We're developing a REST API using OERealm form-based authentication (OE 11.5).
The goal is to create an independent API that will be used by our Angular developers to create a website. We prefer to use a token instead of something like basic security.
Everything works when you work with the standard login form in the browser. A cookie (JSESSIONID) is generated & passed around.
But when I try to use AJAX, it fails. I know (/think) the cookie can't be used from JavaScript. But I was under the impression that the X-CLIENT-CONTEXT-ID could be used instead of the cookie.
I can't get this to work, however.
So, my question: is it possible to access the API passing around a token in the header (or body)?
If so, any ideas how?
I've tried something like this, but it returns "forbidden":
$(document).ready(function () {
    alert("before call");
    $.ajax({
        url : "localhost:8980/.../customer",
        headers: {"X-CLIENT-CONTEXT-ID": "F4913D668091CB818096F31FC70801E8" },
        type : 'GET',
        contentType: "application/json",
        success : function (data) {
            alert("ok");
            debugger;
        },
        // jQuery passes (jqXHR, textStatus, errorThrown) to the error callback;
        // with the original (data, errorThrown) signature the alert showed textStatus
        error : function (jqXHR, textStatus, errorThrown) {
            alert(errorThrown);
            debugger;
        }
    });
});
I think your answer is in: http://stackoverflow.com/questions/2870371/why-is-jquerys-ajax-method-not-sending-my-session-cookie
in short:
$.ajax({
    url: a_cross_domain_url,
    xhrFields: {
        withCredentials: true
    }
});
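The answer above turns on credentialed requests so the session cookie travels with the cross-origin call. The following is an added example, not code from this thread or from Progress: it shows the fetch() equivalent of xhrFields.withCredentials, when a browser will send an OPTIONS preflight for such a call (a custom header like X-CLIENT-CONTEXT-ID, or a JSON Content-Type, forces one), and the CORS response headers the browser insists on before it hands a credentialed response to script. The page origin http://localhost:4200 and the header values are constructed placeholders.

```javascript
// Added example (not from the original thread): both halves of a credentialed
// cross-origin call. Origin and header values are constructed placeholders.

const CONTEXT_HEADER = 'X-CLIENT-CONTEXT-ID';      // header named in the question
const SIMPLE_METHODS = ['GET', 'HEAD', 'POST'];
const SIMPLE_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// Request side: fetch() equivalent of jQuery's xhrFields.withCredentials = true.
// Without credentials:'include' the browser omits the session cookie on a
// cross-origin request and the server sees an anonymous caller.
function credentialedRequest(method, clientContextId) {
  const headers = { Accept: 'application/json' };
  if (clientContextId) headers[CONTEXT_HEADER] = clientContextId;
  return { method, headers, mode: 'cors', credentials: 'include' };
}

// A request header is CORS-safelisted only by name AND value; a JSON
// Content-Type is not, which is why contentType:"application/json" on a GET
// is enough on its own to trigger a preflight.
function isSafelisted(name, value) {
  const n = name.toLowerCase();
  if (n === 'content-type') {
    return SIMPLE_CONTENT_TYPES.some(t => String(value).toLowerCase().startsWith(t));
  }
  return ['accept', 'accept-language', 'content-language'].includes(n);
}

// Names (lower-cased) that the preflight response must list explicitly.
function headersNeedingAllow(headers) {
  return Object.entries(headers)
    .filter(([n, v]) => !isSafelisted(n, v))
    .map(([n]) => n.toLowerCase());
}

function needsPreflight(method, headers) {
  return !SIMPLE_METHODS.includes(method.toUpperCase()) || headersNeedingAllow(headers).length > 0;
}

function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Response side: what the browser checks on any credentialed response.
// Access-Control-Allow-Origin must echo the page origin exactly ('*' is
// rejected once credentials are involved) and Allow-Credentials must be the
// literal 'true'. The wildcard ban is what stops a server from exposing a
// logged-in user's data to every origin on the web.
function corsAllowsCredentialed(responseHeaders, pageOrigin) {
  const h = lower(responseHeaders);
  const origin = h['access-control-allow-origin'];
  if (!origin || origin === '*' || origin !== pageOrigin) return false;
  return h['access-control-allow-credentials'] === 'true';
}

// Preflight response additionally has to name the method (if not simple) and
// every non-safelisted request header; '*' is not a wildcard here either.
function preflightAllows(responseHeaders, pageOrigin, method, requestHeaders) {
  if (!corsAllowsCredentialed(responseHeaders, pageOrigin)) return false;
  const h = lower(responseHeaders);
  const list = s => (s || '').split(',').map(x => x.trim().toLowerCase()).filter(Boolean);
  const m = method.toUpperCase();
  if (!SIMPLE_METHODS.includes(m) && !list(h['access-control-allow-methods']).includes(m.toLowerCase())) {
    return false;
  }
  const allowed = list(h['access-control-allow-headers']);
  return headersNeedingAllow(requestHeaders).every(n => allowed.includes(n));
}
```

In practice this means the server hosting the REST adapter must answer the preflight with the Angular app's exact origin, Access-Control-Allow-Credentials: true, and an Access-Control-Allow-Headers list that includes X-CLIENT-CONTEXT-ID (and Content-Type if the call keeps sending application/json on a GET); dropping the unneeded contentType on a GET removes one reason for the preflight.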
Thanks for your answer. I stumbled on the same solution as yours. And indeed, it solved my problem.
Only now I'm wondering: what is the purpose of having the 'X-CLIENT-CONTEXT-ID' at the client?
Well, it seems that at least the JSDO needs it: