TL; DR
This is not a JSF or Java bug, but an internet security issue when attempting to make Ajax to another domain.
Solutions include changing the destination server to allow Ajax, using your server as a kind of intermediary to authenticate to the destination server, or dynamically creating an HTML form on your page and making a submit to it.
The reason for the error
The error in the question says that the request ( request ) was not allowed because it was for a different domain ( cross-origin in>). When you attempt to do an Ajax to another domain, the browser will by default deny this call for security reasons.
On the other hand, there is an exception to this rule, in case the other server returns specific headers such as Access-Control-Allow-Origin
and Access-Control-Allow-Credentials
, which can authorize certain actions. Basically, before running Ajax, the browser pre-browses for those headers. See the operation in the following diagram:
This article explains the issue very well.
Solution # 1 - Allow requests from another domain
The first solution is to change the destination server to allow the necessary actions. This is explained in the article mentioned in the previous topic.
However, in your case it seems to be neither feasible nor possible, as this would have to be done on "any site" (see comment).
Solution # 2 - Create an intermediate service
It could be an Ajax request to its own server, which would be fully allowed by security rules, and then your server would make a request to the other site to authenticate and return the results to your page.
Think of a Servlet that functions as a proxy or intermediary:
It receives the Ajax POST request
Make a POST connection with the same data on the target site
Get the site response
Returns the same response for Ajax
Solution # 3 - Use a hidden form
One last alternative would be to dynamically create a hidden form where:
- The
action
is the page of the other site that checks the login
- The login values go in
hidden
- The
target
is a iframe
also hidden, so as not to interfere with the local page
This answer in StackOverflow slightly develops this technique. It will only take a little more work to capture the submit return from within the form.