airavata-dev mailing list archives

From Amila Jayasekara <thejaka.am...@gmail.com>
Subject Re: Accessing the REST service from JavaScript
Date Wed, 12 Jun 2013 16:22:45 GMT
Hi Suresh,

For all API operations we need a system user. As of now the only way to
send system user information is through an HTTP header. Even if you disable the
security we need to send the system user id in the "Authorisation" header
(without password). This has been working with Java clients and we didn't
have a requirement to handle new methodologies to handle user information.

The solution I see: since we cannot set security headers in the header, we
need to send security information by some other means (as parameters). So
to handle this we need a new Authenticator which can process request
parameters, extract user information and set it in the appropriate
object.

Also, basic access authentication is a widely used authentication mechanism,
so I wonder how others are tackling this issue.
Posts [1] and [2] have a bit of information.

[1] http://stackoverflow.com/questions/3258645/pass-request-headers-in-a-jquery-ajax-get-call/3258685#3258685
[2] http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method

Thanks
Amila



On Wed, Jun 12, 2013 at 12:01 PM, Suresh Marru <smarru@apache.org> wrote:

> That makes sense now.
>
> So back to Viknes question, he needs to send a gateway admin user (or a
> end user with admin privileges) so he can get status of all experiments.
> For this he doesn't need to manipulate the user information in header
> right? Sorry these questions are naive but I am trying to understand the
> information needed to authenticate vs the actual query.
>
> Suresh
>
> On Jun 12, 2013, at 11:56 AM, Amila Jayasekara <thejaka.amila@gmail.com>
> wrote:
>
> > Hi Suresh,
> >
> > You are correct the user we refer is system user. (In other words the user
> > that interact with all internal operations such as registry etc ...). For
> > portal users, we get user attribute through the context header.
> >
> > Thanks
> > Amila
> >
> >
> > On Wed, Jun 12, 2013 at 11:40 AM, Suresh Marru <smarru@apache.org> wrote:
> >
> >> Thanks Amila.
> >>
> >> Just to clarify the user here is the system user (or the gateway admin)
> >> right? Can you please also elaborate on how this will look like for sending
> >> gateway end user id?
> >>
> >> Suresh
> >>
> >> On Jun 12, 2013, at 11:06 AM, Amila Jayasekara <thejaka.amila@gmail.com>
> >> wrote:
> >>
> >>> Hi Suresh,
> >>>
> >>> This is not due to any technical reason or security issue.
> >>> So the basic access authentication is the "default" authentication
> >>> mechanism we are using. For that we need to have user name and password in
> >>> request header and base64 encoded.
> >>> If user name and password needs to be part of the request parameter, we
> >>> need to implement a new Authenticator
> >>> (org.apache.airavata.security.Authenticator) implementation. Further
> >>> framework will pick the new authenticator based on the implementation of
> >>> "canProcess" method.
> >>>
> >>> Thanks
> >>> Amila
> >>>
> >>>
> >>> On Wed, Jun 12, 2013 at 10:48 AM, Suresh Marru <smarru@apache.org> wrote:
> >>>
> >>>> On Jun 12, 2013, at 10:35 AM, Amila Jayasekara <thejaka.amila@gmail.com>
> >>>> wrote:
> >>>>
> >>>>> Hi Viknes,
> >>>>>
> >>>>> You still need to set user name as an Authorisation header. I doubt you
> >>>>> will be able to do this even, cos browsers don't allow any kind of http
> >>>>> header manipulations.
> >>>>
> >>>> Amila, this is making me wonder again, is this a good idea to expect a
