Hi,
We are setting up a REST API using IWS. Our IWS REST API is being called from a single page app (SPA) inside a user's web browser. The user's web browser complains about the call to the IWS web API due to CORS policies.
The problem I'm having is that IBM suggests setting Basic Auth and CORS headers in the same directive within the HTTP Server configuration file. I can't get this work. I would appreciate any ideas or suggestions.
Here are the details.
According to page 153 of the Integrated Web Services Server Administration and Programming Guide, Basic Authentication is set up as follows:
<Location />
AuthType Basic
AuthName "IBM Server"
PasswdFile %%SYSTEM%%
require valid-user
</Location>
According an IBM support page (
https://www.ibm.com/support/pages/enabling-cross-origin-resource-sharing-cors-http-apache), the CORS directive is set up as follows for V7R2 and above (Apache 2.4.x):
<Location />
Require All granted
Header set Access-Control-Allow-Origin "*"
</Location>
For those with additional requirements for CORS the following can be used:
<Location/>
Require all granted
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST,GET,OPTIONS,DELETE,PUT"
Header always set Access-Control-Max-Age "3600"
Header always set Access-Control-Allow-Headers "Content-Type,Authorization"
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
</Location>
I have tried various ways to get Basic Auth and CORS to play nice together within the <Location/> directive. Nothing has worked.
Thanks,
Kelly Cookson
Senior Software Engineer II
Dot Foods, Inc.
1-217-773-4486 ext. 12676
www.dotfoods.com<
http://www.dotfoods.com>
As an Amazon Associate we earn from qualifying purchases.