airavata-dev mailing list archives

From Supun Kamburugamuva <supu...@gmail.com>
Subject Re: Accessing the REST service from JavaScript
Date Wed, 12 Jun 2013 15:37:26 GMT
Hi Amila,

If the user name and password has to be set in the javascript, isn't that
bit odd? I'm not an expert in this area. But it seems not right.

Thanks,
Supun..


On Wed, Jun 12, 2013 at 11:06 AM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:

> Hi Suresh,
>
> This is not due to any technical reason or security issue.
> So the basic access authentication is the "default" authentication
> mechanism we are using. For that we need to have user name and password in
> request header and base64 encoded.
> If user name and password needs to be part of the request parameter, we
> need to implement a new Authenticator
> (org.apache.airavata.security.Authenticator) implementation. Further
>  framework will pick the new authenticator based on the implementation of
> "canProcess" method.
>
> Thanks
> Amila
>
>
> On Wed, Jun 12, 2013 at 10:48 AM, Suresh Marru <smarru@apache.org> wrote:
>
> > On Jun 12, 2013, at 10:35 AM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
> >
> > > Hi Viknes,
> > >
> > > You still need to set user name as an Authorisation header. I doubt you
> > > will be able to do this even, cos browsers don't allow any kind of http
> > > header manipulations.
> >
> > Amila, this is making me wonder again, is this a good idea to expect a
> > user id to be set in the request header? Why cannot we allow the user id
> > to be set as a parameter? Is this because of a security risk or any other
> > technical reasons?
> >
> > Suresh
> >
> > >
> > > Thanks
> > > Amila
> > >
> > >
> > > On Wed, Jun 12, 2013 at 10:29 AM, Viknes Balasubramanee <viknesb@msn.com> wrote:
> > >
> > >> I'd like to avoid a backend server of my own or a proxy server. My aim
> > >> is to develop a portable webapp of just HTML and JS pages that can be
> > >> included by any client. I am pretty sure I have successfully made cross
> > >> domain requests earlier. The only problem here is adding the
> > >> authorization header and these 2 browsers don't allow it.
> > >>
> > >> Amila,
> > >> When the security is disabled, should the username be still set in the
> > >> authorization header or can it be passed as a parameter or data
> > >> attribute?
> > >>
> > >> Thanks
> > >> Viknes
> > >>
> > >> -----Original Message-----
> > >> From: Amila Jayasekara [mailto:thejaka.amila@gmail.com]
> > >> Sent: Wednesday, June 12, 2013 9:28 AM
> > >> To: dev@airavata.apache.org
> > >> Cc: viknesb
> > >> Subject: Re: Accessing the REST service from JavaScript
> > >>
> > >> I am not quite sure, issue is more subtle I guess. Cos browser itself
> > >> doesn't allow us to manipulate headers.
> > >> But we can try and see.
> > >>
> > >> Thanks
> > >> Amila
> > >>
> > >>
> > >> On Wed, Jun 12, 2013 at 9:21 AM, Supun Kamburugamuva <supun06@gmail.com> wrote:
> > >>
> > >>> From the description my understanding was this is a cross domain
> > >>> scripting issue. If that is the case, using a proxy server will make
> > >>> all the requests go through the same server (domain) and avoid the
> > >>> issue.
> > >>>
> > >>> Thanks,
> > >>> Supun..
> > >>>
> > >>>
> > >>> On Wed, Jun 12, 2013 at 8:58 AM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
> > >>>
> > >>>> Hi Supun,
> > >>>>
> > >>>> Didn't quite understand how HTTPD is going to solve the issue. You
> > >>>> meant to (from browser) pass header in different format to HTTPD and
> > >>>> set headers at HTTPD server level? If this is possible could you also
> > >>>> point to a reference?
> > >>>>
> > >>>> Thanks
> > >>>> Amila
> > >>>>
> > >>>>
> > >>>> On Wed, Jun 12, 2013 at 8:28 AM, Supun Kamburugamuva <supun06@gmail.com> wrote:
> > >>>>
> > >>>>> You can try proxying all your requests through a HTTPD server. Maybe
> > >>>>> it will help.
> > >>>>>
> > >>>>> Thanks,
> > >>>>> Supun..
> > >>>>>
> > >>>>>
> > >>>>> On Wed, Jun 12, 2013 at 12:48 AM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
> > >>>>>
> > >>>>>> Hi Viknes,
> > >>>>>>
> > >>>>>> As discussed offline the reason for authentication failure is not
> > >>>>>> getting "Authorization" header to backend. We experienced that
> > >>>>>> Firefox and Chrome do not allow user to set headers while IE allows
> > >>>>>> user to set headers (Correct me if I am wrong). Further [1]
> > >>>>>> describes this restriction in detail.
> > >>>>>>
> > >>>>>> It seems like due to security reasons some browsers do not allow
> > >>>>>> user to manipulate headers. Maybe other Javascript experts can give
> > >>>>>> more feedback to solve this issue.
> > >>>>>>
> > >>>>>> Further even though you disable security Airavata needs a user id
> > >>>>>> to operate on. Therefore we still require a user id in the request
> > >>>>>> header.
> > >>>>>>
> > >>>>>> [1] http://news.anarchy46.net/2012/06/refused-to-set-unsafe-header.html
> > >>>>>>
> > >>>>>> Thanks
> > >>>>>> Amila
> > >>>>>>
> > >>>>>>
> > >>>>>> On Tue, Jun 11, 2013 at 11:42 PM, Viknes Balasubramanee <viknesb@msn.com> wrote:
> > >>>>>>
> > >>>>>>> Hi All,
> > >>>>>>>
> > >>>>>>> I am trying to get the list of experiments in Airavata by accessing
> > >>>>>>> the Registry API REST service from a webapp. When I make an AJAX
> > >>>>>>> request from JavaScript, I get an error in the browser console
> > >>>>>>> (FireBug) stating "Access denied to restricted URI". This is the
> > >>>>>>> URL that I am trying to hit:
> > >>>>>>>
> > >>>>>>> http://localhost:8080/airavata-registry/api/experimentregistry/get/experiments/all
> > >>>>>>>
> > >>>>>>> The URL works fine from the browser.
> > >>>>>>>
> > >>>>>>> 1. I have the basic authentication header set with the encoded
> > >>>>>>> username and password when I make the request. I have CORS enabled
> > >>>>>>> in jQuery. Yet, the request seems to fail.
> > >>>>>>> 2. In order to skip the authentication and try my request, I set
> > >>>>>>> the enabled parameter in authentication.xml to false:
> > >>>>>>> <authenticators enabled="false">. When I do so, I get the below
> > >>>>>>> exception if I try to connect to the registry from XBaya.
> > >>>>>>>
> > >>>>>>> org.apache.airavata.client.api.exception.AiravataAPIInvocationException: Error while initializing the Airavata API
> > >>>>>>>        at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:64)
> > >>>>>>>        at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:43)
> > >>>>>>>        at org.apache.airavata.xbaya.ui.dialogs.registry.RegistryWindow.getAiravataAPI(RegistryWindow.java:260)
> > >>>>>>> Caused by: org.apache.airavata.client.api.exception.AiravataAPIInvocationException: Error while initializing the Airavata API
> > >>>>>>>        at org.apache.airavata.client.AiravataClient.initialize(AiravataClient.java:163)
> > >>>>>>>        at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:61)
> > >>>>>>>        ... 99 more
> > >>>>>>> Caused by: java.lang.RuntimeException: Failed : HTTP error code : 500
> > >>>>>>>        at org.apache.airavata.rest.client.ConfigurationResourceClient.getEventingURI(ConfigurationResourceClient.java:519)
> > >>>>>>>        at org.apache.airavata.rest.client.RegistryClient.getEventingServiceURI(RegistryClient.java:164)
> > >>>>>>>        at org.apache.airavata.client.AiravataClient.createConfig(AiravataClient.java:115)
> > >>>>>>>
> > >>>>>>> Please let me know if I am missing something here. For most of the
> > >>>>>>> GSOC projects, we are developing webapp and I believe this would
> > >>>>>>> play an important role.
> > >>>>>>>
> > >>>>>>> Thanks
> > >>>>>>> Viknes
> > >>>>>>>
> > >>>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> --
> > >>>>> Supun Kamburugamuva
> > >>>>> Member, Apache Software Foundation; http://www.apache.org
> > >>>>> E-mail: supun06@gmail.com;  Mobile: +1 812 369 6762
> > >>>>> Blog: http://supunk.blogspot.com
> > >>>>>
> > >>>>
> > >>>
> > >>>
> > >>>
> > >>> --
> > >>> Supun Kamburugamuva
> > >>> Member, Apache Software Foundation; http://www.apache.org
> > >>> E-mail: supun06@gmail.com;  Mobile: +1 812 369 6762
> > >>> Blog: http://supunk.blogspot.com
> > >>>
> > >>
> >
> >
>



-- 
Supun Kamburugamuva
Member, Apache Software Foundation; http://www.apache.org
E-mail: supun06@gmail.com;  Mobile: +1 812 369 6762
Blog: http://supunk.blogspot.com
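The cross-origin Basic-auth exchange the thread is debugging, as an added example that is not from the thread or the Airavata code base: the client builds the Authorization header, and a CORS-aware endpoint answers the preflight a browser sends before it will attach that header, reflecting only an allowlisted origin. The origin allowlist, the permitted header names and the sample credentials are assumptions constructed for the example; Node.js is assumed for Buffer.

```javascript
// Added example, not code from the thread or the Airavata project.
// Assumes Node.js (Buffer is used for base64); the allowlisted origin,
// the permitted header set and any credentials used are constructed.
const ALLOWED_ORIGINS = new Set(["https://portal.example.org"]);
const ALLOWED_REQUEST_HEADERS = new Set(["authorization", "content-type"]);

// Client side: the value a browser sends in the Authorization header for
// HTTP Basic auth. The user name may not contain ':' because that byte
// delimits user and password inside the encoded token.
function basicAuthHeader(user, pass) {
  if (user.includes(":")) throw new Error("user name must not contain ':'");
  return "Basic " + Buffer.from(`${user}:${pass}`, "utf8").toString("base64");
}

// Server side: decide the CORS preflight (OPTIONS) that a browser issues
// before a cross-origin request carrying a non-simple header such as
// Authorization. Returns the response headers to emit, or null to refuse.
function preflightResponse(origin, accessControlRequestHeaders) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  const asked = (accessControlRequestHeaders || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!asked.every((h) => ALLOWED_REQUEST_HEADERS.has(h))) return null;
  return {
    // Reflect the specific allowlisted origin rather than answering "*".
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Access-Control-Allow-Methods": "GET, OPTIONS",
    "Vary": "Origin",
  };
}

// Server side: parse the Basic credentials on the real request.
// Returns { user, pass }, or null when the header is absent or malformed.
function parseBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/.exec(headerValue || "");
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return null; // no delimiter: not a Basic token
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}
```

A browser surfaces a refused preflight as a cross-origin error in its console rather than as a 401 from the endpoint, so the preflight response is the first thing to inspect when the same URL works when opened directly.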
