jQuery and HTTP Posts to SharePoint
// August 13th, 2010 // Uncategorized
My current project required me to fire an AJAX POST to provision a mysite. The provisioning was done using the built-in Self Site Creation method.
I used jQuery’s ajax POST function to create a post to my code-behind method. Simple, right? Wrong. I ran into the infamous:
The security validation for this page is invalid. Click Back in your Web browser
Well, I tried the usual tricks:
1) Setting web.AllowUnsafeUpdates = true. Didn't work.
2) Tried the SPUtility.ValidateFormDigest method on the POST. Didn't work.
3) Tried the SPWebApplication.FormDigestSettings approach: set it to false, initiate the call and reset it. I frown on this approach, as it essentially requires making the same change we would make in Central Admin: turning off the Form Digest Settings and then resetting them. Nonetheless, this did not work. I later found that updating anything “central admin” related gave me an access denied. This was due to us running our web app with claims (SAML).
So I was stumped. I went back to basics.
I created a normal button which did a postback and called the self site create method. No problems with that POST. But a problem with my client-side jQuery post.
So I then turned to Fiddler to see what the difference was between the two POST calls. Through spoofing POST calls I finally found an interesting POST variable which is passed with a normal postback generated by a button sitting within a SharePoint context.
__REQUESTDIGEST
I did a quick Google search and found this post, which was more than helpful. According to this post the variable is:
nothing more than a hidden field set by the server and verified back by the server when the page is submitted. As documented by Microsoft: The purpose of form digest validation is to help prevent security attacks where a user is tricked into posting data unknowingly to a server
Read this post if you come across the problem I explain above. It explains this issue really well.
After reading it thoroughly I realised I just needed to pass in the variable with the POST’s data when doing the AJAX call. Here’s what my jQuery ajax POST looked like in the end:
```javascript
$.ajax({
    type: "POST",
    url: "CreatePersonalWorkspace.aspx",
    beforeSend: function (xhr) {
        xhr.setRequestHeader("Content-Type",
            "application/x-www-form-urlencoded");
    },
    // Pass the request digest through on the POST. It is necessary to execute
    // the provisionworkspace method and is passed through on all posts.
    // encodeURIComponent keeps the digest intact inside the urlencoded body.
    data: "method=CreatePersonalWorkspace&__REQUESTDIGEST=" +
        encodeURIComponent($("#__REQUESTDIGEST").val()),
    success: function (msg) {
        var result = JSON.parse(msg);
        if (result[0].Status == "created") {
            // Workspace exists now: swap the progress panel for the link
            $("div[id$='provisioningDiv']").hide();
            $("#personal_workspace_url").attr("href", result[0].Value);
            $("#personal_workspace_url").show();
        } else if (result[0].Status == "redirect") {
            document.location = result[0].Value;
        } else {
            $("#errorResponse").html(result[0].Value);
        }
    }
});
```
A friend of mine pointed me to this link which explains a little more: http://msdn.microsoft.com/en-us/library/ms472879.aspx. Essentially, what we pass as the __REQUESTDIGEST has been created by the SharePoint:FormDigest control.
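To show why the button postback succeeded while the bare AJAX POST was rejected, here is a Node.js model of a form digest being issued, posted back and validated. It is an added example, not code from the original post and not SharePoint's actual algorithm: the HMAC construction, the digest layout and the names `SERVER_KEY`, `TIMEOUT_MS`, `issueDigest`, `buildPostBody` and `validatePost` are all assumptions made for illustration.

```javascript
// Added illustration: simplified model of a form digest, NOT SharePoint's real algorithm.
const crypto = require("crypto");

const SERVER_KEY = crypto.randomBytes(32); // hypothetical per-server secret
const TIMEOUT_MS = 30 * 60 * 1000;         // assumed digest lifetime

// Bind the digest to the user, the site and the issue time.
function mac(user, site, issuedAt) {
  return crypto.createHmac("sha256", SERVER_KEY)
    .update(`${user}\n${site}\n${issuedAt}`).digest("hex");
}

// Server side: the value rendered into the hidden __REQUESTDIGEST field.
function issueDigest(user, site, now = Date.now()) {
  return `0x${mac(user, site, now)},${now}`;
}

// Client side: build the urlencoded body; URLSearchParams escapes the digest.
function buildPostBody(fields, digest) {
  const params = new URLSearchParams(fields);
  if (digest !== undefined) params.set("__REQUESTDIGEST", digest);
  return params.toString();
}

// Server side: validate the digest carried by an incoming POST body.
function validatePost(body, user, site, now = Date.now()) {
  const digest = new URLSearchParams(body).get("__REQUESTDIGEST");
  if (!digest) return "rejected: digest missing";
  const m = /^0x([0-9a-f]{64}),(\d+)$/.exec(digest);
  if (!m) return "rejected: digest malformed";
  const issuedAt = Number(m[2]);
  const expected = Buffer.from(mac(user, site, issuedAt), "hex");
  const given = Buffer.from(m[1], "hex");
  // Constant-time compare; both buffers are 32 bytes by construction.
  if (!crypto.timingSafeEqual(given, expected)) return "rejected: digest invalid";
  if (now - issuedAt > TIMEOUT_MS) return "rejected: digest expired";
  return "accepted";
}
```

A POST built without the digest fails at the first check, which corresponds to the "security validation for this page is invalid" error; a digest issued to one user fails the MAC check when submitted under another session.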