REST API: Cross-Origin requests blocked errors

Version 2
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    Remedy AR System Server


    BMC Remedy AR System Server





    Since version 9 it's possible to interact with the system via the REST API. Communication is done via RESTful web services.

    By default web applications are not allowed to access resources that are outside its domain. So if you send an AJAX call to a resource that is not within the current domain the browser will ot allow it. This is a security meausure and a known limitation called cross-origin restriction.

    To get around this you need to tell the server you're accessing to give you permission. This mechanism is known as cross-origin resource sharding (or CORS). The basic idea is that the server has a list of domains that are allowed access. It includes a header in the HTTP resonse which the browser checks. If okay, it will process the response.

    If this is not setup correctly, the request will be blocked. The browser will report these sort of errors:

    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://<server>:8008/api/jwt/login. This can be fixed by moving the resource to the same domain or enabling CORS. login


    No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://<server>:8080' is therefore not allowed access.





    Legacy ID:KA426025


    This a known restriction on the browser side. The REST API uses Jetty as its web server and this is running on it's own port (8008), Because of the added port, the RESTful web service you're accessing  is always regarded as in a different domain, even if you use the same server. So from the browser's point-of-view you're attempting to access a resource which in a different domain, the  cross-origin restriction will apply.


    To get around this you need to configure the server to allow requests from specific domains (and methods). This is done via a filter in the server configuration. The web serer used by the REST API is called Jetty. It's possible in Jetty to do this, but our current integration prevents the web server from applying this correctly. Even with the filter in place the HTTP response will not included the HTTP header information.


    BMC is aware of this problem and we are currently working on a solution. This article will be updated once there's any news.

    Related Products:  
    1. BMC Remedy AR System Server


    Article Number:


    Article Type:

    Solutions to a Product Problem

      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles