Bug 1032508

Summary: The GWT applications should use /api/ instead of /api to avoid sending credentials to /rhevm-reports
Product: Red Hat Enterprise Virtualization Manager
Reporter: Juan Hernández <juan.hernandez>
Component: ovirt-engine-webadmin-portal
Assignee: Juan Hernández <juan.hernandez>
Status: CLOSED CURRENTRELEASE
QA Contact: Barak Dagan <bdagan>
Severity: urgent
Priority: urgent
Docs Contact:
Version: 3.3.0
CC: acathrow, bazulay, ecohen, iheim, pstehlik, Rhev-m-bugs, sherold, yeylon, ylavi
Target Milestone: ---
Keywords: TestBlocker, Triaged
Target Release: 3.3.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Fixed In Version: is24.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1038284

Description Juan Hernández 2013-11-20 10:21:59 UTC
Description of problem:

The GWT applications need to call RESTAPI in order to get a session id that can then be handed to UI plugins. They do this by sending a request to the /api URL. This URL is protected with basic authentication, so the application server sends back a response requiring authentication. When the browser sees this response it will send the credentials and will remember that it has to send the credentials again with any request to a URL that starts with / (the result of removing anything from the end of the first URL that required authentication up to the first slash). In this case it means that it will send the credentials with any request, in particular with requests for the reports URL. The reports application doesn't tolerate this: when it sees an authentication header it assumes that it has to perform authentication itself, and this breaks the SSO implementation.


Version-Release number of selected component (if applicable):

rhevm-3.3


How reproducible:

Always.


Steps to Reproduce:

1. Install RHEV, including the reports application.
2. Close the browser to avoid cached sessions and authentication credentials.
3. Connect to webadmin and in the data centers main tab right click in the default data center and from the popup menu select any report.


Actual results:

A new browser tab is opened and it asks for user name and password using basic authentication (a browser popup for realm "Protected area").


Expected results:

The reports application should go directly to the report without requiring any additional authentication.


Additional info:

This problem can be avoided by modifying the GUI so that it requests /api/ instead of /api; that way the browser will only send the credentials to the URLs starting with /api/ and not to all the URLs.
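The browser behaviour described in this report, as an added example that is not part of the bug report or of the oVirt/RHEV code base: a minimal model of how a browser scopes cached Basic credentials. RFC 7617 defines the protection space of a challenge as the origin plus the request path with everything after its last slash removed, and allows the browser to send the same credentials preemptively to any URI inside that space. The host rhevm.example.com, the credentials and the /rhevm-reports/flow.html and /api/vms paths are constructed for the illustration; only /api, /api/ and /rhevm-reports come from the report.

```javascript
// Added example, not code from the bug report or from oVirt/RHEV.
// Models a browser's Basic-auth credential cache well enough to show why a
// challenge on "/api" leaks credentials to "/rhevm-reports" while "/api/" does not.

// RFC 7617 section 2.2: protection space = origin + path truncated after the last "/".
function protectionSpace(challengeUrl) {
  const u = new URL(challengeUrl);
  const dir = u.pathname.slice(0, u.pathname.lastIndexOf('/') + 1);
  return u.origin + dir;
}

class BasicAuthCache {
  constructor() {
    // protection-space prefix -> Authorization header value
    this.spaces = new Map();
  }

  // Called after a 401 with "WWW-Authenticate: Basic" on challengeUrl, once the
  // user has typed credentials into the browser popup.
  onChallenge(challengeUrl, username, password) {
    const token = Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
    this.spaces.set(protectionSpace(challengeUrl), `Basic ${token}`);
  }

  // Returns the Authorization header the browser would attach preemptively to
  // requestUrl, or null if the URL lies outside every remembered space.
  headerFor(requestUrl) {
    const u = new URL(requestUrl);
    const target = u.origin + u.pathname;
    for (const [space, value] of this.spaces) {
      if (target.startsWith(space)) return value;
    }
    return null;
  }
}

// Reproduces the scenario from the report for a given API path:
// webadmin requests apiPath, gets challenged, the user authenticates, and the
// reports application is opened in a new tab on the same origin.
function credentialsLeakToReports(apiPath) {
  const origin = 'https://rhevm.example.com'; // constructed host
  const cache = new BasicAuthCache();
  cache.onChallenge(`${origin}${apiPath}`, 'admin@internal', 'secret'); // constructed credentials
  return {
    space: protectionSpace(`${origin}${apiPath}`),
    // true means the reports app receives an Authorization header it did not ask for
    reports: cache.headerFor(`${origin}/rhevm-reports/flow.html`) !== null,
    // the REST API itself should still get the credentials in both cases
    api: cache.headerFor(`${origin}/api/vms`) !== null,
  };
}

console.log('/api  ->', credentialsLeakToReports('/api'));
console.log('/api/ ->', credentialsLeakToReports('/api/'));
```

With the challenge on /api the protection space collapses to the site root, so every same-origin request, the reports tab included, carries the Basic header; with /api/ the space is /api/ and only REST API requests do. Note that the fix narrows the leak rather than eliminating it: anything else served under /api/ on the same origin would still receive the cached credentials.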

Comment 1 Barak Dagan 2013-12-01 11:22:39 UTC
Verified in is25.

reports was loaded without browser authentication popup

Comment 2 Itamar Heim 2014-01-21 22:28:05 UTC
Closing - RHEV 3.3 Released

Comment 3 Itamar Heim 2014-01-21 22:28:05 UTC
Closing - RHEV 3.3 Released

Comment 4 Itamar Heim 2014-01-21 22:31:03 UTC
Closing - RHEV 3.3 Released