The document provides an overview of Cross-Origin Resource Sharing (CORS) support in IBM Streams version 4.1, explaining how it allows web scripts to make API calls to different domains. It details the necessary configurations for making cross-origin requests, including setting trusted origins and ensuring server certificates are trusted by browsers. Additionally, it highlights considerations such as browser support and specific requirements for request authorization.

1. © 2015 IBM Corporation
REST API support for Cross-Origin Resource Sharing (CORS)
IBM Streams Version 4.1
Janet Weber
InfoSphere Streams Development
For questions about this presentation contact Janet Weber
jeweber@us.ibm.com

2. 2 © 2015 IBM Corporation
Important Disclaimer
THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL
PURPOSES ONLY.
WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE
INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY
OF ANY KIND, EXPRESS OR IMPLIED.
IN ADDITION, THIS INFORMATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY,
WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE.
IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR
OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION.
NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF:
• CREATING ANY WARRANTY OR REPRESENTATION FROM IBM (OR ITS AFFILIATES OR ITS OR
THEIR SUPPLIERS AND/OR LICENSORS); OR
• ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT
GOVERNING THE USE OF IBM SOFTWARE.
IBM’s statements regarding its plans, directions, and intent are subject to change or
withdrawal without notice at IBM’s sole discretion. Information regarding potential
future products is intended to outline our general product direction and it should not
be relied on in making a purchasing decision. The information mentioned regarding
potential future products is not a commitment, promise, or legal obligation to deliver
any material, code or functionality. Information about potential future products may
not be incorporated into any contract. The development, release, and timing of any
future features or functionality described for our products remains at our sole
discretion.
THIS INFORMATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE.
IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION.

3. 3 © 2015 IBM Corporation
Agenda
 Cross Origin Resource Sharing (CORS) overview
 How to make cross-origin requests to the Streams REST API
 Demo
 Additional considerations
 Questions

4. 4 © 2015 IBM Corporation
High-Level Overview
 Same origin policy – Web browsers prevent scripts from retrieving data from
a different host or a different port than used to serve the page containing the
script
 This means you could not make make Streams REST API calls from a script
 Streams 4.1 added cross-origin resource sharing (CORS) support to address
this restriction
 CORS – mechanism for browser and server to work together to determine
whether to allow cross-origin requests
 Streams uses a new configuration setting to determine which requests to
allow

5. 5 © 2015 IBM Corporation
Making a Cross-origin Request
1. Make sure your browser supports CORS
1. Configure the list of trusted origins (streamtool, domain console, JMX)
streamtool addtrustedorigin-d domainName http://myhost.com:1234
1. Ensure the Streams server certificate is trusted by the browser
1. Make the cross-origin request
var xhr = new XMLHttpRequest();
xhr.withCrendentials = true;
xhr.open('GET', 'https://myhost.com:8443/streams/rest/resources');
xhr.setRequestHeader('Authorization','Basic ' + btoa('user:password'));
xhr.send()

6. 6 © 2015 IBM Corporation
Demo

7. 7 © 2015 IBM Corporation
Considerations
 Browser support
– Some browsers had limited support in earlier releases and more complete
support in newer releases
– Some browsers impose addition security restrictions on cross-origin requests
 Trusted origins
– Includes the scheme, host, port
– Exact match to HTTP Origin header value
• Can view with browser's debugger
– Can add multiple entries to handle different options
• Default port: http://host.com and http://host.com:8080
• Host identifier: http://host.com:5678 and http://1.2.3.4:5678
 Product documentation
http://www.ibm.com/support/knowledgecenter/SSCRJU_4.1.0/
com.ibm.streams.dev.doc/doc/restapi-cfgcors.html
 Streamsdev article coming soon

8. 8 © 2015 IBM Corporation
Questions?

9. 9 © 2015 IBM Corporation

10. 10 © 2015 IBM Corporation
Demo Screenshots
Firefox – Server certificate not trusted

11. 11 © 2015 IBM Corporation
Demo Screenshots
Firefox – Origin not in trusted list

12. 12 © 2015 IBM Corporation
Demo Screenshots
Firefox – Origin not in trusted list

13. 13 © 2015 IBM Corporation
Demo Screenshots
Firefox – Successful request with preflight