
----- Original Message -----
From: "Sven Kieske" <svenkieske@gmail.com>
To: devel@ovirt.org
Sent: Tuesday, July 15, 2014 8:26:59 PM
Subject: Re: [ovirt-devel] UI plugins - talking with Engine via JSESSIONID now requires separate request header
Just a few questions from someone who relies on the rest api:
Background: I use rest not for UI plugins but for general management stuff (basically all ovirt operations which are possible via rest). I don't use the cookie based session management but pure rest (stateless).
Questions: 1. Will stateless rest sessions always be supported or do you plan to change this in the future to just allow cookie based access (so no real rest api, as it's not stateless anymore)?
My understanding is that REST API's session management feature is something on top of (stateless) REST / HTTP concept, so I'd say that "stateless" approach (sending user credentials with each request, without using any session) should always be supported.
2. Does this change just affect UI plugins or also other rest api usages?
It just affects UI plugins deployed on Engine 3.5 or later, which are talking to Engine via session ID provided by "RestApiSessionAcquired" hook.
If it does affect other usages, which one? Just cookie based operations?
None of the above :) In general, when you ask REST API to create session ("Prefer: persistent-auth" header), you can also tell the preference whether you want to CSRF-protect it ("Prefer: csrf-protection") or not. If a REST API session is marked as CSRF-protected, in addition to sending JSESSIONID cookie, you must also send JSESSIONID _header_ with same value. (WebAdmin UI plugin infra acquires CSRF-protected REST API session for all UI plugins.)
thanks in advance
Sven
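
The header rule from the reply above, modelled as an added example (not part of the original message and not oVirt Engine code): a session created with "csrf-protection" is accepted only when the JSESSIONID header repeats the cookie value. The session store, the session ids and the function names are constructed for illustration, and combining both preferences in one comma-separated Prefer header (as RFC 7240 allows) is an assumption about how a client would send them.

```python
# Simplified model of the check described in the reply; not Engine code.
# Header lookup is case-sensitive here to keep the sketch short.
import hmac
from http.cookies import SimpleCookie

def parse_prefer(value):
    """Split a Prefer header into lowercase preference tokens (RFC 7240)."""
    return {tok.strip().lower() for tok in value.split(",") if tok.strip()}

def create_session(sessions, session_id, prefer_header):
    """Record a session; it is CSRF-protected only if the client asked for it."""
    prefs = parse_prefer(prefer_header)
    if "persistent-auth" not in prefs:
        return None  # stateless request: no session is created
    sessions[session_id] = {"csrf_protected": "csrf-protection" in prefs}
    return session_id

def check_request(sessions, headers):
    """Return (allowed, reason) for a request that relies on a session."""
    morsel = SimpleCookie(headers.get("Cookie", "")).get("JSESSIONID")
    if morsel is None or morsel.value not in sessions:
        return False, "no valid session cookie"
    if not sessions[morsel.value]["csrf_protected"]:
        return True, "session not CSRF-protected; cookie is enough"
    header_value = headers.get("JSESSIONID", "")
    # Constant-time comparison of the header against the cookie value.
    if hmac.compare_digest(header_value.encode(), morsel.value.encode()):
        return True, "cookie and JSESSIONID header match"
    return False, "CSRF-protected session needs a matching JSESSIONID header"

def demo():
    sessions = {}  # constructed in-memory session store
    create_session(sessions, "constructed-sid-A", "persistent-auth, csrf-protection")
    create_session(sessions, "constructed-sid-B", "persistent-auth")
    cookie_a = "JSESSIONID=constructed-sid-A"
    requests = [
        {"Cookie": cookie_a},                                   # cookie only
        {"Cookie": cookie_a, "JSESSIONID": "constructed-sid-A"},  # cookie + header
        {"Cookie": cookie_a, "JSESSIONID": "wrong-value"},      # mismatched header
        {"Cookie": "JSESSIONID=constructed-sid-B"},             # unprotected session
    ]
    return [check_request(sessions, r)[0] for r in requests]

if __name__ == "__main__":
    print(demo())
```

The cookie-only request against the protected session is the case the extra header exists for: a browser attaches the cookie automatically, but the header has to be set explicitly by the caller.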