Juan Hernandez has posted comments on this change.

Change subject: webadmin: Use /api/ instead of /api
......................................................................
Patch Set 2:

(1 comment)

....................................................
File frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/restapi/RestApiSessionManager.java

Line 69: this.eventBus = eventBus;
Line 70: this.clientStorage = clientStorage;
Line 71: // Note that the slash at the end of the URL is not just a whim. With the trailing slash the browser will only
Line 72: // send authentication headers to URLs ending in api/, otherwise it will send them to URLs ending in /, and
Line 73: // this causes problems in other applications, for example in the reports application.

Currently we use basic authentication, so when the GWT application (the browser on behalf of the GWT application) performs the first request for /api it receives a response with the "WWW-Authenticate" header. Then the browser sends the "Authorization" header containing the credentials (the user name and password that the user typed in the login form of the GWT application). But it won't send it only once; it will remember that it has to be sent for each request for this "protected space", and for the browser the definition of "protected space" is the set of URLs that start with a certain prefix. That prefix is the result of removing everything from the end of the initial URL up to the first slash. In this case this means that the browser will consider that the "protected space" is everything starting with "/". So when later the GWT application (the browser on behalf of the GWT application) requests the "/rhevm-reports/whatever" URL it will also send the "Authorization" header! In this particular application that triggers its own internal authentication, which fails because the credentials aren't valid.

The proposed solution is to modify the GWT application to request initially /api/ instead of /api, thus the browser will consider that the "protected space" is anything starting with "/api/" and won't send the "Authorization" header to the "/rhevm-reports/whatever" URLs.

Line 74: this.restApiBaseUrl = FrontendUrlUtils.getRootURL() + "api/"; //$NON-NLS-1$
Line 75: }
Line 76:
Line 77: void sendRequest(RequestBuilder requestBuilder, RestApiCallback callback) {

-- 
To view, visit http://gerrit.ovirt.org/21431
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I096a8769ff018f60366ab4ec8d2425c7f8d0f7e2
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Michael Pasternak <mpast...@redhat.com>
Gerrit-Reviewer: Oved Ourfali <oourf...@redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vsz...@redhat.com>
Gerrit-Reviewer: Yaniv Dary <yd...@redhat.com>
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: Yes
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
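The following JavaScript is an added illustration of the browser behaviour the comment above relies on; it is not code from the oVirt patch or from the Gerrit discussion. It models the Basic-auth credential cache that browsers keep (RFC 7617 section 2, as implemented by Firefox and Chromium: the protection space is the request path cut back to its last slash, scoped to the origin) and then replays the two scenarios from the thread, challenge on /api versus challenge on /api/, against a later request for /rhevm-reports/whatever. The origin, the user name and password, and the /api/vms path are constructed for the example.

```javascript
// Added example: a model of the browser's Basic-auth "protection space" cache.
// Not part of the ovirt-engine code base. Origin, credentials and the /api/vms
// path are constructed for illustration.

// Protection space of a URL that answered 401 + WWW-Authenticate: the origin
// plus the path cut back to (and including) its last slash.
//   https://h/api   -> https://h/
//   https://h/api/  -> https://h/api/
function protectionSpace(url) {
  const u = new URL(url);
  const lastSlash = u.pathname.lastIndexOf("/");
  return u.origin + u.pathname.slice(0, lastSlash + 1);
}

// Minimal stand-in for the browser's per-origin credential cache.
class BasicAuthCache {
  constructor() {
    this.spaces = new Map(); // protection-space prefix -> Authorization value
  }

  // The user answered a challenge from `challengedUrl` with these credentials.
  onChallenge(challengedUrl, username, password) {
    const token = Buffer.from(`${username}:${password}`, "utf8").toString("base64");
    this.spaces.set(protectionSpace(challengedUrl), `Basic ${token}`);
  }

  // Authorization header the browser would attach preemptively, or null.
  headerFor(url) {
    const t = new URL(url);
    const full = t.origin + t.pathname;
    for (const [space, header] of this.spaces) {
      if (full.startsWith(space)) return header;
    }
    return null;
  }
}

// Replay the scenario from the thread: first request hits `initialPath`, gets a
// 401, the user logs in, then the page fetches the REST API and the reports app.
function simulate(initialPath) {
  const origin = "https://engine.example.com"; // constructed
  const cache = new BasicAuthCache();
  cache.onChallenge(origin + initialPath, "admin@internal", "secret"); // constructed
  return {
    space: protectionSpace(origin + initialPath),
    sentToApi: cache.headerFor(origin + "/api/vms") !== null,
    sentToReports: cache.headerFor(origin + "/rhevm-reports/whatever") !== null,
    // A different origin never sees the credentials, whatever the path.
    sentCrossOrigin: cache.headerFor("https://other.example.com/api/vms") !== null,
  };
}

// Before the patch: challenge on /api, credentials leak to the reports app.
// After the patch: challenge on /api/, credentials stay under /api/.
console.log(simulate("/api"));
console.log(simulate("/api/"));
```

The `space` value is the whole story: cutting `/api` back to its last slash yields `/`, so every same-origin path is inside the protection space, while `/api/` keeps the space at `/api/`. The cross-origin case is included because the scope is origin-bound as well as path-bound; moving the reports application to its own host would also have avoided the leak, but the trailing slash is the cheaper fix.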