4

After configuring the webservice-server to support CORS by adding
Header set Access-Control-Allow-Origin "*"
to the apache virtual host conf, a new problem occured. I call the webservice using jquery 1.5:

$.ajax( {
    type: "GET",
    url: wsBaseUrl + "?action=xyz",
    dataType: "json",

    success: function(data){
        wsCallback(data);
    }
});

This one works cross-domain with the adapted server config. However if the webservice needs authentication, which is the case on production system, it breaks again.

For authentication I add the jquery ajax params

    username: "userx",
    password: "passx",

Authentication alone (not cross-domain) works. But as soon as it's combined (authentication + cross-domain), it's over. jQuery invokes the error-callback telling me that the request is not allowed. I logged the requests with TamperData in Firefox and no webservice request is logged there. It may however be that a so called preflight is not logged there (but if so, why does that depend on authentication?).

I tried all combinations on my test-system and I'm quite sure that's the correct conclusion.
Now I'm really stuck. What else can I do to debug / work around this?

didi_X8
  • 5,018
  • 10
  • 42
  • 46

1 Answers1

1

According to the MDC, simple GET requests are NOT preflighted but in the case of credentialed requests (like when you add the username, password in your example), the server MUST respond with Access-Control-Allow-Credentials: true in order for FF 1.5+ to allow the request to complete.

Update

See also Sending credentials with cross-domain posts?

Community
  • 1
  • 1
no.good.at.coding
  • 20,221
  • 2
  • 60
  • 51
  • I think that's the right hint! Now I'm trying to find out how to add that to the response header for code 401. – didi_X8 Apr 27 '11 at 14:18
  • The strange stuff continues. After adding this header, the ajax request fails with "401 (Authorization Required)". I'm sure authentication is correct as - again - w/o cross-domain invocation it works (I can easily check that by having different domains pointing to the same test server) – didi_X8 Apr 27 '11 at 14:33
  • I vote this answer as matching. It misses some things also required to solve this, but it brought me on the right track. Also check "http://stackoverflow.com/questions/2054316/jquery-sending-credentials-with-cross-domain-posts" for this issue. – didi_X8 Apr 27 '11 at 15:11
  • Glad to hear you've got it figured out and thanks for the heads up, I've added the link to that answer in my answer as well. – no.good.at.coding Apr 27 '11 at 23:54