----- Original Message -----
From: "Sven Kieske" <svenkieske(a)gmail.com>
To: devel(a)ovirt.org
Sent: Tuesday, July 15, 2014 8:26:59 PM
Subject: Re: [ovirt-devel] UI plugins - talking with Engine via JSESSIONID now requires
separate request header
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Just a few questions from someone
who relies on the rest api:
Background:
I use rest not for UI plugins
but for general management stuff
(basically all ovirt operations which are possible via rest)
I don't use the cookie based session management
but pure rest (stateless).
Questions:
1. Will stateless rest sessions always be supported
or do you plan to change this in the future to just allow
cookie based access (so no real rest api, as
it's not stateless anymore)?
My understanding is that REST API's session management
feature is something on top of (stateless) REST / HTTP
concept, so I'd say that "stateless" approach (sending
user credentials with each request, without using any
session) should always be supported.
2. Does this change just affect UI plugins or also
other rest api usages?
It just affects UI plugins deployed on Engine 3.5 or
later, which are talking to Engine via session ID
provided by "RestApiSessionAcquired" hook.
If it does affect other usages, which one?
Just cookie based operations?
None of the above :)
In general, when you ask REST API to create session
("Prefer: persistent-auth" header), you can also tell
the preference whether you want to CSRF-protect it
("Prefer: csrf-protection") or not.
If a REST API session is marked as CSRF-protected,
in addition to sending JSESSIONID cookie, you must
also send JSESSIONID _header_ with same value.
(WebAdmin UI plugin infra acquires CSRF-protected
REST API session for all UI plugins.)
thanks in advance
Sven
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQGcBAEBAgAGBQJTxXJzAAoJEAq0kGAWDrqlEpUL/1DhRE0nqmu8LPF6/nIWn/cD
HXZ05gIFXWGJ/WDpo88xmX4mukYgl0+9tZutwo1LH18uqzeg8LSrgi0XPqwQ2Xvp
lLXLhJzBTrgypx558ub6nS6u0YD4DvHO/6yz5CHVgZC+nHQerd5BqxOyexP36JZl
JZCL0pygK35e5Tx0miG5Zrvd1Tpoq+UD1UCMOCy6FYVHk9Wio4ezKYTx7DwglTX/
wL2HxHfrLNVq3lFTcl/TMGxS+dfhv6DxqHn1CtOsV2OSouecvpSlSdgzmnjgElib
Ll/zKCXbxS8+P/9yj3EviZzqjLItqmKR+rIWW67Vm+Pky+g+wf9m1lA+leYkJj1r
B2CXOtgIUycc4D0SRJXGMjMnsGrrgNTIUFh9lqq77XZw+dxeWuV+zMnPQ1SU5kPB
FEadlVTwEWHEBrWtnin08F6NXzCgIQ1VBMgbR9BaV9UR2220BRBR2ocTycohiAbx
BOL3k6NhU83JzybFtILrR8MVK7uEPFD7M+sby0j1qw==
=QbPl
-----END PGP SIGNATURE-----
_______________________________________________
Devel mailing list
Devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel