[ovirt-devel] UI plugins - talking with Engine via JSESSIONID now requires separate request header

Thu Jul 24 07:31:12 UTC 2014

On 07/24/2014 08:13 AM, Alon Bar-Lev wrote:
> 
> 
> ----- Original Message -----
>> From: "Vojtech Szocs" <vszocs at redhat.com>
>> To: "Alon Bar-Lev" <alonbl at redhat.com>, "Juan Antonio Hernandez Fernandez" <jhernand at redhat.com>
>> Cc: devel at ovirt.org
>> Sent: Tuesday, July 15, 2014 9:46:52 PM
>> Subject: Re: [ovirt-devel] UI plugins - talking with Engine via JSESSIONID now requires separate request header
>>
>>
>>
>> ----- Original Message -----
>>> From: "Alon Bar-Lev" <alonbl at redhat.com>
>>> To: "Vojtech Szocs" <vszocs at redhat.com>
>>> Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>
>>> Sent: Tuesday, July 15, 2014 8:22:06 PM
>>> Subject: Re: [ovirt-devel] UI plugins - talking with Engine via JSESSIONID
>>> now requires separate request header
>>>
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Vojtech Szocs" <vszocs at redhat.com>
>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>> Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>
>>>> Sent: Tuesday, July 15, 2014 9:18:44 PM
>>>> Subject: Re: [ovirt-devel] UI plugins - talking with Engine via
>>>> JSESSIONID
>>>> now requires separate request header
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Alon Bar-Lev" <alonbl at redhat.com>
>>>>> To: "Vojtech Szocs" <vszocs at redhat.com>
>>>>> Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>, "René Koch"
>>>>> <r.koch at ovido.at>
>>>>> Sent: Tuesday, July 15, 2014 7:47:35 PM
>>>>> Subject: Re: [ovirt-devel] UI plugins - talking with Engine via
>>>>> JSESSIONID
>>>>> now requires separate request header
>>>>>
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Vojtech Szocs" <vszocs at redhat.com>
>>>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>>>> Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>, "René Koch"
>>>>>> <r.koch at ovido.at>
>>>>>> Sent: Tuesday, July 15, 2014 8:40:30 PM
>>>>>> Subject: Re: [ovirt-devel] UI plugins - talking with Engine via
>>>>>> JSESSIONID
>>>>>> now requires separate request header
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Alon Bar-Lev" <alonbl at redhat.com>
>>>>>>> To: "Vojtech Szocs" <vszocs at redhat.com>
>>>>>>> Cc: devel at ovirt.org, "Oved Ourfalli" <ovedo at redhat.com>, "René
>>>>>>> Koch"
>>>>>>> <r.koch at ovido.at>
>>>>>>> Sent: Tuesday, July 15, 2014 7:17:40 PM
>>>>>>> Subject: Re: [ovirt-devel] UI plugins - talking with Engine via
>>>>>>> JSESSIONID
>>>>>>> now requires separate request header
>>>>>>>
>>>>>>>
>>>>>>> Can we have X-OVIRT-SESSIONID header name or any generic term and
>>>>>>> per
>>>>>>> ovirt
>>>>>>> specific instead of generic java terms?
>>>>>>
>>>>>> Good question. In general I agree, JavaEE's default "JSESSIONID"
>>>>>> naming
>>>>>> convention for custom header (or cookie) is not very meaningful in
>>>>>> multi
>>>>>> app deployment.
>>>>>>
>>>>>> However, I'd rather avoid "X-" prefix [1].
>>>>>>
>>>>>> [1]
>>>>>> http://stackoverflow.com/questions/3561381/custom-http-headers-naming-conventions
>>>>>>
>>>>>> Currently, it is the "JSESSIONID" cookie which maps to the session.
>>>>>> Currently, "JSESSIONID" custom header is only for CSRF-protection,
>>>>>> i.e. to be compared with cookie value (cookie is still required in
>>>>>> order to reuse existing session).
>>>>>>
>>>>>> AFAIK, Juan plans to support passing session ID via custom HTTP
>>>>>> header, as an alternative to passing session ID via cookie. When
>>>>>> this gets done, the custom HTTP header should be named something
>>>>>> like "OVIRT-SESSIONID".
>>>>>
>>>>> I do not see any reason why not to use this (or any other non
>>>>> JSESSIONID)
>>>>> name for header now.
>>>>
>>>> Yes, we could also change it now, because JSESSIONID header was
>>>> introduced only recently by http://gerrit.ovirt.org/#/c/29681/
>>>>
>>>> However I think this is not really "Engine session ID", but rather
>>>> "Java webapp session ID" - AFAIK, real Engine session ID is stored
>>>> inside Java webapp session attribute - see SessionConstants
>>>> HTTP_SESSION_ENGINE_SESSION_ID_KEY ("ovirt_aaa_engineSessionId").
>>>>
>>>> But we can consider real Engine session ID as impl. detail, so we
>>>> can rename JSESSIONID to OVIRT-SESSIONID or similar.
>>>>
>>>> As for the cookie name, I'm not aware of any way to change it in
>>>> JBoss. I think that even Java servlet spec says it must be called
>>>> JSESSIONID. (But then again, in future I'd like to avoid using that
>>>> cookie altogether, in favor of using custom OVIRT-SESSIONID header.)
>>>>
>>>
>>> it is not important what session id it is... it can be the jboss now and
>>> other later, what important is that we do not change the interface in
>>> future, so that the session id whatever it may be is set within header that
>>> is forward compatible.
>>
>> I agree.
>>
>> @Juan, can we change JSESSIONID header to OVIRT-SESSIONID or similar,
>> in scope of REST API webapp?
>>
>> (Also to be used in future instead of JSESSIONID cookie, to associate
>> client request with REST API / Engine session.)
>>
> 
> ?????
> 

