javascriptajaxasp.net-corexmlhttprequestsiteminder

Same domain AJAX calls being redirected by 3rd party authentication


In our asp.net core application, I need to make an AJAX call to an IIS 8.0 Server. The server URL is protected by CA SiteMinder SSO.

When I make Get requests using AJAX I get the desired response. But on the contrary, whenever a Put or Post request is made, I get a 302 response and the url which suggests SiteMinder is requesting credentials.

I was of the opinion, that as long as a User is authenticated by SiteMinder, then requests made to the same domain from the same browser session would not explicitly require users credentials.

As far as I can see, SiteMinder is requesting user credentials even when the user has been authenticated and the requests (PUT & POST) are being made to the same domain. CA SiteMinder provides a cookie (HttpOnly), which I believe is used to authenticate requests made to the server. I can confirm that the SiteMinder cookie is being included in the requests headers.

My question is why does SiteMinder treat GET and POST/Put requests differently? Or is there any way I can make my POST/PUT request work(without getting a redirect from SiteMinder) with Siteminder using the XHR?

Here is the link to function that makes the XHR request.

function fixRecords() {
	_buildingId = ($("input:hidden[id='buildingIdModal']").val());
    _roomNo = $("#roomNoModal").val();
      if ((_roomNo === "" || _roomNo == null) && _suggestedRoomNo) {
          _roomNo = document.getElementById("roomNoModal").value;
     }
    var xhttp = new XMLHttpRequest();
    xhttp.onreadystatechange = function () {
        if (this.readyState == 4 && this.status.toString() == 200) {
            var message = "Record updated sucessfully.";
            var jsonResponse = JSON.parse(this.responseText);
            console.log(jsonResponse);
            _roomNo = jsonResponse.roomNo;
            _buildingId = jsonResponse.building;
            _runId = jsonResponse.runId;
            var _prevRoomId = _roomId;
            _roomId = jsonResponse.roomId;
            _recId = jsonResponse.recordId;
            message = jsonResponse.comment;
            _valid = jsonResponse.valid;
            _suggestion = '<div class="glyphicon glyphicon-alert text-info">' + jsonResponse.suggestion+'</div>';
            _suggestedRoomId = jsonResponse.suggestedRoomId;
            _suggestedRoomNo = jsonResponse.suggestedRoomNo;
            var _protocol = jsonResponse.protocol;
            var _invAcct = jsonResponse.account;
            var _pi = jsonResponse.pi;
			displayInformationInFixModal(message + _suggestion, null);
            $('#fixModal').on('show.bs.modal', inflateModal(message, _buildingId, _cageId, _roomId, _roomNo, _recId, _runId, _frequencyId, _frequencyType, _valid, _suggestedRoomId, _suggestedRoom, _suggestion, _protocol, _pi, _invAcct));
            $('#fixModal').modal('show').on("hide", function () {
                $('#fixModal').modal('hide');
            });
            //document.write(this.responseText);
        }
        $('#showLoadingImage').modal('hide');
        return false;
     };
     if (_roomNo == null || _roomNo.trim()===''|| _roomNo==="Room Num Unknown") {
         alert("Please enter a valid Room No.");
         var message = "Please enter a valid Room No.";
         $('#fixModal').on('show.bs.modal', populateModalMessage(message));
         $('#fixModal').modal('show').on("hide", function () {
             $('#fixModal').modal('hide');
         });
     }
	if (_recId <=0) {
		xhttp.open("POST", "/FileUploads/InsertFixRecordToDB?BuildingId=" + _buildingId );
        }
    else {
		xhttp.open("PUT", "/FileUploads/FixARecord?BuildingId=" + _buildingId );
        }
        $('#showLoadingImage').modal('show');
        $('#showLoadingImage').css('zIndex', 1500);
        xhttp.send();
    }


Solution

  • If the SiteMinder cookie is HttpOnly then it explicitly will not be sent by the ajax engine. That's what HttpOnly means.

    Separately, SiteMinder (now called CA SSO) definitely distinguishes between different HTTP methods, so the SiteMinder rules can be different for GET POST and PUT. Your SiteMinder admin will need to check the rules applicable for your application to make sure they specifically cover GET POST and PUT (PUT especially is often not included).

    HTH!