Friday, July 22, 2016

How to address the API Store console API invocation issue when the browser has CORS completely disabled and prevents calls to other domains - WSO2 API Manager

In Internet Explorer, we can set the "Access data sources across domains" option. This option specifies whether components that connect to data sources should be allowed to connect to a different server to obtain data. It applies only to data binding, such as active data objects. The settings are as follows:
Enable: allows database access to any source, even other domains.
Prompt: prompts users before allowing database access to any source in other domains.
Disable: allows database access only to the same domain as the page.

Due to some organization policies, we do not allow any cross-origin requests from the web browser, which means we have to prevent browsers from doing CORS. The API Store console function performs a cross-origin request, so if you don't allow the web browser to perform CORS, the function simply cannot work.
 
The sole reason for the CORS specification to exist and be supported by standard web browsers is to allow cross origin requests safely.

So if you allow the browser to access only the store domain, the only solution is to send gateway requests to that same domain and map them to the gateway.
In that case we need a reverse proxy or load balancer in front of the API Store node. The mapping should then be done as follows.

>apim.store.wso2.com/store
This should go to the API Store at store_host_name:9443/store

>apim.store.wso2.com/gateway
This should route to the API gateway at api_gateway_host_name:8243/api_context/version/


Then, in the store node, we need to configure the gateway URL to point to the reverse proxy/load balancer. This way the browser does not need to send requests to multiple domains. It sends all requests to the same domain, and the sub-context (/gateway, /store) is used to resolve the exact host.
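
The mapping above, written as a reverse proxy configuration. This is an added example, not part of the original post or WSO2's own configuration; it assumes nginx as the reverse proxy, keeps store_host_name and api_gateway_host_name as the post's placeholders, and uses assumed certificate paths.

```nginx
# Added example (assumes nginx). Backend host names are the post's placeholders;
# certificate paths are assumed and must be replaced with your own.
server {
    listen 443 ssl;
    server_name apim.store.wso2.com;

    ssl_certificate     /etc/nginx/ssl/apim.store.wso2.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/apim.store.wso2.com.key;   # assumed path

    # The proxy re-encrypts traffic to the backends, so verify their
    # certificates instead of trusting whatever answers on 9443/8243.
    proxy_ssl_verify              on;
    proxy_ssl_server_name         on;
    proxy_ssl_trusted_certificate /etc/nginx/ssl/backend-ca.pem;  # assumed path

    # Pass the original host and client information to the backends.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # apim.store.wso2.com/store -> store_host_name:9443/store
    location /store/ {
        proxy_pass https://store_host_name:9443/store/;
    }

    # apim.store.wso2.com/gateway/<api_context>/<version>/...
    #   -> api_gateway_host_name:8243/<api_context>/<version>/...
    # The trailing slash on proxy_pass strips the /gateway/ prefix.
    location /gateway/ {
        proxy_pass https://api_gateway_host_name:8243/;
    }
}
```

With this in place, the gateway URL configured on the store node would be https://apim.store.wso2.com/gateway, so every request the API console issues stays on the store's origin.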
