Vojtech Szocs has posted comments on this change.

Change subject: webadmin: UI Plugins PoC, revision 7
......................................................................


Patch Set 2:

Juan, thank you for your comments, in general I agree with your points. Using 
RequestBuilder.setUser/setPassword is definitely better than constructing HTTP 
basic auth header by hand.

In case of auto-login (user session already exists on server), instead of 
creating/caching HTTP basic auth info on the server and passing this info to 
the client, it's better to use the local storage API for this purpose. Since 
auto-login essentially depends on JSESSIONID cookie set for WebAdmin, we can 
use local storage API on the client to remember user password when user logs 
into WebAdmin for the first time (I'm not sure there is a query to retrieve 
password for the given user). Next time when the user opens WebAdmin and 
auto-login process takes place, we can use RequestBuilder.setUser/setPassword 
API in the same way as for regular login process. This way, we can eliminate 
'Base64Coder' class as well.

In other words, in case of auto-login, we need a way to determine user password 
for the currently logged in user, in order to acquire REST API session. We can 
simply remember the password via local storage API (HTML5/cookie) for the first 
time, and retrieve it for auto-login. From a security point of view, only 
applications served from domain X (e.g. /webadmin) can read cookies set for 
domain X, with similar restriction for HTML5 local storage.

--
To view, visit http://gerrit.ovirt.org/9250
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I6dd6e5b082264e8f8eee305e599f8ff3899e2fa4
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Vojtech Szocs <vsz...@redhat.com>
Gerrit-Reviewer: Daniel Erez <de...@redhat.com>
Gerrit-Reviewer: Einav Cohen <eco...@redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Laszlo Hornyak <lhorn...@redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vsz...@redhat.com>
Gerrit-Reviewer: Yair Zaslavsky <yzasl...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
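
Added example (not part of the original message or of the oVirt code): a small model of how a browser scopes the two storage options discussed in the comment above, HTML5 local storage by origin and cookies by the RFC 6265 domain and path matching rules. The host name, the /otherapp path, port 8443 and the cookie attributes are constructed sample values.

```javascript
// Constructed sample URLs; only /webadmin comes from the message above.
const webadmin = "https://engine.example.test/webadmin/index.html";
const otherApp = "https://engine.example.test/otherapp/index.html";
const otherPort = "https://engine.example.test:8443/webadmin/index.html";

// Constructed host-only session cookie scoped to the WebAdmin path.
const session = { name: "JSESSIONID", host: "engine.example.test",
                  domain: null, path: "/webadmin", secure: true };

// localStorage is keyed by origin (scheme + host + port); the path is not part of the key.
function storageOrigin(url) {
  return new URL(url).origin;
}

// RFC 6265 domain-match: exact host for host-only cookies, otherwise suffix match.
function domainMatches(host, cookie) {
  if (!cookie.domain) return host === cookie.host;
  const d = cookie.domain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// RFC 6265 path-match: cookie path must be a prefix ending on a "/" boundary.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Would the browser attach this cookie to a request for url? Port is ignored.
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatches(u.hostname.toLowerCase(), cookie) &&
         pathMatches(u.pathname, cookie.path);
}

function report() {
  return {
    sameStorageAcrossPaths: storageOrigin(webadmin) === storageOrigin(otherApp),
    sameStorageAcrossPorts: storageOrigin(webadmin) === storageOrigin(otherPort),
    cookieToWebadmin: cookieSentTo(session, webadmin),
    cookieToOtherApp: cookieSentTo(session, otherApp),
    cookieToOtherPort: cookieSentTo(session, otherPort),
  };
}

console.log(report());
```

The model shows the two mechanisms draw their boundaries differently: local storage is shared by every path on one origin but split by port, while the cookie is limited by path but not by port.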
