From: Viknes Balasubramanee
Subject: RE: Accessing the REST service from JavaScript
Date: Tue, 18 Jun 2013 12:09:02 -0400
Delivered-To: mailing list dev@airavata.apache.org

Some more poking around, configuration changes and I was able to solve the issue. The REST calls will now be intercepted by the CORS filter first and then by the authentication filter (basic authentication) in the airavata-server side. Now, with the CORS filter, we can restrict the domains, type of operations that can access the REST API. This adds to the security of the API as well.

I will create a JIRA issue and attach my work as a patch to it.

Thanks
Viknes

-----Original Message-----
From: Viknes Balasubramanee [mailto:viknesb@msn.com]
Sent: Thursday, June 13, 2013 11:46 AM
To: dev@airavata.apache.org
Subject: RE: Accessing the REST service from JavaScript

So the problem is Cross Domain Authorization. I spent some more time on this and added a CORS filter (CORS filter by eBay) on the airavata server side and tried the requests. This time, requests from both Firefox and Chrome were intercepted by the HttpAuthenticationFilter but still the authorization headers were not found and it returned a 401. This post [1] contains a similar problem in Spring Security. I'm guessing some configuration changes in Jersey could actually resolve it.

[1] - http://stackoverflow.com/questions/10063597/jquery-cross-domain-basic-auth-call

Thanks
Viknes

-----Original Message-----
From: Amila Jayasekara [mailto:thejaka.amila@gmail.com]
Sent: Wednesday, June 12, 2013 10:35 AM
To: dev@airavata.apache.org; viknesb
Subject: Re: Accessing the REST service from JavaScript

Hi Viknes,

You still need to set user name as an Authorisation header. I doubt you will be able to do this even, cos browsers don't allow any kind of http header manipulations.

Thanks
Amila

On Wed, Jun 12, 2013 at 10:29 AM, Viknes Balasubramanee wrote:
> I'd like to avoid a backend server of my own or a proxy server. My aim
> is to develop a portable webapp of just HTML and JS pages that can be
> included by any client. I am pretty sure I have successfully made
> cross domain requests earlier. The only problem here is adding the
> authorization header and these 2 browsers don't allow it.
>
> Amila,
> When the security is disabled, should the username be still set in the
> authorization header or can it be passed as a parameter or data attribute.
>
> Thanks
> Viknes
>
> -----Original Message-----
> From: Amila Jayasekara [mailto:thejaka.amila@gmail.com]
> Sent: Wednesday, June 12, 2013 9:28 AM
> To: dev@airavata.apache.org
> Cc: viknesb
> Subject: Re: Accessing the REST service from JavaScript
>
> I am not quite sure, issue is more subtle I guess. Cos browser itself
> doesn't allow us to manipulate headers.
> But we can try and see.
>
> Thanks
> Amila
>
> On Wed, Jun 12, 2013 at 9:21 AM, Supun Kamburugamuva wrote:
>
> > From the description my understanding was this is a cross domain
> > scripting issue. If that is the case, using a proxy server will make
> > all the requests to go through the same server (domain) and avoid
> > the issue.
> >
> > Thanks,
> > Supun..
> >
> > On Wed, Jun 12, 2013 at 8:58 AM, Amila Jayasekara wrote:
> >
> > > Hi Supun,
> > >
> > > Didn't quite understand how HTTPD going to solve the issue. You
> > > meant to (from browser) pass header in different format to HTTPD
> > > and set headers at HTTPD server level ? If this is possible could
> > > you also point to a reference ?
> > >
> > > Thanks
> > > Amila
> > >
> > > On Wed, Jun 12, 2013 at 8:28 AM, Supun Kamburugamuva wrote:
> > >
> > > > You can try proxying all your requests through a HTTPD server.
> > > > Maybe it will help.
> > > >
> > > > Thanks,
> > > > Supun..
> > > >
> > > > On Wed, Jun 12, 2013 at 12:48 AM, Amila Jayasekara wrote:
> > > >
> > > > > Hi Viknes,
> > > > >
> > > > > As discussed offline the reason for authentication failure is not
> > > > > getting "Authorization" header to backend. We experienced that
> > > > > Firefox and Chrome does not allow user to set headers while IE
> > > > > allow user to set headers (Correct me if I am wrong). Further [1]
> > > > > describes this restriction in detail.
> > > > >
> > > > > It seems like due to security reasons some browsers does not allow
> > > > > user to manipulate headers. Maybe other Javascript experts can
> > > > > give more feedback to solve this issue.
> > > > >
> > > > > Further even though you disable security Airavata needs a user id
> > > > > to operate on. Therefore we still require a user id in the request
> > > > > header.
> > > > >
> > > > > [1] http://news.anarchy46.net/2012/06/refused-to-set-unsafe-header.html
> > > > >
> > > > > Thanks
> > > > > Amila
> > > > >
> > > > > On Tue, Jun 11, 2013 at 11:42 PM, Viknes Balasubramanee <viknesb@msn.com> wrote:
> > > > >
> > > > > > Hi All,
> > > > > >
> > > > > > I am trying to get the list of experiments in Airavata by accessing the
> > > > > > Registry API REST service from a webapp. When I make an AJAX request from
> > > > > > JavaScript, I get an error in the browser console(FireBug) stating "Access
> > > > > > denied to restricted URI". This is the URL that I am trying to hit
> > > > > >
> > > > > > http://localhost:8080/airavata-registry/api/experimentregistry/get/experiments/all .
> > > > > > The URL works fine from the browser.
> > > > > >
> > > > > > 1. I have the basic authentication header set with the encoded username and
> > > > > > password when I make the request. I have CORS enabled in jQuery. Yet, the
> > > > > > request seems to fail.
> > > > > > 2. In order to skip the authentication and try my request, I set the enabled
> > > > > > parameter in authentication.xml to false. enabled="false">.
> > > > > > When I do so, I get the below exception if I try to connect to the registry
> > > > > > from XBaya.
> > > > > >
> > > > > > org.apache.airavata.client.api.exception.AiravataAPIInvocationException:
> > > > > > Error while initializing the Airavata API
> > > > > > at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:64)
> > > > > > at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:43)
> > > > > > at org.apache.airavata.xbaya.ui.dialogs.registry.RegistryWindow.getAiravataAPI(RegistryWindow.java:260)
> > > > > > Caused by:
> > > > > > org.apache.airavata.client.api.exception.AiravataAPIInvocationException:
> > > > > > Error while initializing the Airavata API
> > > > > > at org.apache.airavata.client.AiravataClient.initialize(AiravataClient.java:163)
> > > > > > at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:61)
> > > > > > ... 99 more
> > > > > > Caused by: java.lang.RuntimeException: Failed : HTTP error code : 500
> > > > > > at org.apache.airavata.rest.client.ConfigurationResourceClient.getEventingURI(ConfigurationResourceClient.java:519)
> > > > > > at org.apache.airavata.rest.client.RegistryClient.getEventingServiceURI(RegistryClient.java:164)
> > > > > > at org.apache.airavata.client.AiravataClient.createConfig(AiravataClient.java:115)
> > > > > >
> > > > > > Please let me know if I am missing something here. For most of the GSOC
> > > > > > projects, we are developing webapp and I believe this would play an
> > > > > > important role.
> > > > > >
> > > > > > Thanks
> > > > > > Viknes
> > > >
> > > > --
> > > > Supun Kamburugamuva
> > > > Member, Apache Software Foundation; http://www.apache.org
> > > > E-mail: supun06@gmail.com; Mobile: +1 812 369 6762
> > > > Blog: http://supunk.blogspot.com
> >
> > --
> > Supun Kamburugamuva
> > Member, Apache Software Foundation; http://www.apache.org
> > E-mail: supun06@gmail.com; Mobile: +1 812 369 6762
> > Blog: http://supunk.blogspot.com
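
The filter ordering described in the 18 Jun message at the top of this thread (CORS filter first, then basic authentication), as an added JavaScript model that is not part of the original e-mails or of Airavata's code. The origin allow-list, credentials and all function names are hypothetical; it shows why a browser preflight, which carries no Authorization header, gets a usable answer only when the CORS filter runs before the authentication filter.

```javascript
// Added model of the two server-side filters; every name and value is hypothetical.
const ALLOWED_ORIGINS = new Set(["http://portal.example:9000"]); // constructed
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// CORS filter: rejects unknown origins, answers preflights itself, and adds
// the CORS response headers to whatever the rest of the chain returns.
function corsFilter(req, next) {
  const origin = req.headers["origin"];
  if (!origin) return next(req); // not a cross-origin browser request
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  const cors = { "access-control-allow-origin": origin, vary: "Origin" };
  const wanted = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wanted) {
    // Preflight: the browser sends it without the Authorization header.
    const asked = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wanted) &&
      asked.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers: {} };
    return { status: 204, headers: { ...cors,
      "access-control-allow-methods": ALLOWED_METHODS.join(", "),
      "access-control-allow-headers": ALLOWED_HEADERS.join(", ") } };
  }
  const res = next(req);
  return { ...res, headers: { ...res.headers, ...cors } };
}

// Basic authentication filter: 401 unless the header decodes to the expected
// pair. The comparison is a stand-in for a real credential store lookup.
function basicAuthFilter(req, next) {
  const m = /^Basic ([A-Za-z0-9+/=]+)$/.exec(req.headers["authorization"] || "");
  const creds = m ? Buffer.from(m[1], "base64").toString("utf8") : "";
  if (creds !== "demo-user:demo-pass") {
    return { status: 401, headers: { "www-authenticate": 'Basic realm="api"' } };
  }
  return next(req);
}

const resource = () => ({ status: 200, headers: {}, body: "[]" });

// Build a handler that runs the filters in the order given.
function chain(...filters) {
  return filters.reduceRight((next, f) => (req) => f(req, next), resource);
}

const corsFirst = chain(corsFilter, basicAuthFilter); // order from the thread
const authFirst = chain(basicAuthFilter, corsFilter); // order for comparison

// Constructed requests, header names lower-cased as a server would see them.
const ORIGIN = "http://portal.example:9000";
const preflight = { method: "OPTIONS", headers: { origin: ORIGIN,
  "access-control-request-method": "GET",
  "access-control-request-headers": "authorization" } };
const actual = { method: "GET", headers: { origin: ORIGIN,
  authorization: "Basic " + Buffer.from("demo-user:demo-pass").toString("base64") } };

console.log(corsFirst(preflight).status, authFirst(preflight).status,
  corsFirst(actual).status);
```

With authentication first, the preflight is answered 401 with no CORS headers, so the browser never sends the real request; an origin outside the allow-list is refused before credentials are examined at all.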