[ovirt-devel] UI plugins - talking with Engine via JSESSIONID now requires separate request header

Alon Bar-Lev alonbl at redhat.com
Tue Jul 15 18:22:06 UTC 2014 


----- Original Message -----
> From: "Vojtech Szocs" <vszocs at redhat.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>
> Sent: Tuesday, July 15, 2014 9:18:44 PM
> Subject: Re: [ovirt-devel] UI plugins - talking with Engine via JSESSIONID now requires separate request header
> 
> 
> 
> ----- Original Message -----
> > From: "Alon Bar-Lev" <alonbl at redhat.com>
> > To: "Vojtech Szocs" <vszocs at redhat.com>
> > Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>, "René Koch"
> > <r.koch at ovido.at>
> > Sent: Tuesday, July 15, 2014 7:47:35 PM
> > Subject: Re: [ovirt-devel] UI plugins - talking with Engine via JSESSIONID
> > now requires separate request header
> > 
> > 
> > 
> > ----- Original Message -----
> > > From: "Vojtech Szocs" <vszocs at redhat.com>
> > > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>, "René Koch"
> > > <r.koch at ovido.at>
> > > Sent: Tuesday, July 15, 2014 8:40:30 PM
> > > Subject: Re: [ovirt-devel] UI plugins - talking with Engine via
> > > JSESSIONID
> > > now requires separate request header
> > > 
> > > 
> > > 
> > > ----- Original Message -----
> > > > From: "Alon Bar-Lev" <alonbl at redhat.com>
> > > > To: "Vojtech Szocs" <vszocs at redhat.com>
> > > > Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>, "René Koch"
> > > > <r.koch at ovido.at>
> > > > Sent: Tuesday, July 15, 2014 7:17:40 PM
> > > > Subject: Re: [ovirt-devel] UI plugins - talking with Engine via
> > > > JSESSIONID
> > > > now requires separate request header
> > > > 
> > > > 
> > > > Can we have X-OVIRT-SESSIONID header name or any generic term and per
> > > > ovirt
> > > > specific instead of generic java terms?
> > > 
> > > Good question. In general I agree, JavaEE's default "JSESSIONID" naming
> > > convention for custom header (or cookie) is not very meaningful in multi
> > > app deployment.
> > > 
> > > However, I'd rather avoid "X-" prefix [1].
> > > 
> > > [1]
> > > http://stackoverflow.com/questions/3561381/custom-http-headers-naming-conventions
> > > 
> > > Currently, it is the "JSESSIONID" cookie which maps to the session.
> > > Currently, "JSESSIONID" custom header is only for CSRF-protection,
> > > i.e. to be compared with cookie value (cookie is still required in
> > > order to reuse existing session).
> > > 
> > > AFAIK, Juan plans to support passing session ID via custom HTTP
> > > header, as an alternative to passing session ID via cookie. When
> > > this gets done, the custom HTTP header should be named something
> > > like "OVIRT-SESSIONID".
> > 
> > I do not see any reason why not to use this (or any other non JSESSIONID)
> > name for header now.
> 
> Yes, we could also change it now, because JSESSIONID header was
> introduced only recently by http://gerrit.ovirt.org/#/c/29681/
> 
> However I think this is not really "Engine session ID", but rather
> "Java webapp session ID" - AFAIK, real Engine session ID is stored
> inside Java webapp session attribute - see SessionConstants
> HTTP_SESSION_ENGINE_SESSION_ID_KEY ("ovirt_aaa_engineSessionId").
> 
> But we can consider real Engine session ID as impl. detail, so we
> can rename JSESSIONID to OVIRT-SESSIONID or similar.
> 
> As for the cookie name, I'm not aware of any way to change it in
> JBoss. I think that even Java servlet spec says it must be called
> JSESSIONID. (But then again, in future I'd like to avoid using that
> cookie altogether, in favor of using custom OVIRT-SESSIONID header.)
> 

it is not important what session id it is... it can be the jboss now and other later, what important is that we do not change the interface in future, so that the session id whatever it may be is set within header that is forward compatible.

the fact that we have a cookie is nice, may have some value (or not...), but cookie is set by server and sent by client automatically, so naming is not important.

> > 
> > > 
> > > > 
> > > > ----- Original Message -----
> > > > > From: "Vojtech Szocs" <vszocs at redhat.com>
> > > > > To: devel at ovirt.org
> > > > > Cc: "Oved Ourfalli" <ovedo at redhat.com>, "René Koch" <r.koch at ovido.at>
> > > > > Sent: Tuesday, July 15, 2014 8:06:19 PM
> > > > > Subject: [ovirt-devel] UI plugins - talking with Engine via
> > > > > JSESSIONID
> > > > > now
> > > > > requires separate request header
> > > > > 
> > > > > Hi guys,
> > > > > 
> > > > > please be advised, patch for master [1] as well as ovirt-engine-3.5
> > > > > [2]
> > > > > branch was merged recently. This patch enables CSRF (Cross-Site
> > > > > Request
> > > > > Forgery) protection for REST API session acquired by WebAdmin UI
> > > > > plugin
> > > > > infrastructure.
> > > > > 
> > > > > If you maintain UI plugin(s) and utilize "RestApiSessionAcquired"
> > > > > event
> > > > > handler function, i.e. your UI plugin (JavaScript) calls Engine
> > > > > directly
> > > > > or you pass the session ID to some other system which calls Engine,
> > > > > make
> > > > > sure that any request to Engine contains both:
> > > > > 
> > > > >   * JSESSIONID cookie (as today)
> > > > >   * JSESSIONID request header (this is new)
> > > > > 
> > > > > For CSRF-protected session [3], REST API backend compares these
> > > > > values
> > > > > and if not successful, it responds with HTTP 403 (Forbidden) which
> > > > > will
> > > > > break the communication with Engine.
> > > > > 
> > > > > As mentioned above, this applies to all UI plugins deployed on Engine
> > > > > WebAdmin version 3.5 and later.
> > > > > 
> > > > > In order to stay compatible with older (unpatched) UI plugins, we
> > > > > could
> > > > > introduce some Engine config parameter to control whether the REST
> > > > > API
> > > > > session for UI plugins should use CSRF protection or not.
> > > > > 
> > > > > [1] http://gerrit.ovirt.org/#/c/29682/
> > > > > [2] http://gerrit.ovirt.org/#/c/29850/
> > > > > [3] details in commit message of http://gerrit.ovirt.org/#/c/29849/
> > > > > 
> > > > > Regards,
> > > > > Vojtech
> > > > > _______________________________________________
> > > > > Devel mailing list
> > > > > Devel at ovirt.org
> > > > > http://lists.ovirt.org/mailman/listinfo/devel
> > > > > 
> > > > 
> > > 
> > 
>

More information about the Devel mailing list