Bug 1033090

Summary: When webadmin redirects to reports the browser shows resend confirmation dialog
Product: Red Hat Enterprise Virtualization Manager
Reporter: Juan Hernández <juan.hernandez>
Component: jasperreports-server-pro
Assignee: Juan Hernández <juan.hernandez>
Status: CLOSED ERRATA
QA Contact: Barak Dagan <bdagan>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 3.3.0
CC: acathrow, bazulay, iheim, juan.hernandez, pstehlik, Rhev-m-bugs, sherold, yeylon, ylavi
Target Milestone: ---
Keywords: Triaged
Target Release: 3.3.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Fixed In Version: IS25 - rhevm-reports-3.3.0-23.el6ev.noarch.rpm
Doc Type: Bug Fix
Doc Text:
Previously, when accessing reports from the administration portal, the browser opened a new tab with the following message: "To display this page, Firefox must send information that will repeat any action (such as search or order confirmation) that was performed earlier." This has been fixed by removing the Javascript code that checks authentication and resubmits the request, so this confirmation message no longer appears.
Story Points: ---
Clone Of:
: 1053234
Environment:
Last Closed: 2014-01-21 17:45:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1038284, 1053234
Attachments:
Description Flags
Screenshot of the confirmation dialog none

Description Juan Hernández 2013-11-21 14:25:26 UTC
Description of problem:

When the user opens webadmin and selects a report from the popup menu the browser opens a new tab and shows a confirmation dialog with the following text:

---8<---
To display this page, Firefox must send information that will repeat any action (such as search or order confirmation) that was performed earlier.
--->8---


Version-Release number of selected component (if applicable):

rhev-3.3


How reproducible:

Always.


Steps to Reproduce:

1. Install RHEV-M and the reports application.
2. Close the browser and open it again, as this situation only happens with a fresh browser session.
3. Go to webadmin and in the data centers main tab select the default data center, right click and select any report.


Actual results:

The browser opens a new tab and before displaying the reports application it shows the confirmation dialog described above. After clicking the "Resend" button in that dialog the reports application is displayed correctly.


Expected results:

The reports application should be displayed without the confirmation dialog.


Additional info:

This only happens with a fresh browser session.

Comment 1 Juan Hernández 2013-11-21 14:32:37 UTC
This is the POST request that is sent twice, one without confirmation, second one after clicking "Resend":

---8<---
POST /rhevm-reports/flow.html?viewAsDashboardFrame=false HTTP/1.1
Host: rhel.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://rhel.example.com/webadmin/webadmin/WebAdmin.html?locale=en_US
Cookie: userLocale=en_US; userTimezone=Europe/Madrid; locale=en_US
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 235

sessionID=6m9vudQBEVicuxDJV3b-mH0r&_flowId=viewReportFlow&active_hosts_select=AND%2Bdelete_date%2BIS%2BNULL&userLocale=en_US&reportUnit=%2FReports%2FExecutive%2Factive_vms_by_os_br18&P_DataCenter_ID=5849b030-626e-47cb-ad90-3ce782d831b3
--->8---

The integration mechanism between webadmin and reports works as follows:

1. When a report is selected in webadmin the GWT application creates a new frame named "_blank" (this corresponds to a new tab by default) and generates a form inside this frame that when posted will send the above request.

2. Immediately the GWT application forces the post of the form, which loads the reports application in the new tab.

I don't yet understand what is forcing the browser to post the same form again.

Comment 2 Juan Hernández 2013-11-21 14:35:39 UTC
Created attachment 827242
Screenshot of the confirmation dialog

Comment 3 Juan Hernández 2013-11-21 16:23:53 UTC
I have tested replacing the /rhevm-reports application with a dummy application that has only a dummy flow.html page. With this dummy application the integration works correctly, there is no repeated post or confirmation dialog. This probably means that whatever forces the repeated post is in the reports application itself, and may be completely legitimate. As the browser shows this dialog only for POST requests I think that we can solve this issue using GET instead.

Comment 5 Juan Hernández 2013-11-21 17:02:31 UTC
Agreed, GET isn't an option, I am retiring the proposed patch.

Comment 6 Juan Hernández 2013-11-21 18:33:37 UTC
This is the sequence of requests that leads to the confirmation dialog displayed by the browser:

1. Connect to webadmin and authenticate with your user name and password. This will have the side effect of generating a session cookie.

2. In the data centers main tab right click in the default data center and select the first report (BR18).

3. Webadmin dynamically creates a new browser tab (or window, it is just a new frame named "_blank") and will populate it with a form similar to this one:

<form action="/rhevm-reports/flow.html?viewAsDashboardFrame=false" method="post">
<input type="hidden" name="sessionID" value="the value of the JSESSIONID cookie"/>
<input type="hidden" name="_flowId" value="viewReportFlow"/>
<input type="hidden" name="active_hosts_select" value="AND delete_date IS NULL"/>
<input type="hidden" name="userLocale" value="en_US"/>
<input type="hidden" name="reportUnit" value="/Reports/Executive/active_vms_by_os_br18"/>
<input type="hidden" name="P_DataCenter_ID" value="the id of the default datacenter"/>
</form>

3. Webadmin will automatically submit this form, with a request like this:

POST /rhevm-reports/flow.html?viewAsDashboardFrame=false HTTP/1.1
Host: rhel.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://rhel.example.com/webadmin/a.html
Cookie: userLocale=en_US; locale=en_US
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 229

sessionID=the_value_of_the_JSESSIONID_cookie&_flowId=viewReportFlow&active_hosts_select=AND+delete_date+IS+NULL&userLocale=en_US&reportUnit=%2FReports%2FExecutive%2Factive_vms_by_os_br18&P_DataCenter_ID=the_id_of_the_data_center

4. The reports application responds like this:

200 OK
Date: Thu, 21 Nov 2013 17:49:00 GMT
P3P: CP="ALL"
Set-Cookie: JSESSIONID=Nln6WPijJnWqgfFQ1V2f6-N6; Path=/rhevm-reports
Set-Cookie: userLocale=en_US;Expires=Fri, 22-Nov-2013 17:49:00 GMT;HttpOnly
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
X-Powered-By: JSP/2.2
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 11546
Connection: close

The body of this response is too long to post here, but I guess that it contains a copy of the parameters of the initial request:

Report.allRequestParameters = {"_flowId":["viewReportFlow"],"sessionID":["the_value_of_the_JSESSIONID_cookie"],"P_DataCenter_ID":["the_id_of_the_data_center"],"active_hosts_select":["AND delete_date IS NULL"],"userLocale":["en_US"],"reportUnit":["/Reports/Executive/active_vms_by_os_br18"],"viewAsDashboardFrame":["false"]};

I guess that this is saved in order to submit the form again after authentication.

4. The HTML page in the body returned in the previous step makes a reference to the following JavaScript resource:

<script type="text/javascript" src="/rhevm-reports/getRequirejsConfig.html"></script>

So the browser tries to fetch this with the following request:

GET /rhevm-reports/getRequirejsConfig.html HTTP/1.1
Host: rhel.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: */*
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://rhel.example.com/rhevm-reports/flow.html?viewAsDashboardFrame=false
Cookie: userLocale=en_US; JSESSIONID=Nln6WPijJnWqgfFQ1V2f6-N6; locale=en_US
Connection: keep-alive

5. The reports application responds with a redirection to the login page:

HTTP/1.1 302 Moved Temporarily
Date: Thu, 21 Nov 2013 17:49:00 GMT
P3P: CP="ALL"
Location: http://rhel.example.com/rhevm-reports/login.html
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

6. The browser then goes to the new location:

GET /rhevm-reports/login.html HTTP/1.1
Host: rhel.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://rhel.example.com/rhevm-reports/flow.html?viewAsDashboardFrame=false
Cookie: userLocale=en_US; JSESSIONID=Nln6WPijJnWqgfFQ1V2f6-N6; locale=en_US
Connection: keep-alive

7. The reports application responds with this:

HTTP/1.1 200 OK
Date: Thu, 21 Nov 2013 17:49:01 GMT
P3P: CP="ALL"
X-Powered-By: JSP/2.2
LoginRequested: true
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 9939
Connection: close

I guess that the HTML page that this returns contains JavaScript code that checks if the user is already authenticated and then uses the Referer header and the saved form parameters to submit the original form again. It is here where the browser displays the confirmation dialog.

Comment 7 Yaniv Lavi 2013-11-24 14:07:48 UTC
Case opened, number 00041745


Yaniv

Comment 8 Juan Hernández 2013-11-25 13:42:38 UTC
This is the recommendation from the Jaspersoft team:

---8<---
We found the exact issue.
As a workaround, you could go to webapp\WEB-INF\jsp\modules\viewReport\ViewReportState.jsp and take out
window.location.reload();

You might want to do the same in
\webapp\WEB-INF\jsp\modules\dashboard\dashboardDesignerViewFrame.jsp

Make sure to clean up the work directory with compiled jsp's too.
--->8---

I tested that manually and it worked correctly for me.
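
Comment 6 suspects that the dialog appears because a document loaded by POST is submitted again, and the workaround in Comment 8 removes the window.location.reload() call. The following is an added example, not RHEV-M or JasperReports code and not the fix that shipped: a toy server that contrasts answering the form post directly with the Post/Redirect/Get pattern, where the request a reload repeats is a GET. The paths /direct, /prg and /view and the STASH store are hypothetical names.

```python
# Added illustration; /direct, /prg, /view and STASH are hypothetical names.
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode

STASH = {}  # server-side store: handoff token -> posted form fields

class Reports(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def _reply(self, status, body=b"", location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = {k: v[0] for k, v in parse_qs(raw.decode()).items()}
        if self.path == "/direct":  # 200: the tab's document is a POST result
            return self._reply(200, form.get("reportUnit", "").encode())
        token = secrets.token_urlsafe(16)  # /prg: keep the fields server-side
        STASH[token] = form
        self._reply(303, location="/view?h=" + token)

    def do_GET(self):
        form = STASH.get(self.path.partition("?h=")[2], {})
        self._reply(200 if form else 404, form.get("reportUnit", "").encode())

def fetch(port, method, path, body=None):
    conn = http.client.HTTPConnection("127.0.0.1", port)
    ctype = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
    conn.request(method, path, body, ctype)
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location"), resp.read().decode()

def reload_would_repeat(path, form):
    """Return (method, url, page): the request a reload of the tab would re-send."""
    with ThreadingHTTPServer(("127.0.0.1", 0), Reports) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            status, location, page = fetch(srv.server_port, "POST", path, urlencode(form))
            if status == 303:  # a browser follows 303 with a body-less GET
                return ("GET", location, fetch(srv.server_port, "GET", location)[2])
            return ("POST", path, page)
        finally:
            srv.shutdown()
```

In a real application the handoff token would also be bound to the authenticated session, so that the /view URL is useless to anyone else who sees it.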

Comment 10 Charlie 2013-11-28 01:08:45 UTC
This bug is currently attached to errata RHSA-2013:15137. If this change is not to be documented in the text for this errata please either remove it from the errata, set the requires_doc_text flag to minus (-), or leave a "Doc Text" value of "--no tech note required" if you do not have permission to alter the flag.

Otherwise to aid in the development of relevant and accurate release documentation, please fill out the "Doc Text" field above with these four (4) pieces of information:

* Cause: What actions or circumstances cause this bug to present.
* Consequence: What happens when the bug presents.
* Fix: What was done to fix the bug.
* Result: What now happens when the actions or circumstances above occur. (NB: this is not the same as 'the bug doesn't present anymore')

Once filled out, please set the "Doc Type" field to the appropriate value for the type of change made and submit your edits to the bug.

For further details on the Cause, Consequence, Fix, Result format please refer to:

https://bugzilla.redhat.com/page.cgi?id=fields.html#cf_release_notes 

Thanks in advance.

Comment 11 Barak Dagan 2013-12-01 15:27:27 UTC
Verified on is25

Comment 13 errata-xmlrpc 2014-01-21 17:45:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-0037.html