Updated to support Firefox's Cross-site HTTP requests policy.

* Access-Control-Allow-Origin to specific host (wild card does not work with FF)
* Access-Control-Allow-Credentials true
* Set XMLHttpRequest.withCredentials = true

src/main/java/org/appfuse/examples/web/OptionsHeadersFilter.java

@@ -15,10 +15,11 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
             throws IOException, ServletException {
         HttpServletResponse response = (HttpServletResponse) res;
 
-        response.setHeader("Access-Control-Allow-Origin", "*");
+        response.setHeader("Access-Control-Allow-Origin", "http://"+req.getServerName());
         response.setHeader("Access-Control-Allow-Methods", "GET,POST");
         response.setHeader("Access-Control-Max-Age", "360");
         response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
+        response.setHeader("Access-Control-Allow-Credentials", "true");
 
         chain.doFilter(req, res);
     }

src/main/webapp/index.jsp

@@ -92,6 +92,9 @@
         $('#status').click(function() {
             $.ajax({url: getHost() + '${ctx}/api/login.json',
                 type: 'GET',
+                beforeSend: function(xhr){
+                    xhr.withCredentials = true;
+                },
                 success: function(data, status) {
                     $(".status").remove();
                     $("#status").after("<span class='status'> Logged In: " + data.loggedIn + "</span>");

src/main/webapp/login.jsp

@@ -45,6 +45,9 @@
         e.preventDefault();
         $.ajax({url: getHost() + "${ctx}/api/login.json",
             type: "POST",
+            beforeSend: function(xhr){
+                xhr.withCredentials = true;
+            },
             data: $("#loginForm").serialize(),
             success: function(data, status) {
                 if (data.loggedIn) {