I have an application deployed on Tomcat 9.0.8 that displays several pages with select fields that contain a large number of items. To expedite displaying these pages, I load the select boxes via an AJAX call. In my latest build, the AJAX call is not working. It appears that the logged-in user's session is not being carried over in the AJAX call. If I debug the script, the result of the call doesn't contain the expected XML, it contains the login page. If I exempt the XML source from the security constraints, the XML loads as expected. Am I missing something on how AJAX and authentication are supposed to work?
I tried to simplify the code as much as possible:
The security section of web.xml:
Note that if the data web resource is commented out, the data loads fine. If it is uncommented, the data does not load.
Note that for testing purposes, I'm using the built-in Tomcat user database. You should have an entry for the role and a user in $TOMCAT_HOME/conf/tomcat-users.xml like the following:
Description: Application source that demonstrates the above issue
I had tried experimenting with the various security options available in Tomcat last month, so I figured something was configured wrong. I installed Tomcat fresh and the demo app works fine with full constraints.
I went back to my security notes and the first step is to change the session-config setting in the $TOMCAT_HOME/conf/web.xml file to the following:
With the cookie-config set up this way, the app does not work. I commented out the "secure" tag and the app works fine. ¯\_(ツ)_/¯
Since this application is an internal network app, I can safely leave these options out.
I think I've gotten to the bottom of this. It turns out that secure cookies are not sent to the server with an HTTP request (see here and here).
I tried the demo with HTTPS and it works fine with secure cookies.
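An added example, not code from the question or the answers above, that reproduces the behaviour described using Python's standard `http.cookiejar`, which applies the same rule browsers do: a session cookie set with the `Secure` attribute is withheld from a plain `http://` AJAX URL and attached only to `https://` requests. The host name, context path, login URL and session id are constructed for the demonstration.

```python
# Added example (not from the original question or answers): simulate the
# Secure-cookie rule with http.cookiejar. Host, context path, login URL and
# session id are constructed placeholders.
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar


class _FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only needs info().

    It carries the Set-Cookie header(s) the server would send after login.
    """

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def jar_after_login(login_url, set_cookie_header):
    """Return a CookieJar holding the session cookie that the login response set."""
    jar = CookieJar()
    login_request = urllib.request.Request(login_url)
    jar.extract_cookies(_FakeResponse([set_cookie_header]), login_request)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for `url`,
    or None when no stored cookie may be sent there (a Secure cookie is
    never attached to a plain http:// URL)."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


# Constructed values: an internal host, the app's context path and a dummy id.
LOGIN_URL = "https://intranet.example.com/demo/j_security_check"
SECURE_COOKIE = "JSESSIONID=0123456789ABCDEF; Path=/demo; Secure; HttpOnly"
PLAIN_COOKIE = "JSESSIONID=0123456789ABCDEF; Path=/demo; HttpOnly"
AJAX_HTTP = "http://intranet.example.com/demo/data.xml"
AJAX_HTTPS = "https://intranet.example.com/demo/data.xml"


def demo():
    """Return the Cookie headers sent for three cases:
    (Secure cookie over http, Secure cookie over https, non-Secure cookie over http)."""
    secure_jar = jar_after_login(LOGIN_URL, SECURE_COOKIE)
    plain_jar = jar_after_login(LOGIN_URL, PLAIN_COOKIE)
    return (
        cookie_header_for(secure_jar, AJAX_HTTP),   # None: the session id is withheld
        cookie_header_for(secure_jar, AJAX_HTTPS),  # "JSESSIONID=..." is sent
        cookie_header_for(plain_jar, AJAX_HTTP),    # sent, because Secure is absent
    )


if __name__ == "__main__":
    labels = ("Secure cookie, http AJAX", "Secure cookie, https AJAX",
              "plain cookie, http AJAX")
    for label, header in zip(labels, demo()):
        print(f"{label}: {header}")
```

The first case is exactly the symptom in the question: the request reaches Tomcat without a JSESSIONID, so the container treats it as unauthenticated and answers with the login page instead of the XML. Keeping `secure="true"` and serving the application over HTTPS (the second case) is the fix that preserves the protection; dropping the attribute (the third case) makes the AJAX call work over HTTP at the cost of exposing the session id on the wire.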