Juan Hernandez has submitted this change and it was merged.
Change subject: restapi: Add CORS filter
......................................................................
restapi: Add CORS filter
This patch adds CORS (Cross Origin Resource Sharing) support to the
RESTAPI. This is based on the existing CORS filter developed by eBay and
available here:
https://github.com/ebay/cors-filter
On top of that filter this patch adds the possibility to configure it
with two configuration parameters stored in the engine database and
supported by the "engine-config" tool:
CORSSupport:
This is a boolean parameter that indicates if the CORS support should
be enabled. If its value is "false" then the support will be disabled
and the RESTAPI will behave exactly as before introducing this patch.
If the value is "true" then the CORS support will be enabled, but by
default no origin will be allowed, so the second parameter has also
to be configured correctly. The default value is "false".
CORSAllowedOrigin:
This is a comma separated list of the allowed origins. If it is empty
CORS support will be effectively disabled, even if the value of the
"CORSSupport" parameter is "true". It can also have the special value
"*", and in that case all origins will be allowed.
In practice, to use the filter, both parameters need to be set. For
example, in order to allow requests from scripts downloaded from the
"my.app" the following configuration changes are required:
# engine-config -s CORSSupport=true
# engine-config -s CORSAllowedOrigins=http://my.app
# systemctl ovirt-engine restart
To test the filter you can use a simple JavaScript application like the
following deployed in the root of the web server of "my.app":
<html>
  <head>
    <script>
      // Send a GET to the URL in the form with the credentials in the form.
      function onGet() {
        var xhr = prepareRequest("GET");
        xhr.send();
      }

      // Build a cross-origin XMLHttpRequest with basic authentication and
      // XML content negotiation; the custom headers are what trigger the
      // browser's preflight OPTIONS request.
      function prepareRequest(method) {
        var url = document.getElementById("url");
        var user = document.getElementById("user");
        var password = document.getElementById("password");
        var body = document.getElementById("body");
        var xhr = new XMLHttpRequest();
        xhr.open(method, url.value);
        xhr.setRequestHeader("Authorization", "Basic " +
          window.btoa(user.value + ":" + password.value));
        xhr.setRequestHeader("Accept", "application/xml");
        xhr.setRequestHeader("Content-Type", "application/xml");
        xhr.onload = function (e) {
          // Show the response body in the text area.
          var text = xhr.responseText;
          body.value = text;
        };
        return xhr;
      }
    </script>
  </head>
  <body>
    <form action="">
      <table>
        <tr>
          <td>URL</td>
          <td><input id="url" type="text"
            value="https://my.engine/ovirt-engine/api"/></td>
        </tr>
        <tr>
          <td>User</td>
          <td><input id="user" type="text"
            value="admin@internal"/></td>
        </tr>
        <tr>
          <td>Password</td>
          <td><input id="password" type="password"
            value=""/></td>
        </tr>
        <tr>
          <td colspan="2">
            <div>
              Body
            </div>
            <div>
              <textarea id="body" rows="10"
                cols="80">
              </textarea>
            </div>
          </td>
        </tr>
        <tr>
          <td colspan="2">
            <input type="button" value="GET"
              onclick="onGet()"/>
          </td>
        </tr>
      </table>
    </form>
  </body>
</html>
When running this application the browser should send an initial OPTIONS
request to the server, asking for permission to send the actual request:
OPTIONS /ovirt-engine/api HTTP/1.1
Host: my.engine
Origin: http://my.app
Access-Control-Request-Method: GET
Access-Control-Request-Headers: accept,authorization,content-type
...
The server should then respond with something like this:
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept,content-type,authorization
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: http://my.app
Access-Control-Max-Age: 1800
Access-Control-Allow-Credentials: true
...
Then the browser will send the actual GET request, as the server
approved it.
For more details about the CORS protocol see here:
W3C: http://www.w3.org/TR/cors
Mozilla: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
Change-Id: I40f9a13105fe99bb6b4035e61b8945efd8315f57
Bug-Url: https://bugzilla.redhat.com/1181530
Signed-off-by: Juan Hernandez <juan.hernandez(a)redhat.com>
---
M backend/manager/dependencies/common/pom.xml
A backend/manager/dependencies/common/src/main/modules/org/ebaysf/web/cors-filter/main/module.xml
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/Backend.java
M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/ConfigurationValues.java
M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/GetConfigurationValueParameters.java
M backend/manager/modules/restapi/interface/common/jaxrs/pom.xml
A backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/CORSSupportFilter.java
M backend/manager/modules/restapi/interface/common/jaxrs/src/main/modules/org/ovirt/engine/api/interface-common-jaxrs/main/module.xml
M backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml
M packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql
M packaging/etc/engine-config/engine-config.properties
12 files changed, 289 insertions(+), 20 deletions(-)
Approvals:
Juan Hernandez: Verified; Looks good to me, approved
Greg Sheremeta: Verified; Looks good to me, but someone else must approve
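The preflight exchange the commit message walks through, as an added Node.js model (not code from this change, from oVirt's CORSSupportFilter, or from the eBay cors-filter): it takes the two engine-config parameters and an OPTIONS request and produces the decision and the Access-Control-* headers shown above. The list of supported methods, the 403 status for a refused preflight, and echoing the request's own origin when "*" is configured are assumptions of this example; the sample config and request are constructed from the values in the message.

```javascript
// Added example, not code from the oVirt change or the eBay cors-filter.
// Models how a server-side CORS filter decides a preflight (OPTIONS)
// request from the two engine-config parameters described in the commit
// message: CORSSupport and CORSAllowedOrigins.

// Methods the filter will advertise; which methods the real filter allows
// is an assumption of this example.
const SUPPORTED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const PREFLIGHT_MAX_AGE = "1800"; // value shown in the commit message

// Parse the comma separated origin list; blanks and empty entries are dropped.
function parseAllowedOrigins(value) {
  return String(value || "")
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// CORS is effective only when CORSSupport is "true" AND the origin list is
// non-empty; an empty list disables it even with CORSSupport=true.
function isCorsEnabled(config) {
  return (
    String(config.CORSSupport).toLowerCase() === "true" &&
    parseAllowedOrigins(config.CORSAllowedOrigins).length > 0
  );
}

// "*" allows every origin; otherwise the Origin header must match an entry
// exactly (scheme, host and port included).
function isOriginAllowed(config, origin) {
  if (!origin) return false;
  const allowed = parseAllowedOrigins(config.CORSAllowedOrigins);
  return allowed.includes("*") || allowed.includes(origin);
}

// Decide the preflight. `request.headers` uses lower-case names, as Node's
// http module does. Returns { allowed, status, headers, reason }.
function handlePreflight(config, request) {
  const h = request.headers;
  const origin = h["origin"];
  const method = (h["access-control-request-method"] || "").toUpperCase();
  const requested = (h["access-control-request-headers"] || "")
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);

  // Refusals carry no Access-Control-* headers, so the browser blocks the
  // actual request. The 403 status is an assumption of this example.
  const refuse = (reason) => ({ allowed: false, status: 403, headers: {}, reason });

  if (!isCorsEnabled(config)) return refuse("CORS disabled by configuration");
  if (!isOriginAllowed(config, origin)) return refuse("origin not allowed: " + origin);
  if (!SUPPORTED_METHODS.includes(method)) return refuse("method not supported: " + method);

  // Echo the concrete origin rather than "*": browsers reject a literal "*"
  // when Access-Control-Allow-Credentials is true. Assumption: the filter
  // echoes the request origin even when "*" is configured.
  return {
    allowed: true,
    status: 200,
    reason: "ok",
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": method,
      "Access-Control-Allow-Headers": requested.join(","),
      "Access-Control-Max-Age": PREFLIGHT_MAX_AGE,
      "Access-Control-Allow-Credentials": "true",
    },
  };
}

// Constructed sample: the configuration and preflight from the commit
// message, plus a request from an origin that is not in the list.
const SAMPLE_CONFIG = { CORSSupport: "true", CORSAllowedOrigins: "http://my.app" };
const SAMPLE_PREFLIGHT = {
  headers: {
    host: "my.engine",
    origin: "http://my.app",
    "access-control-request-method": "GET",
    "access-control-request-headers": "accept,authorization,content-type",
  },
};

function demo() {
  const ok = handlePreflight(SAMPLE_CONFIG, SAMPLE_PREFLIGHT);
  console.log("HTTP/1.1 " + ok.status, ok.headers);
  const other = { headers: { ...SAMPLE_PREFLIGHT.headers, origin: "http://other.app" } };
  const denied = handlePreflight(SAMPLE_CONFIG, other);
  // A refused preflight is the event an operator would want logged.
  console.log("HTTP/1.1 " + denied.status, denied.reason);
  return [ok, denied];
}

demo();
```

Running the block with `node` prints the 200 decision with the same headers the commit message shows, then the refused decision for the constructed foreign origin. The `reason` field on refusals is there so the filter's log line says why a preflight was rejected (disabled, unknown origin, unsupported method), which is the first thing to check when a browser reports a blocked cross-origin call.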
--
To view, visit
http://gerrit.ovirt.org/36367
Gerrit-MessageType: merged
Gerrit-Change-Id: I40f9a13105fe99bb6b4035e61b8945efd8315f57
Gerrit-PatchSet: 8
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alexander Wels <awels(a)redhat.com>
Gerrit-Reviewer: Einav Cohen <ecohen(a)redhat.com>
Gerrit-Reviewer: Greg Sheremeta <gshereme(a)redhat.com>
Gerrit-Reviewer: Jenny Kang <jennykang95(a)gmail.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vszocs(a)redhat.com>
Gerrit-Reviewer: automation(a)ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server