
How to make ajax calls to IBM Jazz (RTC) info ... with authentication ?

Bill Higgins (4562423) | asked Nov 13 '14, 10:49 a.m.
I'm trying to use an ajax call to get info from our IBM Jazz RTC server using a REST API.

I'm having a problem with the Jazz login/authentication.


Some background ... What works



If I point my browser at the above url ... it first puts up a login screen, and after I enter my intranet userid and password it successfully displays the requested REST info for that RTC workitem ... Good!


So, now I'd like to get the same info using an ajax call from a webpage on another server.


First step is to create a proxy on our webserver to get around the ajax x-domain limitation.




And then I have a webpage on this same webserver that makes an ajax call to url 2) above using the "get_url(..)" function listed below.


However, IT FAILS ... trying to display the Jazz username/password screen ... it instead just displays "Loading..."


I even tried manually including my username/password as part of the ajax call, hoping this might bypass the Jazz authentication login screen ... but no change.




What am I missing? ... How does one successfully make xdomain ajax calls to pull RTC info from an IBM Jazz server that requires authentication?


I assume this must be a common practice. 


Any suggestions / workarounds much appreciated !  Thanks !


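	function get_url( urlx ) {
		// Placeholder credentials, as in the original post.
		var username = "";
		var password = "xxxxxxxxx";
		var txt = "";

		// make_base_auth() is not shown in the post; it is assumed to
		// return the "Basic <base64>" Authorization header value.
		$.ajax({
			url: urlx,
			type: "GET",
			dataType: "text",
			async: false,	// synchronous, so txt is set before the return below
			beforeSend: function (xhr){
				xhr.setRequestHeader('Authorization', make_base_auth(username, password));
			},
			success: function(data){
				txt = data;
			},
			error: function(msg){
				// request failed; txt stays empty
			}
		});
		return txt;
	}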

One answer

Curtis d'Entremont (1.3k3) | answered Nov 17 '14, 12:09 p.m.
Hi Bill,

HTTP Basic authentication will only work if the application server running RTC is configured to use it, or there is a fronting proxy that can handle both or do the translation, like on Here, it seems to be using Form (cookie) authentication, which is not as simple for programmatic clients.

I'm guessing you probably can't easily change the authentication settings on that server or add a proxy. If this is the case, the way you'd approach this depends on what user you want to be authenticated as to get the info. 

If you want to authenticate as the same user logged in to your server or have the user prompted for credentials, then the most secure solution is to use OAuth and register your server as a friend, then do the usual OAuth redirect dance. However this can take time to get right.

A less secure solution is to prompt the user yourself for credentials when the downstream RTC server challenges for authentication. To do this, you can:

1. Make the request and look for a 302 (redirect) response code and the header X-com-ibm-team-repository-web-auth-msg: authrequired. This is an authentication challenge which means you need to log in.
2. If you get this, prompt the user for their credentials and capture them, making sure to use HTTPS.
3. Simulate the user submitting their credentials in the Jazz login dialog by issuing a standard HTTP POST to with the j_username and j_password parameters in the body, as per normal JEE authentication.
4. The response to this POST, if successful, will contain one or more Set-Cookie headers. You need to capture these. You should now be authenticated, but you must send these cookies. This is how the server knows you're logged in or not, by checking whether the cookies are valid.
5. Repeat the original request to get the data, but this time include the cookies in a Cookies header.

And of course, if you don't have any cookies to begin with, you can assume you're not logged in and skip step 1.

If you're trying to authenticate using a functional user, meaning you have a special account that is used for all communication with RTC and your users don't need to have an account on that server, you can skip step 1 and simply send the functional user credentials so the user won't ever be prompted to log in, which is a nicer experience, but you have to be careful to not expose data to users who shouldn't have access to the RTC data.

This can also be optimized, since you are actually creating a whole new session for every request. You could hold on to the cookies longer by forwarding them on to your clients if you're using client auth, or by caching them locally if using a functional user.

Hope this helps.
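
The five steps in the answer above, as an added example that is not part of the original answer or of Jazz itself, written in Node-style JavaScript for the proxy server. The `send` transport, the `getCreds` callback, the cookie `jar` and the `LOGIN_URL` placeholder are assumptions; the answer does not give the login address, so substitute your server's.

```javascript
// Added example: steps 1-5 of the answer, run on the proxy server, not in the browser.
// Assumptions: send(req) is a hypothetical transport returning a Promise of
// { status, headers, body } with lower-cased header names; LOGIN_URL is a
// placeholder because the answer does not give the login address.
const LOGIN_URL = "https://rtc.example.invalid/LOGIN-PATH-PLACEHOLDER";
const AUTH_HDR = "x-com-ibm-team-repository-web-auth-msg";

// Step 1: a 302 carrying the auth-msg header "authrequired" is the challenge.
function isAuthChallenge(res) {
  return res.status === 302 && res.headers[AUTH_HDR] === "authrequired";
}

// Step 3: form-encoded j_username / j_password body; refuse a non-HTTPS login URL.
function loginRequest(user, pass) {
  if (!LOGIN_URL.startsWith("https://")) throw new Error("login must use HTTPS");
  return {
    method: "POST",
    url: LOGIN_URL,
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ j_username: user, j_password: pass }).toString(),
  };
}

// Step 4: keep name=value from each Set-Cookie header and drop the attributes.
function cookieHeader(setCookie) {
  const list = [].concat(setCookie || []);
  return list.map((c) => c.split(";")[0].trim()).filter(Boolean).join("; ");
}

// Steps 1-5 together. getCreds() is called only when a login is needed; the
// jar object can be cached by the caller so later requests reuse the session.
async function fetchWithFormAuth(send, url, getCreds, jar = { cookie: "" }) {
  const get = () =>
    send({ method: "GET", url, headers: jar.cookie ? { cookie: jar.cookie } : {} });
  let res = jar.cookie ? await get() : null; // no cookies yet: skip step 1
  if (res && !isAuthChallenge(res)) return res;
  const { user, pass } = await getCreds(); // step 2
  const login = await send(loginRequest(user, pass)); // step 3
  jar.cookie = cookieHeader(login.headers["set-cookie"]); // step 4
  if (!jar.cookie) throw new Error("login returned no session cookies");
  res = await get(); // step 5: cookies go in the Cookie request header
  if (isAuthChallenge(res)) throw new Error("still challenged after login");
  return res;
}
```

Keeping one `jar` per user (client auth) or one shared `jar` (functional user) gives the session reuse the answer mentions; the browser only ever talks to the proxy and never sees the RTC cookies unless you forward them.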
