[ovirt-devel] UI plugins - talking with Engine via JSESSIONID now requires separate request header
Alon Bar-Lev
alonbl at redhat.com
Thu Jul 24 06:13:07 UTC 2014
----- Original Message -----
> From: "Vojtech Szocs" <vszocs at redhat.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>, "Juan Antonio Hernandez Fernandez" <jhernand at redhat.com>
> Cc: devel at ovirt.org
> Sent: Tuesday, July 15, 2014 9:46:52 PM
> Subject: Re: [ovirt-devel] UI plugins - talking with Engine via JSESSIONID now requires separate request header
>
>
>
> ----- Original Message -----
> > From: "Alon Bar-Lev" <alonbl at redhat.com>
> > To: "Vojtech Szocs" <vszocs at redhat.com>
> > Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>
> > Sent: Tuesday, July 15, 2014 8:22:06 PM
> > Subject: Re: [ovirt-devel] UI plugins - talking with Engine via JSESSIONID
> > now requires separate request header
> >
> >
> >
> > ----- Original Message -----
> > > From: "Vojtech Szocs" <vszocs at redhat.com>
> > > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>
> > > Sent: Tuesday, July 15, 2014 9:18:44 PM
> > > Subject: Re: [ovirt-devel] UI plugins - talking with Engine via
> > > JSESSIONID
> > > now requires separate request header
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Alon Bar-Lev" <alonbl at redhat.com>
> > > > To: "Vojtech Szocs" <vszocs at redhat.com>
> > > > Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>, "René Koch"
> > > > <r.koch at ovido.at>
> > > > Sent: Tuesday, July 15, 2014 7:47:35 PM
> > > > Subject: Re: [ovirt-devel] UI plugins - talking with Engine via
> > > > JSESSIONID
> > > > now requires separate request header
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Vojtech Szocs" <vszocs at redhat.com>
> > > > > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > > > Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>, "René Koch"
> > > > > <r.koch at ovido.at>
> > > > > Sent: Tuesday, July 15, 2014 8:40:30 PM
> > > > > Subject: Re: [ovirt-devel] UI plugins - talking with Engine via
> > > > > JSESSIONID
> > > > > now requires separate request header
> > > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Alon Bar-Lev" <alonbl at redhat.com>
> > > > > > To: "Vojtech Szocs" <vszocs at redhat.com>
> > > > > > Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>, "René
> > > > > > Koch"
> > > > > > <r.koch at ovido.at>
> > > > > > Sent: Tuesday, July 15, 2014 7:17:40 PM
> > > > > > Subject: Re: [ovirt-devel] UI plugins - talking with Engine via
> > > > > > JSESSIONID
> > > > > > now requires separate request header
> > > > > >
> > > > > >
> > > > > > Can we have X-OVIRT-SESSIONID header name or any generic term and
> > > > > > per
> > > > > > ovirt
> > > > > > specific instead of generic java terms?
> > > > >
> > > > > Good question. In general I agree, JavaEE's default "JSESSIONID"
> > > > > naming
> > > > > convention for custom header (or cookie) is not very meaningful in
> > > > > multi
> > > > > app deployment.
> > > > >
> > > > > However, I'd rather avoid "X-" prefix [1].
> > > > >
> > > > > [1]
> > > > > http://stackoverflow.com/questions/3561381/custom-http-headers-naming-conventions
> > > > >
> > > > > Currently, it is the "JSESSIONID" cookie which maps to the session.
> > > > > Currently, "JSESSIONID" custom header is only for CSRF-protection,
> > > > > i.e. to be compared with cookie value (cookie is still required in
> > > > > order to reuse existing session).
> > > > >
> > > > > AFAIK, Juan plans to support passing session ID via custom HTTP
> > > > > header, as an alternative to passing session ID via cookie. When
> > > > > this gets done, the custom HTTP header should be named something
> > > > > like "OVIRT-SESSIONID".
> > > >
> > > > I do not see any reason why not to use this (or any other non
> > > > JSESSIONID)
> > > > name for header now.
> > >
> > > Yes, we could also change it now, because JSESSIONID header was
> > > introduced only recently by http://gerrit.ovirt.org/#/c/29681/
> > >
> > > However I think this is not really "Engine session ID", but rather
> > > "Java webapp session ID" - AFAIK, real Engine session ID is stored
> > > inside Java webapp session attribute - see SessionConstants
> > > HTTP_SESSION_ENGINE_SESSION_ID_KEY ("ovirt_aaa_engineSessionId").
> > >
> > > But we can consider real Engine session ID as impl. detail, so we
> > > can rename JSESSIONID to OVIRT-SESSIONID or similar.
> > >
> > > As for the cookie name, I'm not aware of any way to change it in
> > > JBoss. I think that even Java servlet spec says it must be called
> > > JSESSIONID. (But then again, in future I'd like to avoid using that
> > > cookie altogether, in favor of using custom OVIRT-SESSIONID header.)
> > >
> >
> > it is not important what session id it is... it can be the jboss now and
> > other later, what important is that we do not change the interface in
> > future, so that the session id whatever it may be is set within header that
> > is forward compatible.
>
> I agree.
>
> @Juan, can we change JSESSIONID header to OVIRT-SESSIONID or similar,
> in scope of REST API webapp?
>
> (Also to be used in future instead of JSESSIONID cookie, to associate
> client request with REST API / Engine session.)
>
?????
> >
> > the fact that we have a cookie is nice, may have some value (or not...),
> > but
> > cookie is set by server and sent by client automatically, so naming is not
> > important.
>
> Right, web browsers take care of cookies automatically and other
> clients can prefer to use custom header like OVIRT-SESSIONID,
> if they want.
>
> >
> > > >
> > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Vojtech Szocs" <vszocs at redhat.com>
> > > > > > > To: devel at ovirt.org
> > > > > > > Cc: "Oved Ourfalli" <ovedo at redhat.com>, "René Koch"
> > > > > > > <r.koch at ovido.at>
> > > > > > > Sent: Tuesday, July 15, 2014 8:06:19 PM
> > > > > > > Subject: [ovirt-devel] UI plugins - talking with Engine via
> > > > > > > JSESSIONID
> > > > > > > now
> > > > > > > requires separate request header
> > > > > > >
> > > > > > > Hi guys,
> > > > > > >
> > > > > > > please be advised, patch for master [1] as well as
> > > > > > > ovirt-engine-3.5
> > > > > > > [2]
> > > > > > > branch was merged recently. This patch enables CSRF (Cross-Site
> > > > > > > Request
> > > > > > > Forgery) protection for REST API session acquired by WebAdmin UI
> > > > > > > plugin
> > > > > > > infrastructure.
> > > > > > >
> > > > > > > If you maintain UI plugin(s) and utilize "RestApiSessionAcquired"
> > > > > > > event
> > > > > > > handler function, i.e. your UI plugin (JavaScript) calls Engine
> > > > > > > directly
> > > > > > > or you pass the session ID to some other system which calls
> > > > > > > Engine,
> > > > > > > make
> > > > > > > sure that any request to Engine contains both:
> > > > > > >
> > > > > > > * JSESSIONID cookie (as today)
> > > > > > > * JSESSIONID request header (this is new)
> > > > > > >
> > > > > > > For CSRF-protected session [3], REST API backend compares these
> > > > > > > values
> > > > > > > and if not successful, it responds with HTTP 403 (Forbidden)
> > > > > > > which
> > > > > > > will
> > > > > > > break the communication with Engine.
> > > > > > >
> > > > > > > As mentioned above, this applies to all UI plugins deployed on
> > > > > > > Engine
> > > > > > > WebAdmin version 3.5 and later.
> > > > > > >
> > > > > > > In order to stay compatible with older (unpatched) UI plugins, we
> > > > > > > could
> > > > > > > introduce some Engine config parameter to control whether the
> > > > > > > REST
> > > > > > > API
> > > > > > > session for UI plugins should use CSRF protection or not.
> > > > > > >
> > > > > > > [1] http://gerrit.ovirt.org/#/c/29682/
> > > > > > > [2] http://gerrit.ovirt.org/#/c/29850/
> > > > > > > [3] details in commit message of
> > > > > > > http://gerrit.ovirt.org/#/c/29849/
> > > > > > >
> > > > > > > Regards,
> > > > > > > Vojtech
> > > > > > > _______________________________________________
> > > > > > > Devel mailing list
> > > > > > > Devel at ovirt.org
> > > > > > > http://lists.ovirt.org/mailman/listinfo/devel
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
More information about the Devel
mailing list