Red Hat Bugzilla – Bug 1032508
The GWT applications should use /api/ instead of /api to avoid sending credentials to /rhevm-reports
Last modified: 2016-02-10 14:12:28 EST
Description of problem:
The GWT applications need to call the RESTAPI in order to get a session id that can then be handed to UI plugins. They do this by sending a request to the /api URL. This URL is protected with basic authentication, so the application server sends back a response requiring authentication. When the browser sees this response it will send the credentials and will remember that it has to send the credentials again with any request to a URL that starts with / (the result of removing anything from the end of the first URL that required authentication up to the first slash). In this case it means that it will send the credentials with any request, in particular with requests for the reports URL. The reports application doesn't tolerate this: when it sees an authentication header it assumes that it has to perform authentication itself, and this breaks the SSO implementation.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install RHEV, including the reports application.
2. Close the browser to avoid cached sessions and authentication credentials.
3. Connect to webadmin and in the data centers main tab right click on the default data center and from the popup menu select any report.
A new browser tab is opened and it asks for user name and password using basic authentication (a browser popup for real "Protected area").
The reports application should go directly to the report without requiring any additional authentication.
This problem can be avoided by modifying the GUI so that it requests /api/ instead of /api. This way the browser will only send the credentials to the URLs starting with /api/ and not to all the URLs.
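The browser behaviour the report describes is the Basic authentication "protection space" rule (RFC 7617, section 2.2): after a 401 challenge, the browser reuses the credentials for every path at or below the directory of the challenged URL, where the directory is the path up to and including its last slash. The following is an added example, not code from the bug or from the RHEV project: a small Python model of that credential cache which shows why /api widens the space to the whole site while /api/ confines it. The host name engine.example and the paths under /rhevm-reports are constructed for the example; only the /api, /api/ and /rhevm-reports names come from the bug.

```python
from urllib.parse import urlsplit


def protection_space(challenged_url: str) -> str:
    """Path prefix for which a browser will preemptively resend Basic credentials
    after a 401 challenge at challenged_url (RFC 7617 section 2.2):
    everything up to and including the last '/' of the challenged path.
    '/api' -> '/' (whole site), '/api/' -> '/api/' (confined)."""
    path = urlsplit(challenged_url).path or "/"
    return path[: path.rfind("/") + 1]


class BrowserCredentialCache:
    """Constructed model of the per-origin Basic-auth cache kept by a browser."""

    def __init__(self) -> None:
        # (scheme, host) -> list of path prefixes that received a 401 challenge
        self._spaces: dict[tuple[str, str], list[str]] = {}

    def on_challenge(self, url: str) -> None:
        """Record a 401 with 'WWW-Authenticate: Basic' received for url."""
        parts = urlsplit(url)
        origin = (parts.scheme, parts.netloc)
        self._spaces.setdefault(origin, []).append(protection_space(url))

    def will_send_credentials(self, url: str) -> bool:
        """True if the browser would attach the cached Authorization header to url."""
        parts = urlsplit(url)
        path = parts.path or "/"
        return any(path.startswith(p) for p in self._spaces.get((parts.scheme, parts.netloc), []))


def leaks_to(challenged_url: str, other_url: str) -> bool:
    """Would a challenge at challenged_url make the browser send credentials to other_url?"""
    cache = BrowserCredentialCache()
    cache.on_challenge(challenged_url)
    return cache.will_send_credentials(other_url)


def confined_to_api(api_url: str) -> bool:
    """Check for a UI configuration: does the REST API URL keep the protection
    space inside the API path (i.e. does it end with a slash)?"""
    return protection_space(api_url) != "/"


if __name__ == "__main__":
    # Constructed URLs; /rhevm-reports is the reports application from the bug.
    reports = "https://engine.example/rhevm-reports/flow.html"
    for api in ("https://engine.example/api", "https://engine.example/api/"):
        print(f"{api:<35} space={protection_space(api)!r:8} "
              f"credentials sent to reports: {leaks_to(api, reports)}")
```

The model deliberately ignores realm matching and other challenge details; the point it isolates is that the trailing slash alone decides whether the credentials cached for the REST API travel with every other request on the origin, which is what broke the reports SSO flow.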
Verified in is25.
Reports was loaded without a browser authentication popup.
Closing - RHEV 3.3 Released