> >>>> user id to be set in the request header? Why cannot we allow the user
> >>>> id to be set as a parameter? Is this because of a security risk or any
> >>>> other technical reasons?
> >>>>
> >>>> Suresh
> >>>>
> >>>>>
> >>>>> Thanks
> >>>>> Amila
> >>>>>
> >>>>>
> >>>>> On Wed, Jun 12, 2013 at 10:29 AM, Viknes Balasubramanee <viknesb@msn.com>
> >>>>> wrote:
> >>>>>
> >>>>>> I'd like to avoid a backend server of my own or a proxy server. My aim
> >>>>>> is to develop a portable webapp of just HTML and JS pages that can be
> >>>>>> included by any client. I am pretty sure I have successfully made cross
> >>>>>> domain requests earlier. The only problem here is adding the authorization
> >>>>>> header and these 2 browsers don't allow it.
> >>>>>>
> >>>>>> Amila,
> >>>>>> When the security is disabled, should the username be still set in the
> >>>>>> authorization header or can it be passed as a parameter or data
> >>>>>> attribute.
> >>>>>>
> >>>>>> Thanks
> >>>>>> Viknes
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Amila Jayasekara [mailto:thejaka.amila@gmail.com]
> >>>>>> Sent: Wednesday, June 12, 2013 9:28 AM
> >>>>>> To: dev@airavata.apache.org
> >>>>>> Cc: viknesb
> >>>>>> Subject: Re: Accessing the REST service from JavaScript
> >>>>>>
> >>>>>> I am not quite sure, issue is more subtle I guess. Cos browser itself
> >>>>>> doesn't allow us to manipulate headers.
> >>>>>> But we can try and see.
> >>>>>>
> >>>>>> Thanks
> >>>>>> Amila
> >>>>>>
> >>>>>>
> >>>>>> On Wed, Jun 12, 2013 at 9:21 AM, Supun Kamburugamuva
> >>>>>> <supun06@gmail.com> wrote:
> >>>>>>
> >>>>>>> From the description my understand was this is a cross domain
> >>>>>>> scripting issue. If that is the case, using a proxy server will make
> >>>>>>> all the requests to go through the same server (domain) and avoid the
> >>>>>>> issue.
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>> Supun..
> >>>>>>>
> >>>>>>>
> >>>>>>> On Wed, Jun 12, 2013 at 8:58 AM, Amila Jayasekara
> >>>>>>> <thejaka.amila@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> Hi Supun,
> >>>>>>>>
> >>>>>>>> Didn't quite understand how HTTPD going to solve the issue. You
> >>>>>>>> meant to (from browser) pass header in different format to HTTPD and
> >>>>>>>> set headers at HTTPD server level? If this is possible could you also
> >>>>>>>> point to a reference?
> >>>>>>>>
> >>>>>>>> Thanks
> >>>>>>>> Amila
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Wed, Jun 12, 2013 at 8:28 AM, Supun Kamburugamuva <supun06@gmail.com>
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>>> You can try proxying all your requests through a HTTPD server. May
> >>>>>>>>> be it will help.
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>> Supun..
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Wed, Jun 12, 2013 at 12:48 AM, Amila Jayasekara
> >>>>>>>>> <thejaka.amila@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> Hi Viknes,
> >>>>>>>>>>
> >>>>>>>>>> As discussed offline the reason for authentication failure is not
> >>>>>>>>>> getting "Authorization" header to backend. We experienced that Firefox
> >>>>>>>>>> and Chrome does not allow user to set headers while IE allow user to
> >>>>>>>>>> set headers (Correct me if I am wrong). Further [1] describes this
> >>>>>>>>>> restriction in detail.
> >>>>>>>>>>
> >>>>>>>>>> It seems like due to security reasons some browsers does not allow
> >>>>>>>>>> user to manipulate headers. Maybe other Javascript experts can give
> >>>>>>>>>> more feedback to solve this issue.
> >>>>>>>>>>
> >>>>>>>>>> Further even though you disable security Airavata needs a user id to
