1. Access Control HTTP Headers
The first problem is that browsers require the access control headers to be set in order for a cross-domain Ajax call to succeed. This problem is quite simple to solve: from the server side, just add the following headers to the response. For my app to work, I have the following settings:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, X-Requested-With
Note that the allowed origin is set to a wildcard. For server-side services in production, it is better to list the specific origins that are allowed access: echo the request's Origin header back only when it matches an allowlist, and send Vary: Origin so shared caches do not serve one origin's response to another. Browsers also refuse a wildcard origin on requests made with credentials (cookies or HTTP authentication); those need Access-Control-Allow-Credentials: true together with an explicit, non-wildcard origin. The complete discussion on access control headers can be found here.
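The following is an added example, not code from the original post, showing how a server can compute the headers above from an allowlist instead of a wildcard, answer preflight OPTIONS requests, and refuse the one combination browsers reject (wildcard origin with credentials). The origins, header names on the request object and the handler shape are assumptions made for illustration; they are not the post's application.

```javascript
// Added example (not from the original post): CORS headers from an allowlist.
// ALLOWED_ORIGINS and every request below are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.org',
  'https://admin.example.org',
]);
const ALLOWED_METHODS = ['OPTIONS', 'GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['Content-Type', 'X-Requested-With'];

// Build the CORS response headers for one request.
//   origin      the request's Origin header (undefined for same-origin/non-browser clients)
//   allowed     a Set of permitted origins, or the string '*' for the wildcard setting
//   credentials whether the service is meant to receive cookies / HTTP auth
// Returns {} when the origin is not allowed; the browser then blocks the response.
function corsHeaders(origin, { allowed = ALLOWED_ORIGINS, credentials = false } = {}) {
  const common = {
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
  };
  if (allowed === '*') {
    if (credentials) {
      // Browsers reject "Access-Control-Allow-Origin: *" on credentialed requests, and
      // reflecting every Origin with credentials would let any site ride the user's
      // cookies. Refuse the configuration instead of silently weakening it.
      throw new Error('wildcard origin cannot be combined with credentials');
    }
    return { 'Access-Control-Allow-Origin': '*', ...common };
  }
  if (!origin || !allowed.has(origin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin,
    // The value now depends on the request, so caches must key on Origin.
    'Vary': 'Origin',
    ...common,
  };
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Route one request: a preflight (OPTIONS carrying Access-Control-Request-Method)
// is answered with 204 and the CORS headers only; anything else runs the real
// handler and gets the CORS headers merged into its response.
// `req` is { method, headers } with lower-case header names, as Node's http module
// presents them; `realHandler(req)` returns { status, headers, body }.
function handle(req, realHandler, opts) {
  const cors = corsHeaders(req.headers['origin'], opts);
  const wanted = req.headers['access-control-request-method'];
  if (req.method === 'OPTIONS' && wanted !== undefined) {
    const ok = Object.keys(cors).length > 0 && ALLOWED_METHODS.includes(wanted);
    return { status: ok ? 204 : 403, headers: cors, body: '' };
  }
  const res = realHandler(req);
  return { status: res.status, headers: { ...res.headers, ...cors }, body: res.body };
}

// Demo: a credentialed preflight from an allowed origin versus an unknown one.
const preflight = (origin) => ({
  method: 'OPTIONS',
  headers: { origin, 'access-control-request-method': 'PUT' },
});
console.log(handle(preflight('https://app.example.org'), null, { credentials: true }));
console.log(handle(preflight('https://evil.example'), null, { credentials: true }));
```

A request from an origin that is not on the list simply gets no Access-Control-Allow-Origin header at all, which is what makes the browser drop the response; the server never needs to guess which origins are hostile.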
2. Maintaining Sessions
Fortunately, Java allows session ids to be specified in the request URLs, for example http://www.example.org/;jsessionid=abcde12345. One may write an appendSession() function to append session ids to the URLs of Ajax calls.
(The actual GET parameter is container-specific and may not be
Also, the second requirement for this solution is that the client needs to be able to get the session id from somewhere else. My solution is, therefore, to expose the current session id in one of the RESTful services.
However, since I’m not a security expert, I’m not sure if there would be any
security concerns around this practice. I will update this post if I find any.
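The client side of the scheme above, as an added example that is not the post's own code: an appendSession() that places ;jsessionid=... where a servlet container parses it (on the path, before any query string or fragment) and a small client that fetches the id from a REST endpoint once. The endpoint path /api/session, the fetch stub and the session id values are assumptions for illustration. The function also validates the id before using it, because a value that arrives over the network and contains ; / ? or # would rewrite the request path rather than tag the session.

```javascript
// Added example (not from the original post): servlet-style URL session rewriting.
// All URLs, the session id and the /api/session endpoint are constructed here.
const SESSION_PARAM = 'jsessionid'; // the name is container-specific; this is Tomcat's default

// Insert ";jsessionid=<id>" as a path parameter. A URL looks like
//   <path>[;jsessionid=old][?query][#fragment]
// and the id must land on the path part, so the query and fragment are split off
// first and reattached afterwards. An id already present is replaced, not stacked.
function appendSession(url, sessionId) {
  // Only the characters a container would emit in an id; anything else could
  // smuggle a new path segment or query string into the request.
  if (!/^[A-Za-z0-9._-]+$/.test(sessionId)) {
    throw new Error('refusing to append malformed session id');
  }
  const hashAt = url.indexOf('#');
  const fragment = hashAt === -1 ? '' : url.slice(hashAt);
  const beforeFragment = hashAt === -1 ? url : url.slice(0, hashAt);
  const qAt = beforeFragment.indexOf('?');
  const query = qAt === -1 ? '' : beforeFragment.slice(qAt);
  let path = qAt === -1 ? beforeFragment : beforeFragment.slice(0, qAt);
  path = path.replace(new RegExp(';' + SESSION_PARAM + '=[^;/?#]*', 'i'), '');
  return path + ';' + SESSION_PARAM + '=' + sessionId + query + fragment;
}

// Client flow from the post: obtain the id from a REST service once, then tag every
// later call. `fetchSession(url)` is injected and must return { sessionId }; in a
// browser it would be an XMLHttpRequest to the assumed /api/session endpoint, here a
// stub stands in so the example runs offline.
function sessionClient(baseUrl, fetchSession) {
  const { sessionId } = fetchSession(baseUrl + '/api/session');
  return (path) => appendSession(baseUrl + path, sessionId);
}

// Demo with a constructed session response.
const buildUrl = sessionClient('http://www.example.org', () => ({ sessionId: 'abcde12345' }));
console.log(buildUrl('/api/items?limit=10'));
// Output: http://www.example.org/api/items;jsessionid=abcde12345?limit=10
```

Two caveats a practitioner would add to this scheme. A session id carried in the URL ends up in server and proxy logs, browser history and the Referer header of any outbound link, so it should be treated as a leaked credential wherever those are readable. And a container that accepts session ids from URLs can be open to session fixation (an attacker sends the victim a link with a chosen ;jsessionid=), so the service that hands out the id should issue a fresh id on login and the container should be configured to accept URL session ids only where this scheme actually needs them.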
It seems that, unlike Flash, making cross-domain Ajax calls is easy enough. Thumbs up for open technology.