I think the main issue is the application using the API - i.e your browser, has to pass it's logged in session cookie to the server for authentication.
In the case of an external app, it won't be logged in. Not sure you can pass credentials with the connection?
I would think that you should be able to do ‘1' as long as you run the code through your browser and are logged into both systems..?
I've told jquery the type is ‘text' and then used eval() to get the response back into json if that helps.
If you are writing some sort of "app" inside an HTML widget, you do need to send the correct cookies, or (better) use the Jive Apps APIs that take care of authentication for you. But that is not the best way to write an external client app. Before Jive 7, you should really be using Basic Authentication with the Jive username and password of the user to perform this transaction on every request. With 7.0, you'll also have the option to authenticate with OAuth 2, and pass the appropriate access token on each request.
1. I think the way to go would be to build this as a Jive App on one side, and then use a Jive connects service to connect to the REST API on your second Jive server.
2. You would need to build this either as a separate application, or as an extension to your product management system. Are you looking to import documents on a regular basis, or is this something a user will do interactively.
Would CORS help you to get around the cross-domain issue? If I remember right, it would involve a little bit of configuration on the web server and setting appropriate headers in the client code. It should be transparent to your service calls. For identity, I think you should be able to send a BasicAuth header to authenticate to the service.
As Gregory Dinning stated for browser (AJAX) to server calls to support cross-domain requests you'll need to add CORS support to the Apache web server(s) sitting in front of the Jive application server. See Using CORS - HTML5 Rocks
Apache config entries to support AJAX calls with a custom header and cookie support:
Header set Access-Control-Allow-Origin "http://<fqdn>"
Header set Access-Control-Allow-Methods "POST, GET, OPTIONS"
Header set Access-Control-Allow-Headers: "X-Requested-With"
Header set Access_Control-Allow-Credentials: "true"
One thing I've noticed is that the default Jive Apache configuration denys OPTIONS requests - so doesn't support AJAX preflight requests.
I've also noticed in the past that Spring MVC ignores OPTIONS request. If you're using it, that will probably be a showstopper as well.. You have to set a param in web.xml to enable OPTIONS requestst. I can't remember what the exact value is but I'll look it up later and repost.