Bug 916285

Summary: RHEVM-SDK: session based authentication is broken
Product: Red Hat Enterprise Virtualization Manager Reporter: Michael Pasternak <mpastern>
Component: ovirt-engine-sdk Assignee: Michael Pasternak <mpastern>
Status: CLOSED ERRATA QA Contact: Elena <edolinin>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.2.0 CC: aburden, acathrow, bazulay, dyasny, iheim, oramraz, Rhev-m-bugs, srevivo, yeylon, ykaul
Target Milestone: --- Keywords: Regression
Target Release: 3.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: sf10 Doc Type: Bug Fix
Doc Text:
A previous bug fix to API session-based authentication impacted SDK session-based authentication, because including the 'Prefer' header with the 'Authorization' header bypassed the JSESSION cookie. Now the JSESSION cookie is not bypassed and session-based authentication works as expected.
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-06-10 20:14:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 922807    

Description Michael Pasternak 2013-02-27 18:09:25 UTC
Description of problem:

Fixing api bug 876641 broke sdk session based authentication.

Comment 2 Michael Pasternak 2013-02-28 09:36:57 UTC
session based auth. is broken only for the /localhost, - removing 'blocker'.

Comment 4 Michael Pasternak 2013-03-03 08:37:47 UTC
detailed explanation:
=====================

REST-API introduced new functionality at #876641 to JSESSION based authentication:

if the HTTP header Prefer:persistent-auth is set and the client sends the Authorization header as well, a new JSESSION will be re-initiated, which made all clients sending both Prefer and Authorization headers get authorised again using the Authorization header and not JSESSION.

correct behaviour is:
====================

1. send Authorization & Prefer headers
2. store JSESSION returned in cookie
3. use for authorization Prefer header & JSESSION cookie

disabling session based authentication:
======================================

1. omit from request Prefer header
2. add Authorization header
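
The header sequence from comment 4, as an added example that is not part of the bug report or the SDK's own code: a toy in-memory server model and a client that follows the three steps. The class and function names, the `JSESSIONID` cookie name (the servlet default; the report says JSESSION) and the model's rule that `Prefer` must accompany the cookie are assumptions.

```python
import base64
import secrets

PREFER = "persistent-auth"  # Prefer header value named in comment 4
COOKIE = "JSESSIONID"  # assumed cookie name (servlet default); the page says JSESSION

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class ModelServer:
    """Toy model of the server behaviour described in comment 4, not engine code."""
    def __init__(self, user, password):
        self._basic = basic(user, password)
        self.sessions, self.logins = set(), 0  # logins = credential checks done

    def handle(self, headers):
        persistent = headers.get("Prefer") == PREFER
        sid = headers.get("Cookie", "").partition(COOKIE + "=")[2]
        if "Authorization" in headers:  # credentials win over any cookie sent
            if not secrets.compare_digest(headers["Authorization"], self._basic):
                return 401, {}
            self.logins += 1
            if not persistent:
                return 200, {}  # no Prefer header: no session is kept
            new_sid = secrets.token_hex(16)
            self.sessions.add(new_sid)  # a new session is initiated every time
            return 200, {"Set-Cookie": f"{COOKIE}={new_sid}"}
        ok = persistent and sid in self.sessions  # session reused, no credentials
        return (200 if ok else 401), {}

class Client:
    """Builds headers following the three 'correct behaviour' steps."""
    def __init__(self, user, password, persistent=True):
        self._basic, self.persistent, self.sid = basic(user, password), persistent, None

    def headers(self):
        if not self.persistent:  # session auth disabled: Authorization only
            return {"Authorization": self._basic}
        if self.sid is None:  # step 1: Authorization and Prefer
            return {"Authorization": self._basic, "Prefer": PREFER}
        return {"Prefer": PREFER, "Cookie": f"{COOKIE}={self.sid}"}  # step 3

    def request(self, server):
        status, resp = server.handle(self.headers())
        if "Set-Cookie" in resp:  # step 2: store the returned session cookie
            self.sid = resp["Set-Cookie"].split("=", 1)[1]
        return status
```

In this model, a client that keeps sending `Authorization` together with `Prefer` on every request causes one credential check and one new session per request, which is the pattern the report describes; the client above sends credentials once and the cookie afterwards.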

Comment 6 Elena 2013-03-12 14:15:37 UTC
Verified in sf10

Comment 7 errata-xmlrpc 2013-06-10 20:14:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0912.html