- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- HCP - API Management - CORS Configuration
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
HCP - API Management - CORS Configuration
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-30-2016 5:20 PM
Hi experts,
I'm using API Management in the HCP trial edition.
I have created an API connected to a remote non-SAP API server. The API seems to work correctly: I can POST requests and get the expected XML response using the following URL:
https://trial.apim1.hanatrial.ondemand.com:443/pxxxxxxxxxxtrial/XmlAPIService
Now I want to consume this API from a SAPUI5 app deployed in the same HCP.
Unfortunately, the app doesn't work because it isn't compliant with SOP: the SAPUI5 app is on an slightly different domain of the API.
https://appname-pxxxxxxxxxtrial.dispatcher.hanatrial.ondemand.com/?hc_reset
How can we configure the API so that we can consume it from the SAPUI5 app?
Can we configure CORS between SAPUI5 and the API in HCP API Management?
Thanks in advance,
Jon
- SAP Managed Tags:
- API
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-01-2016 1:14 AM
Hi Jon,
Very good question. I've been trying to plunk around with generating an SAPUI5 app, pointing to SAP API Management, but alas my UI5 skills are not yet where I'd like them to be. So my response will be a bit more theoretical than I typically like it to be.
The short answer is, yes, SAP API Management can be configured to support CORS between an App and its API data source. We are still in the process of generating more robust documentation around how to do that, but in the short term, I can provide a small look into how to do it.
In SAP API Management, there is a policy called "Assign Message" whose function is to add data into the stream, e.g. headers, queryparams, etc. in here we add headers to allow the cross origin request. This policy would be placed in the TargetEndPoint Response flow.
Code:
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns='http://www.sap.com/apimgmt'>
<Add>
<Headers>
<Header name="Access-Control-Allow-Origin">*</Header>
<Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept </Header>
<Header name="Access-Control-Max-Age">3628800</Header>
<Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
</Headers>
</Add>
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
<AssignTo createNew="false" type="response">response</AssignTo>
</AssignMessage>
This is the simple scenario, where the target supports the Preflight method. If this is not supported, more advanced policy controls will need to be added. I hope that this helps answer your question.
Regards,
Elijah
- SAP Managed Tags:
- API
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-01-2016 1:14 AM
Hi Jon,
Very good question. I've been trying to plunk around with generating an SAPUI5 app, pointing to SAP API Management, but alas my UI5 skills are not yet where I'd like them to be. So my response will be a bit more theoretical than I typically like it to be.
The short answer is, yes, SAP API Management can be configured to support CORS between an App and its API data source. We are still in the process of generating more robust documentation around how to do that, but in the short term, I can provide a small look into how to do it.
In SAP API Management, there is a policy called "Assign Message" whose function is to add data into the stream, e.g. headers, queryparams, etc. in here we add headers to allow the cross origin request. This policy would be placed in the TargetEndPoint Response flow.
Code:
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns='http://www.sap.com/apimgmt'>
<Add>
<Headers>
<Header name="Access-Control-Allow-Origin">*</Header>
<Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept </Header>
<Header name="Access-Control-Max-Age">3628800</Header>
<Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
</Headers>
</Add>
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
<AssignTo createNew="false" type="response">response</AssignTo>
</AssignMessage>
This is the simple scenario, where the target supports the Preflight method. If this is not supported, more advanced policy controls will need to be added. I hope that this helps answer your question.
Regards,
Elijah
- SAP Managed Tags:
- API
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-06-2016 9:48 AM
Hi Elijah
Thank you for the quick and complete answer!
Unfortunately we finished the PoC before we managed to enable CORS and at the moment my development team is working in other projects.
We will try the proposed solution as soon as the impacted project starts. It looks promising!
Thank you again, best regards,
Jon
- SAP Managed Tags:
- API
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-09-2019 7:35 PM
Hey Elijah.
Two years later your asnwer is contained in policies templates available on API Management services and some step-by-step tutorials published. However, it is still a challenge to achieve correct CORS configuration.
Right now we are working on the publishing of back-end (CRM) OData services by means of APIM and we are not able to do so even when we are following this steps:
- Steps to config CORS for APIM: https://www.youtube.com/watch?v=e3ht_WJTPpo
- Step-by-step on how to config CORS for APIM: https://help.sap.com/doc/c008301836ef40e1960d6a5f40cb9d01/CLOUD/en-US/Unit%2004.4.11%20-%20CORS%20Po...
Do you have further datails/mecanism to do it so at this days?
It would be so helpful if you can share.
Best regards.
- SAP Managed Tags:
- API
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-10-2019 10:19 AM
Hi Andres - Can you please generate a new question out of this, as any replies will not be searchable, for others who may face a similar issue to you.
In the new question if you can provide some additional details around the issue you are facing that would help. In general the resources you mentioned are what we suggest people look into - API Business Hub, Step by Step on YouTube and Documented CORS walkthrough you posted.
Regards,
Elijah
- SAP Managed Tags:
- API
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-22-2019 7:45 PM
Hey Elijah, thanks for your reply.
I already opened another question regarding this issue and I noticed you answered me by that way (question: https://answers.sap.com/questions/12839285/cors-configuration-on-api-management.html).
I already searched for Youtube info about this and I opened also a support ticket for SAP. We have not any resolution still.
Regards!
- SAP Managed Tags:
- API
