Cross-origin resource sharing on IBM Bluemix

Update: A newer version of this post has been published to the IBM Bluemix blog.

The IBM Bluemix Platform-as-a-Service (based on Cloud Foundry) naturally supports applications that are composed of many services that are in turn deployed to different hostnames.

For example, if you push an application to Bluemix, the name you provide will be prepended to resulting in an address such as:


If your cloud-native app follows the best practices of a microservices architecture you’ll probably have two or more subcomponents that live on discrete hostnames like this.

But what if you have a JavaScript based front-end that needs to aggregate information from the disparate hosts? By default you won’t have access to data on these other subdomains.

The solution is to take advantage of the HTTP headers that are available to allow you to control cross-origin resource sharing (CORS).

To illustrate the problem and the solution, consider the simple Ajax application here:

If you click the red box, you’ll initiate an asynchronous HTTP call in JavaScript to a servlet on another host at:

The source of this servlet shows that no particular HTTP headers are set, thus the JavaScript call never reaches it.

However, if you click the blue box, you’ll initiate a call to a different servlet on that host:

This time the Ajax call will successfully consume data from the service, because the HTTP headers allow services from a different domain to access the servlet.

[code lang=”java”]



If you need to allow access to all client hostnames, replace the whitelist with a wildcard:
[code lang=”java”]

There you have it; a simple way to build dynamic JavaScript applications composed of several microservices on IBM Bluemix (or any other Cloud Foundry PaaS).

I used Java in this example, but the same HTTP headers apply whether you’re using Ruby, Node.js, PHP, Python or any other runtime.


2 Responses to 'Cross-origin resource sharing on IBM Bluemix'

Subscribe to comments with RSS

  1. J.S. said,

    03 June 2015 at 3:39 pm

    Thanks a lot, solve my issue.

  2. Denis said,

    07 May 2017 at 4:15 am

    Good afternoon!
    I’m writing a script for transferring data to the blumix, when sending the request we get No ‘Access-Control-Allow-Origin’ header. I read your article, but I could not do it. Help me understand the situation.

    type: ‘POST’,
    url: ‘’,
    headers: {

    ‘Authorization’: ‘Basic ‘ + auth,


    withCredentials: true,
    crossDomain: true,
    data: jsonString,
    dataType: ‘json’,
    success : function(data) {


Leave a Reply