Configure CORS for the REST API

By default, a web browser does not allow scripts, such as JavaScript, to invoke the REST API when the script is not from the same origin as the REST API. That is, cross-origin requests are not enabled. We can configure Cross-Origin Resource Sharing (CORS) to allow cross-origin requests from specified origins.


We can access the REST API through a web browser, for example through a script. When such a request comes from a different origin than the REST API, the web browser refuses it because it is a cross-origin request. Two origins are different if the domain, port, or scheme is not the same.

For example, if a script that is hosted at http://localhost:1999/ issues an HTTP GET on a website that is hosted at https://localhost:9443/, the request is a cross-origin request because the port numbers and the schemes (HTTP and HTTPS) are different.

We can enable cross-origin requests by configuring CORS and specifying the origins that are allowed to access the REST API.

For more information about CORS, see https://www.w3.org/TR/cors/ and https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS.


Procedure

  1. View the current configuration by entering the following command:

    dspmqweb properties -a

    The mqRestCorsAllowedOrigins entry specifies the allowed origins. The mqRestCorsMaxAgeInSeconds entry specifies the time, in seconds, that the web browser can cache the results of any CORS pre-flight checks.

  2. Specify the origins that are allowed to access the REST API by entering the following command:

    setmqweb properties -k mqRestCorsAllowedOrigins -v allowedOrigins

    where allowedOrigins specifies the origin that we want to allow cross-origin requests from. We can use an asterisk surrounded by double quotation marks, "*", to allow all cross-origin requests. We can enter more than one origin in a comma-separated list, surrounded by double quotation marks. To allow no cross-origin requests, enter empty quotation marks as the value for allowedOrigins.

  3. Specify the time, in seconds, that we want to allow a web browser to cache the results of any CORS pre-flight checks by entering the following command:

    setmqweb properties -k mqRestCorsMaxAgeInSeconds -v time


Example

The following example shows cross-origin requests enabled for http://localhost:9883, https://localhost:1999, and https://localhost:9663. The maximum age of cached results of any CORS pre-flight checks is set to 90 seconds:

    setmqweb properties -k mqRestCorsAllowedOrigins -v "http://localhost:9883,https://localhost:1999,https://localhost:9663"
    setmqweb properties -k mqRestCorsMaxAgeInSeconds -v 90
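
The origin comparison described on this page, applied to its own addresses, as an added example that is not IBM MQ code. It assumes that each entry in the allowed-origins value is matched exactly against the origin the browser sends; the function names are illustrative.

```javascript
// Added example: models how a browser derives and compares origins.
// Assumption: each allowed-origins entry is matched exactly against the Origin header.

// Serialize a URL to its origin (scheme + host + port); default ports are dropped.
function originOf(url) {
  return new URL(url).origin;
}

// Split the value given to mqRestCorsAllowedOrigins into entries and report
// entries that no browser origin can equal (path, trailing slash, default port).
function parseAllowedOrigins(value) {
  const entries = value.split(",").map((s) => s.trim()).filter((s) => s !== "");
  const origins = [];
  const unmatchable = [];
  for (const entry of entries) {
    if (entry === "*") { origins.push("*"); continue; }
    let serialized = null;
    try { serialized = originOf(entry); } catch { /* not a URL at all */ }
    if (serialized === entry && serialized !== "null") origins.push(entry);
    else unmatchable.push(entry);
  }
  return { origins, unmatchable };
}

// Decide how a request from scriptUrl to apiUrl is treated under allowedValue.
function classify(scriptUrl, apiUrl, allowedValue) {
  const scriptOrigin = originOf(scriptUrl);
  if (scriptOrigin === originOf(apiUrl)) return "same-origin";
  const { origins } = parseAllowedOrigins(allowedValue);
  return origins.includes("*") || origins.includes(scriptOrigin)
    ? "cross-origin, allowed"
    : "cross-origin, blocked";
}

const API = "https://localhost:9443/"; // REST API address from the page's example
const ALLOWED = "http://localhost:9883,https://localhost:1999,https://localhost:9663";

// The page's script at http://localhost:1999/ is not covered by the example list,
// because the list entry for port 1999 uses the https scheme.
console.log(classify("http://localhost:1999/", API, ALLOWED));
console.log(classify("https://localhost:1999/app.js", API, ALLOWED));
// Constructed input: a trailing slash and an explicit default port never match.
console.log(parseAllowedOrigins("https://localhost:1999/,https://localhost:443").unmatchable);
```

Running the candidate value through parseAllowedOrigins before passing it to setmqweb catches entries that would otherwise silently allow nothing.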