Enabling CORS for WebSphere Commerce REST

I have two servers, one application server (JSP based) and one WebSphere Commerce server. I want to be able to call the REST APIs on the Commerce server via JavaScript served up by the application server. So my JavaScript would look like this:

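      // Options for jQuery's $.ajax (jQuery must be loaded on the page)
      $.ajax({
        url: myCommerceServerRestURL, // REST endpoint on the Commerce server
        method: "GET",
        crossDomain: true,
        contentType: "application/json",
        dataType: "json"
      });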

The problem is that if CORS is not enabled on the WebSphere Commerce server, you will receive the infamous "No 'Access-Control-Allow-Origin' header is present on the requested resource" error, and the call fails.

Now WebSphere Commerce can be a little tricky if your server has a web server in front of it. You essentially have to enable it in both places – or at least that is what I had to do. If I only had to do one of these please let me know – I got tired of testing the different tips from the netverse.

I have IHS in front of WebSphere Commerce, so, after hours of playing around with different configurations I came up with these steps:

First, configure httpd.conf in the IHS/conf directory and add these lines if you want all domains to be able to access your data:

 <IfModule mod_headers.c>
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Methods "GET, PUT, OPTIONS"
        Header set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
 </IfModule>

Remember, you can always override the Access-Control-Allow-Origin value with a domain or multiple domains so that access is not open to everyone.
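One way to restrict access to several origins in httpd.conf, as an added example that is not part of the original post. The Access-Control-Allow-Origin header carries a single origin or `*`, so the configuration echoes the request's Origin only when it matches an allowlist. The two origins shown are placeholders, and mod_setenvif is assumed to be loaded:

```apache
# Added example: allowlist of origins instead of "*".
# app.example.com and shop.example.com are placeholder origins.
<IfModule mod_headers.c>
    # Copy the request's Origin into CORS_ORIGIN only on an exact match.
    # The ^ and $ anchors keep look-alike hosts (extra prefix or suffix) from matching.
    SetEnvIf Origin "^https://(app|shop)\.example\.com$" CORS_ORIGIN=$0

    # Echo the matched origin. Requests from any other origin get no CORS headers.
    Header set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    Header set Access-Control-Allow-Methods "GET, PUT, OPTIONS" env=CORS_ORIGIN
    Header set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token" env=CORS_ORIGIN

    # The response now varies with the Origin request header, so caches must key on it.
    Header append Vary Origin
</IfModule>
```

Browsers do not accept `*` as the allowed origin on requests sent with credentials, so an echoed allowlisted origin is also the form to use when Access-Control-Allow-Credentials is `true`.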

Next, you have to update the WebSphere Commerce server. You can actually see the Commerce Insights enabling documentation for this (my colleague pointed me to this, thanks J). You will be editing the WC configuration file and the WC Search configuration file.

 <_config:configgrouping name="HttpSecuritySettings_Rest">
          <_config:property name="CORSAccessControlAllowOrigin" value="*"/>
          <_config:property name="CORSAccessControlAllowMethods" value="GET, HEAD, POST, OPTIONS, PUT, DELETE"/>
          <_config:property name="CORSAccessControlAllowCredentials" value="true"/>
          <_config:property name="CORSAccessControlAllowHeaders" value="Origin,X-Requested-With,Content-Type,Accept,Authorization,cache-control,expires,pragma,wclogonid,wctoken,wctrustedtoken,wcuserid,X-RequestId"/>
          <_config:property name="CORSAccessControlExposeHeaders" value="Access-Control-Allow-Headers"/>
          <_config:property name="CORSAccessControlMaxAge" value="3600"/>
 </_config:configgrouping>

