Bug 1032508 - The GWT applications should use /api/ instead of /api to avoid sending credentials to /rhevm-reports
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-webadmin-portal
Unspecified Unspecified
urgent Severity urgent
: ---
: 3.3.0
Assigned To: Juan Hernández
Barak Dagan
: TestBlocker, Triaged
Depends On:
Blocks: 3.3snap3
Reported: 2013-11-20 05:21 EST by Juan Hernández
Modified: 2016-02-10 14:12 EST

See Also:
Fixed In Version: is24.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 21431 None None None Never
oVirt gerrit 21472 None None None Never

Description Juan Hernández 2013-11-20 05:21:59 EST
Description of problem:

The GWT applications need to call RESTAPI in order to get a session id that can then be handed to UI plugins. They do this by sending a request to the /api URL. This URL is protected with basic authentication, so the application server sends back a response requiring authentication. When the browser sees this response it will send the credentials and will remember that it has to send the credentials again with any request to a URL that starts with / (the result of removing anything from the end of the first URL that required authentication up to the first slash). In this case it means that it will send the credentials with any request, in particular with requests for the reports URL. The reports application doesn't tolerate this: when it sees an authentication header it assumes that it has to perform authentication itself, and this breaks the SSO implementation.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

1. Install RHEV, including the reports application.
2. Close the browser to avoid cached sessions and authentication credentials.
3. Connect to webadmin and in the data centers main tab right click in the default data center and from the popup menu select any report.

Actual results:

A new browser tab is opened and it asks for user name and password using basic authentication (a browser popup for realm "Protected area").

Expected results:

The reports application should go directly to the report without requiring any additional authentication.

Additional info:

This problem can be avoided by modifying the GUI so that it requests /api/ instead of /api; this way the browser will only send the credentials to the URLs starting with /api/ and not to all the URLs.
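
The scoping rule described in this report, modelled as an added example (not code from the bug or from oVirt): it derives the path prefix a browser remembers after the first basic authentication challenge and checks which later requests fall inside it. The host name and the request paths are constructed samples, and the function names are hypothetical.

```javascript
// Added example: models the path-prefix rule for Basic credentials
// (RFC 7617, section 2.2) as this bug report describes it.
// Host name and request paths are constructed samples, not taken from the bug.

// Scope remembered after the first challenged URL: same origin, and the
// path with everything after its last slash removed.
function basicAuthScope(challengedUrl) {
  const u = new URL(challengedUrl);
  const prefix = u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
  return { origin: u.origin, prefix };
}

// True when a request lies inside the remembered scope, i.e. the browser
// may attach the Authorization header without being challenged again.
function sendsCredentials(scope, requestUrl) {
  const u = new URL(requestUrl);
  return u.origin === scope.origin && u.pathname.startsWith(scope.prefix);
}

// URLs from a list that would receive the credentials.
function exposedUrls(challengedUrl, requestUrls) {
  const scope = basicAuthScope(challengedUrl);
  return requestUrls.filter((r) => sendsCredentials(scope, r));
}

const sampleHost = "https://engine.example.com"; // constructed
const sampleRequests = [
  `${sampleHost}/api/datacenters`,       // constructed REST API path
  `${sampleHost}/rhevm-reports/report`,  // constructed reports path
];

// Compare the behaviour before the fix (/api) and after it (/api/).
for (const first of [`${sampleHost}/api`, `${sampleHost}/api/`]) {
  console.log(`first challenge on ${first}`);
  console.log(`  remembered prefix: ${basicAuthScope(first).prefix}`);
  for (const r of exposedUrls(first, sampleRequests)) {
    console.log(`  credentials sent to: ${r}`);
  }
}
```

With /api as the first challenged URL the remembered prefix is /, so the reports URL is inside the scope; with /api/ the prefix is /api/ and the reports URL is outside it.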
Comment 1 Barak Dagan 2013-12-01 06:22:39 EST
Verified in is25.

Reports was loaded without browser authentication popup.
Comment 2 Itamar Heim 2014-01-21 17:28:05 EST
Closing - RHEV 3.3 Released
Comment 3 Itamar Heim 2014-01-21 17:28:05 EST
Closing - RHEV 3.3 Released
Comment 4 Itamar Heim 2014-01-21 17:31:03 EST
Closing - RHEV 3.3 Released