Yes, we can change it. But we won't because doing so doesn't have any
benefit.

>>>
>>> the fact that we have a cookie is nice, may have some value (or not...),
>>> but
>>> cookie is set by server and sent by client automatically, so naming is not
>>> important.
>>
>> Right, web browsers take care of cookies automatically and other
>> clients can prefer to use custom header like OVIRT-SESSIONID,
>> if they want.
>>
>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Vojtech Szocs" <vszocs at redhat.com>
>>>>>>>> To: devel at ovirt.org
>>>>>>>> Cc: "Oved Ourfalli" <ovedo at redhat.com>, "René Koch"
>>>>>>>> <r.koch at ovido.at>
>>>>>>>> Sent: Tuesday, July 15, 2014 8:06:19 PM
>>>>>>>> Subject: [ovirt-devel] UI plugins - talking with Engine via
>>>>>>>> JSESSIONID
>>>>>>>> now
>>>>>>>> requires separate request header
>>>>>>>>
>>>>>>>> Hi guys,
>>>>>>>>
>>>>>>>> please be advised, patch for master [1] as well as
>>>>>>>> ovirt-engine-3.5
>>>>>>>> [2]
>>>>>>>> branch was merged recently. This patch enables CSRF (Cross-Site
>>>>>>>> Request
>>>>>>>> Forgery) protection for REST API session acquired by WebAdmin UI
>>>>>>>> plugin
>>>>>>>> infrastructure.
>>>>>>>>
>>>>>>>> If you maintain UI plugin(s) and utilize "RestApiSessionAcquired"
>>>>>>>> event
>>>>>>>> handler function, i.e. your UI plugin (JavaScript) calls Engine
>>>>>>>> directly
>>>>>>>> or you pass the session ID to some other system which calls
>>>>>>>> Engine,
>>>>>>>> make
>>>>>>>> sure that any request to Engine contains both:
>>>>>>>>
>>>>>>>>   * JSESSIONID cookie (as today)
>>>>>>>>   * JSESSIONID request header (this is new)
>>>>>>>>
>>>>>>>> For CSRF-protected session [3], REST API backend compares these
>>>>>>>> values
>>>>>>>> and if not successful, it responds with HTTP 403 (Forbidden)
>>>>>>>> which
>>>>>>>> will
>>>>>>>> break the communication with Engine.
>>>>>>>>
>>>>>>>> As mentioned above, this applies to all UI plugins deployed on
>>>>>>>> Engine
>>>>>>>> WebAdmin version 3.5 and later.
>>>>>>>>
>>>>>>>> In order to stay compatible with older (unpatched) UI plugins, we
>>>>>>>> could
>>>>>>>> introduce some Engine config parameter to control whether the
>>>>>>>> REST
>>>>>>>> API
>>>>>>>> session for UI plugins should use CSRF protection or not.
>>>>>>>>
>>>>>>>> [1] http://gerrit.ovirt.org/#/c/29682/
>>>>>>>> [2] http://gerrit.ovirt.org/#/c/29850/
>>>>>>>> [3] details in commit message of
>>>>>>>> http://gerrit.ovirt.org/#/c/29849/
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Vojtech
>>>>>>>> _______________________________________________
>>>>>>>> Devel mailing list
>>>>>>>> Devel at ovirt.org
>>>>>>>> http://lists.ovirt.org/mailman/listinfo/devel
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>

-- 
Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.