> >>>>>>>>>> operate on. Therefore we still require a user id in the request
> >>>>>>>>>> header.
> >>>>>>>>>>
> >>>>>>>>>> [1] http://news.anarchy46.net/2012/06/refused-to-set-unsafe-header.html
> >>>>>>>>>>
> >>>>>>>>>> Thanks
> >>>>>>>>>> Amila
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> On Tue, Jun 11, 2013 at 11:42 PM, Viknes Balasubramanee <viknesb@msn.com>
> >>>>>>>>>> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Hi All,
> >>>>>>>>>>>
> >>>>>>>>>>> I am trying to get the list of experiments in Airavata by accessing
> >>>>>>>>>>> the Registry API REST service from a webapp. When I make an AJAX
> >>>>>>>>>>> request from JavaScript, I get an error in the browser console
> >>>>>>>>>>> (FireBug) stating "Access denied to restricted URI". This is the URL
> >>>>>>>>>>> that I am trying to hit:
> >>>>>>>>>>>
> >>>>>>>>>>> http://localhost:8080/airavata-registry/api/experimentregistry/get/experiments/all
> >>>>>>>>>>>
> >>>>>>>>>>> The URL works fine from the browser.
> >>>>>>>>>>>
> >>>>>>>>>>> 1. I have the basic authentication header set with the encoded
> >>>>>>>>>>> username and password when I make the request. I have CORS enabled
> >>>>>>>>>>> in jQuery. Yet, the request seems to fail.
> >>>>>>>>>>> 2. In order to skip the authentication and try my request, I set the
> >>>>>>>>>>> enabled parameter in authentication.xml to false:
> >>>>>>>>>>> <authenticators enabled="false">. When I do so, I get the below
> >>>>>>>>>>> exception if I try to connect to the registry from XBaya.
> >>>>>>>>>>>
> >>>>>>>>>>> org.apache.airavata.client.api.exception.AiravataAPIInvocationException:
> >>>>>>>>>>> Error while initializing the Airavata API
> >>>>>>>>>>>      at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:64)
> >>>>>>>>>>>      at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:43)
> >>>>>>>>>>>      at org.apache.airavata.xbaya.ui.dialogs.registry.RegistryWindow.getAiravataAPI(RegistryWindow.java:260)
> >>>>>>>>>>> Caused by: org.apache.airavata.client.api.exception.AiravataAPIInvocationException:
> >>>>>>>>>>> Error while initializing the Airavata API
> >>>>>>>>>>>      at org.apache.airavata.client.AiravataClient.initialize(AiravataClient.java:163)
> >>>>>>>>>>>      at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:61)
> >>>>>>>>>>>      ... 99 more
> >>>>>>>>>>> Caused by: java.lang.RuntimeException: Failed : HTTP error code : 500
> >>>>>>>>>>>      at org.apache.airavata.rest.client.ConfigurationResourceClient.getEventingURI(ConfigurationResourceClient.java:519)
> >>>>>>>>>>>      at org.apache.airavata.rest.client.RegistryClient.getEventingServiceURI(RegistryClient.java:164)
> >>>>>>>>>>>      at org.apache.airavata.client.AiravataClient.createConfig(AiravataClient.java:115)
> >>>>>>>>>>>
> >>>>>>>>>>> Please let me know if I am missing something here. For most of the
> >>>>>>>>>>> GSOC projects, we are developing webapp and I believe this would play
> >>>>>>>>>>> an important role.
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks
> >>>>>>>>>>> Viknes
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> Supun Kamburugamuva
> >>>>>>>>> Member, Apache Software Foundation; http://www.apache.org
> >>>>>>>>> E-mail: supun06@gmail.com;  Mobile: +1 812 369 6762
> >>>>>>>>> Blog: http://supunk.blogspot.com
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> Supun Kamburugamuva
> >>>>>>> Member, Apache Software Foundation; http://www.apache.org
> >>>>>>> E-mail: supun06@gmail.com;  Mobile: +1 812 369 6762
> >>>>>>> Blog: http://supunk.blogspot.com
> >>>>>>>
> >>>>>>
> >>>>
> >>>>
> >>
> >>
>
>
