Configuring CORS for the REST API

By default, a web browser does not allow scripts, such as JavaScript, to invoke the administrative REST API when the script is not from the same origin as the REST API. That is, cross-origin requests are not enabled. You can configure Cross-Origin Resource Sharing (CORS) to allow cross-origin requests from specified origins.

About this task

You can access the administrative REST API from a script that runs in a web browser. When the script comes from a different origin than the administrative REST API, the web browser refuses the request because it is a cross-origin request. Two origins are different if the domain, port, or scheme is not the same.

For example, if you have a script that is hosted at http://example.com:1999/, you make a cross-origin request if you issue an HTTP GET on a website that is hosted at https://example.com:9443/. This request is a cross-origin request because the port numbers and the schemes (HTTP and HTTPS) are different.

You can enable cross-origin requests by configuring CORS and specifying the origins that are allowed to access the administrative REST API.

Procedure

Use the setmqweb properties command from the mqcli prompt to configure CORS:

  • View the current configuration by entering the following command and viewing the mqRestCorsAllowedOrigins and mqRestCorsMaxAgeInSeconds entries:
    dspmqweb properties -a
  • Specify the origins that are allowed to access the administrative REST API by entering the following command:
    setmqweb properties -k mqRestCorsAllowedOrigins -v allowedOrigins
    where allowedOrigins specifies the origin that you want to allow cross-origin requests from. You can use an asterisk, *, to allow all cross-origin requests, or you can enter more than one origin in a comma-separated list. To allow no cross-origin requests, enter empty quotation marks as the value for allowedOrigins.
  • Specify the time, in seconds, that you want to allow a web browser to cache the results of any CORS pre-flight checks by entering the following command:
    setmqweb properties -k mqRestCorsMaxAgeInSeconds -v time

Example

The following example shows cross-origin requests enabled for http://example.com:9883, https://example.com:1999, and https://example.com:9663. The maximum age of cached results of any CORS pre-flight checks is set to 90 seconds:
setmqweb properties -k mqRestCorsAllowedOrigins -v http://example.com:9883,https://example.com:1999,https://example.com:9663
setmqweb properties -k mqRestCorsMaxAgeInSeconds -v 90
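
The following added example is not part of the product documentation or product code. It models, in JavaScript, the origin comparison described under "About this task" and the allowed-origins list described under "Procedure". The function names are hypothetical, and matching each list entry by normalized scheme, host, and port is an assumption about how the list is evaluated.

```javascript
// Added example, not product code. Function names are hypothetical.
// Assumption: an entry matches when scheme, host and port all match.

// Normalise a URL or origin string to scheme://host[:port]; null if not one.
function originOf(value) {
  try {
    const origin = new URL(value.trim()).origin;
    return origin === "null" ? null : origin; // "null" = no usable origin
  } catch (err) {
    return null; // not parseable, for example a missing scheme
  }
}

// Same origin means the same scheme, host and port (default ports included).
function isSameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  return a !== null && a === originOf(urlB);
}

// Parse a comma-separated value as given to mqRestCorsAllowedOrigins.
function parseAllowedOrigins(value) {
  const result = { wildcard: false, origins: new Set(), invalid: [] };
  const entries = value.split(",").map((s) => s.trim()).filter(Boolean);
  for (const entry of entries) {
    if (entry === "*") { result.wildcard = true; continue; }
    const origin = originOf(entry);
    const url = origin && new URL(entry);
    // An origin carries no path, query or fragment; flag entries that do.
    if (!origin || url.pathname !== "/" || url.search || url.hash) {
      result.invalid.push(entry);
    } else {
      result.origins.add(origin);
    }
  }
  return result;
}

// Decide whether a request's Origin header value is covered by the list.
function isOriginAllowed(requestOrigin, allowedValue) {
  const { wildcard, origins } = parseAllowedOrigins(allowedValue);
  if (wildcard) return true; // "*" allows every origin
  const origin = originOf(requestOrigin);
  return origin !== null && origins.has(origin);
}

// Constructed sample: the list from the Example section of this topic.
const sample =
  "http://example.com:9883,https://example.com:1999,https://example.com:9663";
console.log(isOriginAllowed("https://example.com:1999", sample));
```

Running parseAllowedOrigins over a proposed value before you apply it with setmqweb shows which entries are not bare origins and whether the list contains the asterisk, which allows every origin.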