Change in ovirt-engine[master]: webadmin, userportal: Adapt UI code to SSO changes

Vojtech Szocs has submitted this change and it was merged.

Change subject: webadmin,userportal: Adapt UI code to SSO changes
......................................................................

webadmin,userportal: Adapt UI code to SSO changes

This patch aligns UI code with recent SSO changes. In a nutshell, it completely removes code that creates and maintains REST webapp's HTTP session in favor of using SSO token.

Dealing with REST HTTP session led us to many problems in the past, typically observed as "Auth Required" browser popups due to REST HTTP session vs. Engine user session [1] inconsistencies.

[1] see CreateUserSessionCommand and SessionDataContainer classes

This patch potentially breaks existing UI plugins by removing the "RestApiSessionAcquired" callback in favor of new API function that returns the SSO token:

    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'http://example.com/ovirt-engine/api');
    xhr.setRequestHeader('Authorization', 'Bearer ' + api.ssoToken());
    xhr.setRequestHeader('Accept', 'application/json');
    xhr.addEventListener('load', function () {
      // response loaded OK, parse JSON data
      var data = JSON.parse(this.responseText);
    });
    xhr.send();

In practice, UI plugins no longer need to rely on asynchronous API callback ("RestApiSessionAcquired") to be able to talk with Engine. UI plugins also no longer need to use session-specific request headers like "Prefer:persistent-auth" and "JSESSIONID:xxx", which simplifies their code.

Since REST HTTP session mechanism relies on cookie ("JSESSIONID"), individual UI plugins should _not_ try to create a REST session on their own to avoid any clashes. (This might change once REST supports non-cookie session ID transport, e.g. use custom header).

From virt-viewer (VM console) integration perspective, this patch replaces "jsessionid" with "sso-token" within the vv file. Recent build of virt-viewer _should_ support "sso-token" (in addition to supporting "jsessionid" for backwards compatibility).

Integration with the Reports portal is not affected; we're still using Engine user session ID for this purpose. In future, Reports portal should be adapted to accept the SSO token.

As for backend changes:

* removed 'OVIRT-SSO-TOKEN' HTTP response header [SSOLoginFilter]
* removed 'JSESSIONID' HTTP response header [RestApiSessionMgmtFilter]

Above headers are not needed since both SSO token and Engine user session ID are available the moment user requests GWT HTML page.

Change-Id: I62f943ae5798f0f148d84019f1ef6bec4d5ebf6a
Bug-Url: https://bugzilla.redhat.com/1236976
Signed-off-by: Vojtech Szocs <vszocs@redhat.com>
---
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/RestApiSessionMgmtFilter.java
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SsoLoginFilter.java
M frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/Frontend.java
D frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/FrontendLoginHandler.java
D frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/communication/SsoTokenChange.java
M frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GwtDynamicHostPageServlet.java
M frontend/webadmin/modules/frontend/src/main/resources/META-INF/resources/GwtHostPage.jsp
M frontend/webadmin/modules/frontend/src/test/java/org/ovirt/engine/ui/frontend/FrontendActionTest.java
M frontend/webadmin/modules/frontend/src/test/java/org/ovirt/engine/ui/frontend/server/gwt/AbstractGwtDynamicHostPageServletTest.java
M frontend/webadmin/modules/frontend/src/test/java/org/ovirt/engine/ui/frontend/server/gwt/WebAdminHostPageServletTest.java
M frontend/webadmin/modules/gwt-common/exclude-filters.xml
M frontend/webadmin/modules/gwt-common/src/main/java/org/ovirt/engine/ui/common/auth/AutoLoginData.java
M frontend/webadmin/modules/gwt-common/src/main/java/org/ovirt/engine/ui/common/auth/CurrentUser.java
D frontend/webadmin/modules/gwt-common/src/main/java/org/ovirt/engine/ui/common/auth/SsoTokenData.java
M frontend/webadmin/modules/gwt-common/src/main/java/org/ovirt/engine/ui/common/gin/BaseSystemModule.java
D frontend/webadmin/modules/gwt-common/src/main/java/org/ovirt/engine/ui/common/restapi/EngineSessionTimeoutData.java
D frontend/webadmin/modules/gwt-common/src/main/java/org/ovirt/engine/ui/common/restapi/RestApiSessionAcquired.java
D frontend/webadmin/modules/gwt-common/src/main/java/org/ovirt/engine/ui/common/restapi/RestApiSessionManager.java
M frontend/webadmin/modules/gwt-common/src/main/java/org/ovirt/engine/ui/common/system/BaseApplicationInit.java
M frontend/webadmin/modules/gwt-common/src/main/java/org/ovirt/engine/ui/common/uicommon/UiCommonDefaultTypeResolver.java
M frontend/webadmin/modules/gwt-common/src/main/java/org/ovirt/engine/ui/common/uicommon/model/AbstractConsoleWithForeignMenu.java
M frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/ReportInit.java
M frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/restapi/HasForeignMenuData.java
M frontend/webadmin/modules/userportal-gwtp/pom.xml
M frontend/webadmin/modules/userportal-gwtp/src/main/java/org/ovirt/engine/ui/userportal/system/ApplicationInit.java
M frontend/webadmin/modules/webadmin/pom.xml
M frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/PluginEventHandler.java
M frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/plugin/PluginManager.java
M frontend/webadmin/modules/webadmin/src/main/java/org/ovirt/engine/ui/webadmin/system/ApplicationInit.java
30 files changed, 99 insertions(+), 704 deletions(-)

Approvals:
  Martin Peřina: Looks good to me, but someone else must approve
  Alexander Wels: Looks good to me, approved
  Jenkins CI: Passed CI tests
  Vojtech Szocs: Verified

--
To view, visit https://gerrit.ovirt.org/49278
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I62f943ae5798f0f148d84019f1ef6bec4d5ebf6a
Gerrit-PatchSet: 8
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Vojtech Szocs <vszocs@redhat.com>
Gerrit-Reviewer: Alexander Wels <awels@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alonbl@redhat.com>
Gerrit-Reviewer: Alona Kaplan <alkaplan@redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Juan Hernandez <juan.hernandez@redhat.com>
Gerrit-Reviewer: Martin Betak <mbetak@redhat.com>
Gerrit-Reviewer: Martin Peřina <mperina@redhat.com>
Gerrit-Reviewer: Michal Skrivanek <mskrivan@redhat.com>
Gerrit-Reviewer: Ori Liel <oliel@redhat.com>
Gerrit-Reviewer: Oved Ourfali <oourfali@redhat.com>
Gerrit-Reviewer: Ravi Nori <rnori@redhat.com>
Gerrit-Reviewer: Tomas Jelinek <tjelinek@redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vszocs@redhat.com>
Gerrit-Reviewer: gerrit-hooks <automation@ovirt.org>
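
Added example, not part of the commit or of oVirt's code: with the REST session gone, the SSO token is a bearer credential that each UI plugin attaches itself, so a plugin can gate where that header is sent. The helper names, the same-origin and HTTPS checks and the engine.example.test origin are assumptions of this sketch; only api.ssoToken() and the header names come from the commit message above.

```javascript
'use strict';

// Headers a caller may not set: "Prefer" and "JSESSIONID" are the legacy
// session headers the commit message says plugins no longer need;
// "Authorization" is reserved for this helper.
const BLOCKED_CALLER_HEADERS = ['prefer', 'jsessionid', 'authorization'];

// Build a request description for the Engine REST API (hypothetical helper).
// getSsoToken stands in for the plugin API's api.ssoToken().
function buildEngineRequest(targetUrl, engineOrigin, getSsoToken, extraHeaders = {}) {
  const engine = new URL(engineOrigin);
  const target = new URL(targetUrl, engineOrigin); // resolves relative paths

  // A bearer token is valid for whoever receives it, so only the Engine
  // origin may get it, and only over TLS (assumption of this example).
  if (target.origin !== engine.origin) {
    throw new Error('refusing to send SSO token to ' + target.origin);
  }
  if (target.protocol !== 'https:') {
    throw new Error('refusing to send SSO token over ' + target.protocol);
  }

  const headers = { Accept: 'application/json' };
  for (const [name, value] of Object.entries(extraHeaders)) {
    if (!BLOCKED_CALLER_HEADERS.includes(name.toLowerCase())) {
      headers[name] = value;
    }
  }
  // Read the token only after the checks pass, at request time.
  headers.Authorization = 'Bearer ' + getSsoToken();
  return { method: 'GET', url: target.href, headers };
}

// Browser-side sender, same XHR pattern as the commit message's snippet.
function sendEngineRequest(request, onData) {
  const xhr = new XMLHttpRequest();
  xhr.open(request.method, request.url);
  for (const [name, value] of Object.entries(request.headers)) {
    xhr.setRequestHeader(name, value);
  }
  xhr.addEventListener('load', function () {
    if (this.status === 200) onData(JSON.parse(this.responseText));
  });
  xhr.send();
}
```

In a plugin, the third argument would be `function () { return api.ssoToken(); }`.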