airavata-dev mailing list archives

From Viknes Balasubramanee <vikn...@msn.com>
Subject RE: Accessing the REST service from JavaScript
Date Tue, 18 Jun 2013 16:09:02 GMT
Some more poking around, configuration changes and I was able to solve the
issue. The REST calls will now be intercepted by the CORS filter first and
then by the authentication filter (basic authentication) on the airavata-server
side. Now, with the CORS filter, we can restrict the domains and types of
operations that can access the REST API. This adds to the security of the API
as well. I will create a JIRA issue and attach my work as a patch to it.

Thanks
Viknes
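
The filter ordering described in the message above, as an added sketch that is not part of the original message or of Airavata's code: it models a CORS filter and a basic-authentication filter as plain functions and runs the preflight `OPTIONS` request (which browsers send without an `Authorization` header) through both orderings. All function names, the allowed origin and the sample requests are constructed for illustration.

```javascript
// Added example: models the server-side filter order; every name here is hypothetical.
const ALLOWED_ORIGINS = new Set(["http://portal.example.org"]); // constructed value
const ALLOWED_METHODS = new Set(["GET", "POST"]);
const ALLOWED_HEADERS = new Set(["authorization", "content-type"]);

// CORS filter: answers preflights itself, rejects unlisted origins, else passes on.
function corsFilter(req, next) {
  const origin = req.headers["origin"];
  if (origin === undefined) return next(req); // not a cross-origin browser call
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  const cors = { "access-control-allow-origin": origin, "vary": "Origin" };
  const wanted = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wanted !== undefined) { // preflight request
    const hdrs = (req.headers["access-control-request-headers"] || "")
      .split(",").map(h => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.has(wanted) || !hdrs.every(h => ALLOWED_HEADERS.has(h)))
      return { status: 403, headers: {} };
    return { status: 204, headers: { ...cors,
      "access-control-allow-methods": [...ALLOWED_METHODS].join(", "),
      "access-control-allow-headers": [...ALLOWED_HEADERS].join(", ") } };
  }
  const res = next(req); // actual request: continue down the chain
  return { status: res.status, headers: { ...res.headers, ...cors } };
}

// Basic-auth filter: only checks that a Basic Authorization header is present
// (credential validation is out of scope for this sketch).
function basicAuthFilter(req, next) {
  const auth = req.headers["authorization"] || "";
  if (!auth.startsWith("Basic "))
    return { status: 401, headers: { "www-authenticate": "Basic" } };
  return next(req);
}

const resource = () => ({ status: 200, headers: {} });
const corsFirst = req => corsFilter(req, r => basicAuthFilter(r, resource));
const authFirst = req => basicAuthFilter(req, r => corsFilter(r, resource));

// Constructed requests: the preflight a browser sends before a cross-origin GET
// that carries an Authorization header, then the GET itself.
const preflight = { method: "OPTIONS", headers: { "origin": "http://portal.example.org",
  "access-control-request-method": "GET",
  "access-control-request-headers": "authorization" } };
const actual = { method: "GET", headers: { "origin": "http://portal.example.org",
  "authorization": "Basic dXNlcjpwYXNz" } }; // base64 of constructed "user:pass"
```

With the authentication filter first, the preflight is rejected with 401 before any CORS headers are produced; with the CORS filter first, the preflight is answered directly and only the actual request reaches authentication.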

-----Original Message-----
From: Viknes Balasubramanee [mailto:viknesb@msn.com]
Sent: Thursday, June 13, 2013 11:46 AM
To: dev@airavata.apache.org
Subject: RE: Accessing the REST service from JavaScript

So the problem is Cross Domain Authorization. I spent some more time on this
and added a CORS filter (CORS filter by eBay) on the airavata server side and
tried the requests. This time, requests from both Firefox and Chrome were
intercepted by the HttpAuthenticationFilter but still the authorization
headers were not found and it returned a 401. This post [1] contains a similar
problem in Spring Security. I'm guessing some configuration changes in Jersey
could actually resolve it.

[1] http://stackoverflow.com/questions/10063597/jquery-cross-domain-basic-auth-call

Thanks
Viknes

-----Original Message-----
From: Amila Jayasekara [mailto:thejaka.amila@gmail.com]
Sent: Wednesday, June 12, 2013 10:35 AM
To: dev@airavata.apache.org; viknesb
Subject: Re: Accessing the REST service from JavaScript

Hi Viknes,

You still need to set user name as an Authorisation header. I doubt you will be
able to do this even, cos browsers don't allow any kind of http header
manipulations.

Thanks
Amila


On Wed, Jun 12, 2013 at 10:29 AM, Viknes Balasubramanee <viknesb@msn.com> wrote:

> I'd like to avoid a backend server of my own or a proxy server. My aim
> is to develop a portable webapp of just HTML and JS pages that can be
> included by any client. I am pretty sure I have successfully made
> cross domain requests earlier. The only problem here is adding the
> authorization header and these 2 browsers don't allow it.
>
> Amila,
> When the security is disabled, should the username be still set in the
> authorization header or can it be passed as a parameter or data attribute?
>
> Thanks
> Viknes
>
> -----Original Message-----
> From: Amila Jayasekara [mailto:thejaka.amila@gmail.com]
> Sent: Wednesday, June 12, 2013 9:28 AM
> To: dev@airavata.apache.org
> Cc: viknesb
> Subject: Re: Accessing the REST service from JavaScript
>
> I am not quite sure, issue is more subtle I guess. Cos browser itself
> doesn't allow us to manipulate headers.
> But we can try and see.
>
> Thanks
> Amila
>
>
> On Wed, Jun 12, 2013 at 9:21 AM, Supun Kamburugamuva <supun06@gmail.com> wrote:
>
> > From the description my understanding was this is a cross domain
> > scripting issue. If that is the case, using a proxy server will make
> > all the requests to go through the same server (domain) and avoid
> > the issue.
> >
> > Thanks,
> > Supun..
> >
> >
> > On Wed, Jun 12, 2013 at 8:58 AM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
> >
> > > Hi Supun,
> > >
> > > Didn't quite understand how HTTPD is going to solve the issue. You
> > > meant to (from browser) pass header in different format to HTTPD
> > > and set headers at HTTPD server level? If this is possible could you
> > > also point to a reference?
> > >
> > > Thanks
> > > Amila
> > >
> > >
> > > On Wed, Jun 12, 2013 at 8:28 AM, Supun Kamburugamuva <supun06@gmail.com> wrote:
> > >
> > > > You can try proxying all your requests through a HTTPD server.
> > > > Maybe it will help.
> > > >
> > > > Thanks,
> > > > Supun..
> > > >
> > > >
> > > > On Wed, Jun 12, 2013 at 12:48 AM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
> > > >
> > > > > Hi Viknes,
> > > > >
> > > > > As discussed offline the reason for authentication failure is not
> > > > > getting "Authorization" header to backend. We experienced that Firefox
> > > > > and Chrome do not allow user to set headers while IE allows user to set
> > > > > headers (Correct me if I am wrong). Further [1] describes this
> > > > > restriction in detail.
> > > > >
> > > > > It seems like due to security reasons some browsers do not allow user
> > > > > to manipulate headers. Maybe other Javascript experts can give more
> > > > > feedback to solve this issue.
> > > > >
> > > > > Further even though you disable security Airavata needs a user id to
> > > > > operate on. Therefore we still require a user id in the request header.
> > > > >
> > > > > [1] http://news.anarchy46.net/2012/06/refused-to-set-unsafe-header.html
> > > > >
> > > > > Thanks
> > > > > Amila
> > > > >
> > > > >
> > > > > > On Tue, Jun 11, 2013 at 11:42 PM, Viknes Balasubramanee <viknesb@msn.com> wrote:
> > > > > >
> > > > > > > Hi All,
> > > > > > >
> > > > > > > I am trying to get the list of experiments in Airavata by accessing the
> > > > > > > Registry API REST service from a webapp. When I make an AJAX request from
> > > > > > > JavaScript, I get an error in the browser console (FireBug) stating "Access
> > > > > > > denied to restricted URI". This is the URL that I am trying to hit
> > > > > > >
> > > > > > > http://localhost:8080/airavata-registry/api/experimentregistry/get/experiments/all
> > > > > > >
> > > > > > > The URL works fine from the browser.
> > > > > > >
> > > > > > > 1. I have the basic authentication header set with the encoded username and
> > > > > > > password when I make the request. I have CORS enabled in jQuery. Yet, the
> > > > > > > request seems to fail.
> > > > > > > 2. In order to skip the authentication and try my request, I set the enabled
> > > > > > > parameter in authentication.xml to false. <authenticators enabled="false">.
> > > > > > > When I do so, I get the below exception if I try to connect to the registry
> > > > > > > from XBaya.
> > > > > > >
> > > > > > > org.apache.airavata.client.api.exception.AiravataAPIInvocationException: Error while initializing the Airavata API
> > > > > > >         at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:64)
> > > > > > >         at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:43)
> > > > > > >         at org.apache.airavata.xbaya.ui.dialogs.registry.RegistryWindow.getAiravataAPI(RegistryWindow.java:260)
> > > > > > > Caused by: org.apache.airavata.client.api.exception.AiravataAPIInvocationException: Error while initializing the Airavata API
> > > > > > >         at org.apache.airavata.client.AiravataClient.initialize(AiravataClient.java:163)
> > > > > > >         at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:61)
> > > > > > >         ... 99 more
> > > > > > > Caused by: java.lang.RuntimeException: Failed : HTTP error code : 500
> > > > > > >         at org.apache.airavata.rest.client.ConfigurationResourceClient.getEventingURI(ConfigurationResourceClient.java:519)
> > > > > > >         at org.apache.airavata.rest.client.RegistryClient.getEventingServiceURI(RegistryClient.java:164)
> > > > > > >         at org.apache.airavata.client.AiravataClient.createConfig(AiravataClient.java:115)
> > > > > > >
> > > > > > > Please let me know if I am missing something here. For most of the GSOC
> > > > > > > projects, we are developing webapp and I believe this would play an
> > > > > > > important role.
> > > > > > >
> > > > > > > Thanks
> > > > > > > Viknes
> > > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Supun Kamburugamuva
> > > > Member, Apache Software Foundation; http://www.apache.org
> > > > E-mail: supun06@gmail.com;  Mobile: +1 812 369 6762
> > > > Blog: http://supunk.blogspot.com
> > > >
> > >
> >
> >
> >
> > --
> > Supun Kamburugamuva
> > Member, Apache Software Foundation; http://www.apache.org
> > E-mail: supun06@gmail.com;  Mobile: +1 812 369 6762
> > Blog: http://supunk.blogspot.com
> >
>
