[ovirt-devel] UI plugins - talking with Engine via JSESSIONID now requires separate request header

Vojtech Szocs vszocs at redhat.com
Tue Jul 15 18:58:42 UTC 2014



----- Original Message -----
> From: "Sven Kieske" <svenkieske at gmail.com>
> To: devel at ovirt.org
> Sent: Tuesday, July 15, 2014 8:26:59 PM
> Subject: Re: [ovirt-devel] UI plugins - talking with Engine via JSESSIONID now requires separate request header
> 
> Just a few questions from someone
> who relies on the rest api:
> 
> Background:
> I use rest not for UI plugins
> but for general management stuff
> (basically all ovirt operations which are possible via rest)
> I don't use the cookie based session management
> but pure rest (stateless).
> 
> Questions:
> 1. Will stateless rest sessions always be supported
> or do you plan to change this in the future to just allow
> cookie based access (so no real rest api, as
> it's not stateless anymore)?

My understanding is that the REST API's session management
feature is something on top of the (stateless) REST / HTTP
concept, so I'd say that the "stateless" approach (sending
user credentials with each request, without using any
session) should always be supported.

> 
> 2. Does this change just affect UI plugins or also
> other rest api usages?

It just affects UI plugins deployed on Engine 3.5 or
later, which are talking to Engine via the session ID
provided by the "RestApiSessionAcquired" hook.

> If it does affect other usages, which one?
> Just cookie based operations?

None of the above :)

In general, when you ask REST API to create session
("Prefer: persistent-auth" header), you can also tell
the preference whether you want to CSRF-protect it
("Prefer: csrf-protection") or not.

If a REST API session is marked as CSRF-protected,
in addition to sending the JSESSIONID cookie, you must
also send a JSESSIONID _header_ with the same value.

(WebAdmin UI plugin infra acquires a CSRF-protected
REST API session for all UI plugins.)

> 
> thanks in advance
> 
> Sven
> 
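
The cookie-plus-header rule described in the reply above, as an added example that is not part of the original message and is not oVirt Engine code. The session store, function names, reason strings and session IDs are assumptions made for illustration; only the JSESSIONID cookie and JSESSIONID header come from the thread.

```javascript
// Added illustration; not oVirt Engine code. Models the rule from the thread:
// a CSRF-protected session needs the JSESSIONID cookie AND a JSESSIONID
// header carrying the same value.

// Pull one cookie value out of a raw Cookie header ("a=1; JSESSIONID=abc").
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Compare without stopping at the first differing character.
function sameValue(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// headers: map with lower-cased names. sessions: hypothetical store,
// session id -> { csrfProtected }.
function checkRequest(headers, sessions) {
  const cookieId = readCookie(headers["cookie"], "JSESSIONID");
  const session = cookieId ? sessions.get(cookieId) : undefined;
  if (!session) return { ok: false, reason: "no-session" };
  if (!session.csrfProtected) return { ok: true, reason: "unprotected-session" };
  // A cross-site form or image request carries the cookie automatically
  // but cannot add a custom header, so the header is what gets checked.
  if (!sameValue(headers["jsessionid"], cookieId)) {
    return { ok: false, reason: "csrf-header-mismatch" };
  }
  return { ok: true, reason: "header-matches-cookie" };
}

// Headers as the server sees them for a request that follows the rule.
function pluginHeaders(sessionId) {
  return { cookie: "JSESSIONID=" + sessionId, jsessionid: sessionId };
}

// Constructed sample sessions (IDs are made up).
const SAMPLE_SESSIONS = new Map([
  ["constructed-id-1", { csrfProtected: true }],
  ["constructed-id-2", { csrfProtected: false }],
]);
```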


