on different servers and are not a part of the IBM i. So with that in mind I have no problems when using Postman or something similar to access the API, but when using a browser I run into the dreaded CORS security validation.
I have looked through dozens of IBM support docs, websites, etc... but I can't find a solution. IBM has made me very aware that the problem is the IWS server runs on top of another Apache server and is the reason my apache config changes don't work. However, they haven't yet been able to tell me how to correct it. I can't believe that an application server built specifically for delivering REST and SOAP APIs wouldn't support websites, mobile apps or anything else that might use CORS. So I am really hoping that I have just missed the correct configuration and it is possible.
------------------------------
Jeremy Bowling
------------------------------