airavata-dev mailing list archives

From Lahiru Gunathilake <glah...@gmail.com>
Subject Re: Accessing the REST service from JavaScript
Date Tue, 18 Jun 2013 17:12:03 GMT
Looks like a good how-to section for Airavata, and Viknesh, you can add this
to your blog as a more generic solution; it will be useful for someone who
encounters the same issue.


Regards
Lahiru


On Tue, Jun 18, 2013 at 12:09 PM, Viknes Balasubramanee <viknesb@msn.com> wrote:

> Some more poking around, configuration changes and I was able to solve the
> issue. The REST calls will now be intercepted by the CORS filter first and
> then by the authentication filter (basic authentication) on the
> airavata-server side. Now, with the CORS filter, we can restrict the domains
> and type of operations that can access the REST API. This adds to the
> security of the API as well. I will create a JIRA issue and attach my work
> as a patch to it.
>
> Thanks
> Viknes
>
> -----Original Message-----
> From: Viknes Balasubramanee [mailto:viknesb@msn.com]
> Sent: Thursday, June 13, 2013 11:46 AM
> To: dev@airavata.apache.org
> Subject: RE: Accessing the REST service from JavaScript
>
> So the problem is Cross Domain Authorization. I spent some more time on this
> and added a CORS filter (CORS filter by eBay) on the airavata server side and
> tried the requests. This time, requests from both Firefox and Chrome were
> intercepted by the HttpAuthenticationFilter but still the authorization
> headers were not found and it returned a 401. This post [1] contains a
> similar problem in Spring Security. I'm guessing some configuration changes
> in Jersey could actually resolve it.
>
> [1] - http://stackoverflow.com/questions/10063597/jquery-cross-domain-basic-auth-call
>
> Thanks
> Viknes
>
> -----Original Message-----
> From: Amila Jayasekara [mailto:thejaka.amila@gmail.com]
> Sent: Wednesday, June 12, 2013 10:35 AM
> To: dev@airavata.apache.org; viknesb
> Subject: Re: Accessing the REST service from JavaScript
>
> Hi Viknes,
>
> You still need to set the user name as an Authorisation header. I doubt you
> will be able to do even this, cos browsers don't allow any kind of HTTP
> header manipulations.
>
> Thanks
> Amila
>
>
> On Wed, Jun 12, 2013 at 10:29 AM, Viknes Balasubramanee <viknesb@msn.com> wrote:
>
> > I'd like to avoid a backend server of my own or a proxy server. My aim
> > is to develop a portable webapp of just HTML and JS pages that can be
> > included by any client. I am pretty sure I have successfully made
> > cross domain requests earlier. The only problem here is adding the
> > authorization header and these 2 browsers don't allow it.
> >
> > Amila,
> > When the security is disabled, should the username still be set in the
> > authorization header or can it be passed as a parameter or data attribute?
> >
> > Thanks
> > Viknes
> >
> > -----Original Message-----
> > From: Amila Jayasekara [mailto:thejaka.amila@gmail.com]
> > Sent: Wednesday, June 12, 2013 9:28 AM
> > To: dev@airavata.apache.org
> > Cc: viknesb
> > Subject: Re: Accessing the REST service from JavaScript
> >
> > I am not quite sure, the issue is more subtle I guess. Cos the browser
> > itself doesn't allow us to manipulate headers.
> > But we can try and see.
> >
> > Thanks
> > Amila
> >
> >
> > On Wed, Jun 12, 2013 at 9:21 AM, Supun Kamburugamuva <supun06@gmail.com> wrote:
> >
> > > From the description my understanding was that this is a cross domain
> > > scripting issue. If that is the case, using a proxy server will make
> > > all the requests go through the same server (domain) and avoid the
> > > issue.
> > >
> > > Thanks,
> > > Supun..
> > >
> > >
> > > On Wed, Jun 12, 2013 at 8:58 AM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
> > >
> > > > Hi Supun,
> > > >
> > > > Didn't quite understand how HTTPD is going to solve the issue. You
> > > > meant to (from the browser) pass the header in a different format to
> > > > HTTPD and set headers at the HTTPD server level? If this is possible,
> > > > could you also point to a reference?
> > > >
> > > > Thanks
> > > > Amila
> > > >
> > > >
> > > > On Wed, Jun 12, 2013 at 8:28 AM, Supun Kamburugamuva <supun06@gmail.com> wrote:
> > > >
> > > > > You can try proxying all your requests through an HTTPD server.
> > > > > Maybe it will help.
> > > > >
> > > > > Thanks,
> > > > > Supun..
> > > > >
> > > > >
> > > > > On Wed, Jun 12, 2013 at 12:48 AM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
> > > > >
> > > > > > Hi Viknes,
> > > > > >
> > > > > > As discussed offline, the reason for the authentication failure is
> > > > > > not getting the "Authorization" header to the backend. We
> > > > > > experienced that Firefox and Chrome do not allow the user to set
> > > > > > headers while IE allows the user to set headers (correct me if I
> > > > > > am wrong). Further, [1] describes this restriction in detail.
> > > > > >
> > > > > > It seems like, due to security reasons, some browsers do not allow
> > > > > > the user to manipulate headers. Maybe other JavaScript experts can
> > > > > > give more feedback to solve this issue.
> > > > > >
> > > > > > Further, even though you disable security, Airavata needs a user
> > > > > > id to operate on. Therefore we still require a user id in the
> > > > > > request header.
> > > > > >
> > > > > > [1] http://news.anarchy46.net/2012/06/refused-to-set-unsafe-header.html
> > > > > >
> > > > > > Thanks
> > > > > > Amila
> > > > > >
> > > > > >
> > > > > > On Tue, Jun 11, 2013 at 11:42 PM, Viknes Balasubramanee <viknesb@msn.com> wrote:
> > > > > >
> > > > > > > Hi All,
> > > > > > >
> > > > > > > I am trying to get the list of experiments in Airavata by
> > > > > > > accessing the Registry API REST service from a webapp. When I
> > > > > > > make an AJAX request from JavaScript, I get an error in the
> > > > > > > browser console (FireBug) stating "Access denied to restricted
> > > > > > > URI". This is the URL that I am trying to hit:
> > > > > > >
> > > > > > > http://localhost:8080/airavata-registry/api/experimentregistry/get/experiments/all
> > > > > > >
> > > > > > > The URL works fine from the browser.
> > > > > > >
> > > > > > > 1. I have the basic authentication header set with the encoded
> > > > > > > username and password when I make the request. I have CORS
> > > > > > > enabled in jQuery. Yet, the request seems to fail.
> > > > > > > 2. In order to skip the authentication and try my request, I set
> > > > > > > the enabled parameter in authentication.xml to false:
> > > > > > > <authenticators enabled="false">.
> > > > > > > When I do so, I get the below exception if I try to connect to
> > > > > > > the registry from XBaya.
> > > > > > >
> > > > > > > org.apache.airavata.client.api.exception.AiravataAPIInvocationException: Error while initializing the Airavata API
> > > > > > >         at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:64)
> > > > > > >         at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:43)
> > > > > > >         at org.apache.airavata.xbaya.ui.dialogs.registry.RegistryWindow.getAiravataAPI(RegistryWindow.java:260)
> > > > > > > Caused by: org.apache.airavata.client.api.exception.AiravataAPIInvocationException: Error while initializing the Airavata API
> > > > > > >         at org.apache.airavata.client.AiravataClient.initialize(AiravataClient.java:163)
> > > > > > >         at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:61)
> > > > > > >         ... 99 more
> > > > > > > Caused by: java.lang.RuntimeException: Failed : HTTP error code : 500
> > > > > > >         at org.apache.airavata.rest.client.ConfigurationResourceClient.getEventingURI(ConfigurationResourceClient.java:519)
> > > > > > >         at org.apache.airavata.rest.client.RegistryClient.getEventingServiceURI(RegistryClient.java:164)
> > > > > > >         at org.apache.airavata.client.AiravataClient.createConfig(AiravataClient.java:115)
> > > > > > >
> > > > > > > Please let me know if I am missing something here. For most of
> > > > > > > the GSOC projects, we are developing webapps and I believe this
> > > > > > > would play an important role.
> > > > > > >
> > > > > > > Thanks
> > > > > > > Viknes
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Supun Kamburugamuva
> > > > > Member, Apache Software Foundation; http://www.apache.org
> > > > > E-mail: supun06@gmail.com;  Mobile: +1 812 369 6762
> > > > > Blog: http://supunk.blogspot.com
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Supun Kamburugamuva
> > > Member, Apache Software Foundation; http://www.apache.org
> > > E-mail: supun06@gmail.com;  Mobile: +1 812 369 6762
> > > Blog: http://supunk.blogspot.com
> > >
> >
>



-- 
System Analyst Programmer
PTI Lab
Indiana University
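
The filter order described in the 18 June message (CORS filter first, Basic authentication second), modelled as an added example that is not code from this thread, the eBay CORS filter or Airavata. Browsers send the CORS preflight (OPTIONS) without an Authorization header, so an authentication filter that sees it first answers 401; the allowlist, credentials and function names below are constructed assumptions.

```javascript
// Model of the order described above: CORS filter first, Basic authentication second.
// Assumptions: header names are lower-cased; allowlist and credentials are constructed.
const ALLOWED_ORIGINS = new Set(["https://portal.example.org"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);
const ALLOWED_HEADERS = new Set(["authorization", "content-type"]);
const USERS = new Map([["admin", "constructed-password"]]);

function corsFilter(req, next) {
  const origin = req.headers["origin"];
  if (!origin) return next(req); // no Origin header: not a cross-origin browser call
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  const cors = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  const wanted = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wanted) {
    // Preflight: the browser sends it without credentials, so answer it here.
    const asked = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.has(wanted) || !asked.every((h) => ALLOWED_HEADERS.has(h)))
      return { status: 403, headers: {} };
    return { status: 204, headers: { ...cors,
      "Access-Control-Allow-Methods": [...ALLOWED_METHODS].join(", "),
      "Access-Control-Allow-Headers": [...ALLOWED_HEADERS].join(", ") } };
  }
  const res = next(req); // actual request: continue to authentication
  return { ...res, headers: { ...res.headers, ...cors } };
}

function basicAuthFilter(req, next) {
  const m = /^Basic (.+)$/.exec(req.headers["authorization"] || "");
  const [user, ...rest] = m ? Buffer.from(m[1], "base64").toString().split(":") : [];
  if (!m || USERS.get(user) !== rest.join(":"))
    return { status: 401, headers: { "WWW-Authenticate": 'Basic realm="example"' } };
  return next(req);
}

const resource = () => ({ status: 200, headers: {} });
const corsFirst = (req) => corsFilter(req, (r) => basicAuthFilter(r, resource));
const authOnly = (req) => basicAuthFilter(req, resource); // no CORS filter in front

// Constructed preflight, as sent before a cross-origin GET carrying Authorization.
const preflight = { method: "OPTIONS", headers: { origin: "https://portal.example.org",
  "access-control-request-method": "GET",
  "access-control-request-headers": "authorization" } };
console.log("CORS first:", corsFirst(preflight).status, "auth only:", authOnly(preflight).status);
```

In this model a disallowed origin is rejected outright with 403; a filter may instead simply omit the CORS response headers and let the browser block the response.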
