Rails3 + OpenID == mmmmmm; Rails3 + JQGrid == mmmmmmm; Rails3 + OpenID + JQGrid == BZZZT


Trying to use JQuery widgets -- actually JQGrid, in particular -- with a Rails 3 application. I'm using ruby-openid to do authentication with Google, and used Seth Ladd's nice recipe to get that working.

Which it does -- for page views and POSTs from web forms.

However, whenever JQGrid does a POST to update data on the server, two things happen:

  1. Even if the user's browser is already authenticated via logging in to Google, the POST appears to the server as if it were coming from an unauthenticated one, and gets redirected to the OpenID authentication dance. That wouldn't be a showstopper except that

  2. As soon as the server sends back the 401 that's supposed to initiate the redirect-and-authenticate thing, the whole enchilada just stops dead. Normally (as in, say, a POST request from a form submission), the browser sees the 401, reads the enclosed "authenticate over here" info, does the dance, comes back with the session set up, and the cycle continues. But from JQuery/JQGrid...not so much.

Any ideas? I'm confident that I'm missing something obvious here, but I've got one of Rumsfeld's "unknown unknowns" going, I don't know what it is that I'm missing, much less how to fix it! Seems like this should be a long-solved problem, eh?

I could be running afoul of XSS defenses, but if so I've no idea how to proceed other than **-canning the serious investment we've already made in OpenID (including users already signing up & having to furnish/remember passwords -- ick!).

Thanks in advance, my expert colleagues.

(Rails 3.0.7, ruby-openid 2.1.8, JQGrid 3.5.3, JQuery 1.3.2, using Google as the OP so that user never has to type in their identity URL.)


1 answer

Rick Wayne

OK, further testing confirms that that's a wrap, ladies and gents.

Of course then I had to figure out how to get the JavaScript working with protect_from_forgery, but it turns out that's really easy: you just grab the authenticity token and include it in all Ajax requests, as detailed at http://henrik.nyh.se/2008/05/rails-authenticity-token-with-jquery. Very slick: since this technique automagically builds the token into everything, you don't have to go hunting down all your POST requests.

Oleg, thanks for your help. And I will take your advice.

Thanks too to Sante on the OpenID Code mailing list, who gave me the pointer to the protect_from_forgery header stuff.
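Added worked example (editor's note; this is not code from the question, the answer, or Rails itself). The answer's fix works because of how protect_from_forgery treats a non-GET request that carries no authenticity token: from Rails 3.0.4 onward a failed check does not raise, it resets the session, so the very next thing the OpenID filter sees is a logged-out user and it redirects to the login dance, which is exactly the symptom in the question. The block below is a small stand-alone Ruby model of that flow: a session holding a CSRF token, the meta tag the page embeds, a client-side hook that copies the token into every non-GET request the way the linked jQuery technique does (here via the X-CSRF-Token header, which Rails 3.0.4+ accepts alongside the authenticity_token parameter), and the server-side check. Names such as CsrfSession, ajax_request and handle_post are the example's own; the constant-time comparison is a hardening choice here, not what Rails 3.0 did.

```ruby
require 'securerandom'

# Models the server session: a user id plus the per-session CSRF token that
# Rails keeps in session[:_csrf_token] and exposes as form_authenticity_token.
# (Illustrative class, not Rails's own.)
class CsrfSession
  attr_reader :data

  def initialize(user_id)
    @data = { user_id: user_id, _csrf_token: SecureRandom.base64(32) }
  end

  def authenticity_token
    @data[:_csrf_token]
  end

  def logged_in?
    !@data[:user_id].nil?
  end

  # Rails 3.0.4+ behaviour on a failed token check: wipe the session instead of
  # raising. The user looks logged out to every later filter in the chain.
  def reset!
    @data = {}
  end
end

# The tag the layout embeds so client-side code can find the token.
def csrf_meta_tag(session)
  "<meta name=\"csrf-token\" content=\"#{session.authenticity_token}\" />"
end

# Client side: what a global jQuery beforeSend hook does, pull the token out of
# the page and attach it to every non-GET request so no POST is ever "naked".
def token_from_html(html)
  html[/<meta name="csrf-token" content="([^"]+)"/, 1]
end

def ajax_request(method, path, html, params = {})
  headers = { 'X-Requested-With' => 'XMLHttpRequest' }
  headers['X-CSRF-Token'] = token_from_html(html) unless method == 'GET'
  { method: method, path: path, headers: headers, params: params }
end

# Constant-time string comparison (hardening added in this example).
def constant_time_eq?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server side model of protect_from_forgery: GET/HEAD are exempt, everything
# else must present the session token as a param or as the X-CSRF-Token header.
def verified_request?(request, session)
  return true if %w[GET HEAD].include?(request[:method])
  token = session.authenticity_token
  return false if token.nil?
  constant_time_eq?(token, request[:params]['authenticity_token']) ||
    constant_time_eq?(token, request[:headers]['X-CSRF-Token'])
end

# The before-filter outcome: :ok when the request verifies, :session_reset when
# it does not (after which an OpenID login filter would see no user and redirect).
def handle_post(request, session)
  return :ok if verified_request?(request, session)
  session.reset!
  :session_reset
end

# Walk through both cases: a grid POST with the token, then one without it.
def demo
  session = CsrfSession.new(42)
  page = csrf_meta_tag(session)

  good = ajax_request('POST', '/rows/1', page, { 'id' => '1', 'name' => 'x' })
  with_token = handle_post(good, session)          # :ok, still logged in

  naked = { method: 'POST', path: '/rows/1',
            headers: { 'X-Requested-With' => 'XMLHttpRequest' },
            params: { 'id' => '1', 'name' => 'x' } }
  without_token = handle_post(naked, session)      # :session_reset, logged out

  { with_token: with_token, without_token: without_token,
    still_logged_in: session.logged_in? }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Once the session has been reset, even a retry that carries the old token fails, because the token it is compared against is gone; that is why the poster saw the 401/redirect rather than an error page, and why wiring the token into every Ajax request (rather than fixing individual calls) is the right shape of fix.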