Nuxeo EP shouldn't require authentication for CORS preflight requests

I am unable to make cross-domain requests to Nuxeo's Automation REST service, using jQuery, because the server is requiring that the client authenticate before it will answer the OPTIONS CORS request. I don't think that is valid; the server should not require authentication for CORS preflight requests. This can be achieved in Tomcat with something along these lines:

<LimitExcept OPTIONS HEAD>
  Require valid-user
</LimitExcept>

Below is a trace that demonstrates the problem. Any workaround is welcome; jQuery won't proceed upon receiving a 401:


OPTIONS /nuxeo/site/automation/Document.GetChildren HTTP/1.1
Host: localhost:8083
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Origin: http://localhost:8080
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="Nuxeo Automation"
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Mon, 22 Oct 2012 10:04:46 GMT

0 votes

0 answers
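
One way a server-side authentication filter could treat the preflight shown in the trace, as an added example that is not part of the original question and not Nuxeo's code: it answers only genuine preflights from an allowlisted origin without credentials and sends everything else, HEAD and plain OPTIONS included, to authentication. The allowlists and the names `decide`, `isPreflight` and `lowerKeys` are assumptions.

```javascript
// Added example, not Nuxeo code. The allowlists and function names are assumptions.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080"]); // origin from the trace
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// HTTP header names are case-insensitive, so compare them in lower case.
function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// A preflight is OPTIONS carrying both Origin and Access-Control-Request-Method.
function isPreflight(method, headers) {
  const h = lowerKeys(headers);
  return method.toUpperCase() === "OPTIONS" &&
    Boolean(h["origin"]) && Boolean(h["access-control-request-method"]);
}

// Decision an authentication filter would take before checking credentials.
function decide(method, headers) {
  const h = lowerKeys(headers);
  // HEAD, plain OPTIONS and every real request still go through authentication.
  if (!isPreflight(method, h)) return { action: "authenticate" };
  const wanted = (h["access-control-request-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_ORIGINS.has(h["origin"]) &&
    ALLOWED_METHODS.includes(h["access-control-request-method"].toUpperCase()) &&
    wanted.every((name) => ALLOWED_HEADERS.includes(name));
  // No CORS headers on refusal: the browser then blocks the actual request.
  if (!ok) return { action: "deny", status: 403, headers: {} };
  return {
    action: "preflight", status: 204,
    headers: {
      "Access-Control-Allow-Origin": h["origin"],
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      "Vary": "Origin",
    },
  };
}

// Preflight headers copied from the trace in the question.
const TRACE_PREFLIGHT = {
  "Host": "localhost:8083",
  "Origin": "http://localhost:8080",
  "Access-Control-Request-Method": "GET",
  "Access-Control-Request-Headers": "authorization",
};
```

The preflight never carries the `Authorization` value itself, only its name in `Access-Control-Request-Headers`, so the actual GET that follows is still authenticated as before.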