I have an application deployed on Tomcat 9.0.8 that displays several pages with select fields that contain a large number of items. To expedite displaying these pages, I load the select boxes via an AJAX call. In my latest build, the AJAX call is not working. It appears that the logged-in user's session is not being carried over in the AJAX call. If I debug the script, the result of the call doesn't contain the expected XML; it contains the login page. If I exempt the XML source from the security constraints, the XML loads as expected. Am I missing something on how AJAX and authentication are supposed to work?
I tried to simplify the code as much as possible:
The security section of web.xml:
Note that if the data web resource is commented out, the data loads fine. If it is uncommented, the data does not load.
Note that for testing purposes, I'm using the built-in Tomcat user database. You should have an entry for the role and a user in $TOMCAT_HOME/conf/tomcat-users.xml like the following: