Change in ovirt-engine[master]: restapi: Add CORS filter
juan.hernandez at redhat.com
Thu Jan 29 13:38:39 UTC 2015
Juan Hernandez has submitted this change and it was merged.
Change subject: restapi: Add CORS filter
......................................................................
restapi: Add CORS filter
This patch adds CORS (Cross Origin Resource Sharing) support to the
RESTAPI. This is based on the existing CORS filter developed by eBay and
available here:
https://github.com/ebay/cors-filter
On top of that filter this patch adds the possibility to configure it
with two configuration parameters stored in the engine database and
supported by the "engine-config" tool:
CORSSupport:
This is a boolean parameter that indicates if the CORS support should
be enabled. If its value is "false" then the support will be disabled
and the RESTAPI will behave exactly as before introducing this patch.
If the value is "true" then the CORS support will be enabled, but by
default no origin will be allowed, so the second parameter has also
to be configured correctly. The default value is "false".
CORSAllowedOrigin:
This is a comma separated list of the allowed origins. If it is empty
CORS support will be effectively disabled, even if the value of the
"CORSSupport" parameter is "true". It can also have the special value
"*", and in that case all origins will be allowed.
In practice, to use the filter, both parameters need to be set. For
example, in order to allow requests from scripts downloaded from
"my.app", the following configuration changes are required:
# engine-config -s CORSSupport=true
# engine-config -s CORSAllowedOrigins=http://my.app
# systemctl restart ovirt-engine
To test the filter you can use a simple JavaScript application like the
following deployed in the root of the web server of "my.app":
<html>
<head>
<script>
function onGet() {
var xhr = prepareRequest("GET");
xhr.send();
}
function prepareRequest(method) {
var url = document.getElementById("url");
var user = document.getElementById("user");
var password = document.getElementById("password");
var body = document.getElementById("body");
var xhr = new XMLHttpRequest();
xhr.open(method, url.value);
xhr.setRequestHeader("Authorization", "Basic " + window.btoa(user.value + ":" + password.value));
xhr.setRequestHeader("Accept", "application/xml");
xhr.setRequestHeader("Content-Type", "application/xml");
xhr.onload = function (e) {
var text = xhr.responseText;
body.value = text;
};
return xhr;
}
</script>
</head>
<body>
<form action="">
<table>
<tr>
<td>URL</td>
<td><input id="url" type="text" value="https://my.engine/ovirt-engine/api"/></td>
</tr>
<tr>
<td>User</td>
<td><input id="user" type="text" value="admin@internal"/></td>
</tr>
<tr>
<td>Password</td>
<td><input id="password" type="password" value=""/></td>
</tr>
<tr>
<td colspan="2">
<div>
Body
</div>
<div>
<textarea id="body" rows="10" cols="80">
</textarea>
</div>
</td>
</tr>
<tr>
<td colspan="2">
<input type="button" value="GET" onclick="onGet()"/>
</td>
</tr>
</table>
</form>
</body>
</html>
When running this application the browser should send an initial OPTIONS
request to the server, asking for permission to send the actual request:
OPTIONS /ovirt-engine/api HTTP/1.1
Host: my.engine
Origin: http://my.app
Access-Control-Request-Method: GET
Access-Control-Request-Headers: accept,authorization,content-type
...
The server should then respond with something like this:
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept,content-type,authorization
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: http://my.app
Access-Control-Max-Age: 1800
Access-Control-Allow-Credentials: true
...
Then the browser will send the actual GET request, as the server
approved it.
For more details about the CORS protocol see here:
W3C:
http://www.w3.org/TR/cors
Mozilla:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
Change-Id: I40f9a13105fe99bb6b4035e61b8945efd8315f57
Bug-Url: https://bugzilla.redhat.com/1181530
Signed-off-by: Juan Hernandez <juan.hernandez at redhat.com>
---
M backend/manager/dependencies/common/pom.xml
A backend/manager/dependencies/common/src/main/modules/org/ebaysf/web/cors-filter/main/module.xml
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/Backend.java
M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/ConfigurationValues.java
M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/GetConfigurationValueParameters.java
M backend/manager/modules/restapi/interface/common/jaxrs/pom.xml
A backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/CORSSupportFilter.java
M backend/manager/modules/restapi/interface/common/jaxrs/src/main/modules/org/ovirt/engine/api/interface-common-jaxrs/main/module.xml
M backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml
M packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql
M packaging/etc/engine-config/engine-config.properties
12 files changed, 289 insertions(+), 20 deletions(-)
Approvals:
Juan Hernandez: Verified; Looks good to me, approved
Greg Sheremeta: Verified; Looks good to me, but someone else must approve
--
To view, visit http://gerrit.ovirt.org/36367
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I40f9a13105fe99bb6b4035e61b8945efd8315f57
Gerrit-PatchSet: 8
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Alexander Wels <awels at redhat.com>
Gerrit-Reviewer: Einav Cohen <ecohen at redhat.com>
Gerrit-Reviewer: Greg Sheremeta <gshereme at redhat.com>
Gerrit-Reviewer: Jenny Kang <jennykang95 at gmail.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vszocs at redhat.com>
Gerrit-Reviewer: automation at ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
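
The preflight exchange and the two configuration values from the commit message above, as an added example that is not part of the original patch or of the eBay filter: `originAllowed` models the enable flag and allowed-origins list as described, and `preflightProblems` checks that a captured preflight response approves what the request asked for. All function names are hypothetical; the wildcard-with-credentials check reflects how browsers treat credentialed requests, not a claim about what the filter emits.

```javascript
// Added example; names are hypothetical, not oVirt or eBay cors-filter code.
// The two header blocks are the ones quoted in the commit message.
const PREFLIGHT_REQUEST = [
  "OPTIONS /ovirt-engine/api HTTP/1.1",
  "Host: my.engine",
  "Origin: http://my.app",
  "Access-Control-Request-Method: GET",
  "Access-Control-Request-Headers: accept,authorization,content-type",
].join("\n");
const PREFLIGHT_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Headers: accept,content-type,authorization",
  "Access-Control-Allow-Methods: GET",
  "Access-Control-Allow-Origin: http://my.app",
  "Access-Control-Max-Age: 1800",
  "Access-Control-Allow-Credentials: true",
].join("\n");

// Split a comma separated value into trimmed, non-empty items.
const items = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);
// Parse a raw header block into a map keyed by lower-cased header name.
function parseHeaders(raw) {
  const h = {};
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip request/status line
    const i = line.indexOf(":");
    if (i > 0) h[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return h;
}
// Origin decision implied by the two engine-config values described above.
function originAllowed(corsSupport, allowedOrigins, origin) {
  const list = items(allowedOrigins); // empty list: effectively disabled
  return corsSupport && list.length > 0 && (list.includes("*") || list.includes(origin));
}
// List what a preflight response fails to approve for the given request.
function preflightProblems(rawReq, rawRes) {
  const req = parseHeaders(rawReq), res = parseHeaders(rawRes), out = [];
  const acao = res["access-control-allow-origin"];
  if (acao !== "*" && acao !== req["origin"]) out.push("origin not approved");
  if (acao === "*" && res["access-control-allow-credentials"] === "true")
    out.push("wildcard origin with credentials");
  if (!items(res["access-control-allow-methods"]).includes(req["access-control-request-method"]))
    out.push("method not approved");
  const allowed = items(res["access-control-allow-headers"]).map((s) => s.toLowerCase());
  for (const name of items(req["access-control-request-headers"]))
    if (!allowed.includes(name.toLowerCase())) out.push("header not approved: " + name);
  return out;
}
console.log(preflightProblems(PREFLIGHT_REQUEST, PREFLIGHT_RESPONSE));
```

The header comparison is order-independent and case-insensitive, which is why the response's `accept,content-type,authorization` satisfies the request's `accept,authorization,content-type`.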