CAS authentication and redirects with jQuery AJAX

I've got an HTML page that needs to make requests to a CAS-protected (Central Authentication Service) web service using the jQuery AJAX functions. I've got the following code:

$.ajax({
    type: "GET",
    url: request,
    dataType: "json",
    complete: function(xmlHttp) {
        console.log(xmlHttp);
        alert(xmlHttp.status);
    },
    success: handleRedirects
});

The request variable can be either to the CAS server (https://cas.mydomain.com/login?service=myServiceURL) or directly to the service (which should then redirect back to CAS to get a service ticket). Firebug shows that the request is being made and that it comes back as a 302 redirect. However, the $.ajax() function isn't handling the redirect.

I wrote this function to work around this:

var handleRedirects = function(data, textStatus) {
    console.log(data, textStatus);
    if (data.redirect) {
        console.log("Calling a redirect: " + data.redirect);
        $.get(data.redirect, handleRedirects);
    } else {
        // function that handles the actual data processing
        gotResponse(data);
    }
};

However, even with this, the handleRedirects function never gets called, and the xmlHttp.status always returns 0. It also doesn't look like the cookies are getting sent with the cas.mydomain.com call. (See this question for a similar problem.)

Is this a problem with the AJAX calls not handling redirects, or is there more going on here than meets the eye?

Steve Nay asked Jun 02 '10 19:06


1 Answer

There is indeed more going on than meets the eye.

After some investigation, it appears that jQuery AJAX requests made in this way fail if they're not made to the same subdomain. In this example, requests are being made to cas.mydomain.com from a different server. Even if it is also on mydomain.com, the request will fail because the subdomain doesn't match.

jQuery AJAX does handle redirects properly. I did some testing with scripts on the same subdomain to verify that. In addition, cookies are also passed as you would expect. See my blog post for this research.

Also keep in mind that the protocols must be the same. That is, since cas.mydomain.com is using HTTPS, the page from which you are calling it must also be on HTTPS or the request will fail.

Steve Nay answered Oct 07 '22 11:10
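The answer's two conditions (same subdomain, same protocol) are the browser's same-origin policy: a page may read an XMLHttpRequest response only when the request URL matches the page's scheme, host and port. The following is an added example, not code from the question, the answer, or any CAS library; it checks two URLs for same-origin and interprets the status-0 result the asker saw. The page URLs are constructed for illustration; the CAS URL is the one from the question with a made-up service parameter.

```javascript
// Added example (not from the question or answer): a same-origin check that
// explains why a jQuery AJAX call to cas.mydomain.com from another subdomain
// ends with xmlHttp.status === 0 and never reaches the success callback.

function effectivePort(u) {
  // URL.port is "" for the scheme's default port; make it explicit so that
  // http (80) and https (443) compare as different ports.
  if (u.port) return u.port;
  return u.protocol === "https:" ? "443" : "80";
}

// Returns the origin components that differ between the page and the request
// URL: any of "scheme", "host", "port". An empty list means same-origin.
function originMismatches(pageUrl, requestUrl) {
  const p = new URL(pageUrl);
  const r = new URL(requestUrl);
  const mismatches = [];
  if (p.protocol !== r.protocol) mismatches.push("scheme");
  if (p.hostname !== r.hostname) mismatches.push("host");
  if (effectivePort(p) !== effectivePort(r)) mismatches.push("port");
  return mismatches;
}

function isSameOrigin(pageUrl, requestUrl) {
  return originMismatches(pageUrl, requestUrl).length === 0;
}

// Interprets the status reported by the XHR object in the light of the
// same-origin policy. For a cross-origin request the browser still follows
// the 302 internally, but it withholds the response from the script, so the
// script sees status 0 rather than 302 or 200, and cookies for the other
// origin are never exposed to it.
function diagnose(pageUrl, requestUrl, xhrStatus) {
  const mismatches = originMismatches(pageUrl, requestUrl);
  if (mismatches.length > 0 && xhrStatus === 0) {
    return "blocked: cross-origin (" + mismatches.join(", ") + "); " +
           "the browser followed the 302 itself but hides the response";
  }
  if (mismatches.length === 0 && xhrStatus === 200) {
    return "ok: same-origin, redirects followed and cookies sent";
  }
  const scope = mismatches.length > 0 ? "cross-origin" : "same-origin";
  return "status " + xhrStatus + " (" + scope + ")";
}

// Constructed URLs for the scenarios discussed on the page (hypothetical
// page locations; the CAS login URL follows the question's pattern).
const PAGE_ON_APP = "https://app.mydomain.com/index.html";
const PAGE_ON_CAS = "https://cas.mydomain.com/page.html";
const PAGE_ON_CAS_HTTP = "http://cas.mydomain.com/page.html";
const CAS_LOGIN =
  "https://cas.mydomain.com/login?service=https%3A%2F%2Fapp.mydomain.com%2Fsvc";

console.log(diagnose(PAGE_ON_APP, CAS_LOGIN, 0));       // different subdomain
console.log(diagnose(PAGE_ON_CAS, CAS_LOGIN, 200));     // same subdomain and scheme
console.log(diagnose(PAGE_ON_CAS_HTTP, CAS_LOGIN, 0));  // same host, http vs https
```

Run with node; the three lines printed correspond to the asker's failing setup, the answerer's working same-subdomain test, and the protocol-mismatch case the answer warns about. It also shows why the handleRedirects workaround can never fire: the 302 is consumed inside the browser, so no callback ever receives a response carrying a redirect field.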