Bug 1161734 - Double backend login during frontend login
Summary: Double backend login during frontend login
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-webadmin
Version: 3.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 3.5.1
Assignee: Vojtech Szocs
QA Contact: Ondra Machacek
URL:
Whiteboard: ux
Depends On:
Blocks: 1113937
TreeView+ depends on / blocked
 
Reported: 2014-11-07 18:04 UTC by Alon Bar-Lev
Modified: 2016-02-10 19:47 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-21 16:06:22 UTC
oVirt Team: UX
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 35069 0 master MERGED aaa: filters: enable accept engine session using header Never
oVirt gerrit 35185 0 master MERGED webadmin: Use existing Engine session for REST API integration Never
oVirt gerrit 35188 0 master MERGED aaa: filters: add Prefer new-auth option Never
oVirt gerrit 35213 0 master MERGED aaa: bll: generate engine session as plain random string Never
oVirt gerrit 35245 0 ovirt-engine-3.5 MERGED aaa: bll: generate engine session as plain random string Never
oVirt gerrit 35246 0 ovirt-engine-3.5 MERGED aaa: filters: enable accept engine session using header Never
oVirt gerrit 35247 0 ovirt-engine-3.5 MERGED aaa: filters: add Prefer new-auth option Never
oVirt gerrit 35248 0 ovirt-engine-3.5 MERGED webadmin: Use existing Engine session for REST API integration Never

Description Alon Bar-Lev 2014-11-07 18:04:10 UTC 
In 3.5.0 there is double login into application:
1. backend
2. restapi

This result in double delay when login, we already had many bugs opened because of login performance when user is using ldap and many groups.

We tried to improve this greatly in 3.5, however because of the double login it won't be visible or even worse.

Options to solve this in 3.5 should be applied:
1. use ovirt-engine/webadmin/api to redirect into api.
2. add query to return the engine session id, and add a internal private header to restapi to accept context.
3. retrieve session if using ssl.

Anything to avoid double login, even temporary solutions that are to be removed in 3.6.
Comment 1 Alon Bar-Lev 2014-11-12 07:09:05 UTC 
actually since 3.2.2
Comment 2 Alon Bar-Lev 2014-11-24 13:45:39 UTC 
BTW: this also solved SSO into the application, as the unexpected assumption of reusing password would have caused application not to work within SSO environment in which password is not available to application.
Comment 3 Ondra Machacek 2014-12-17 13:49:36 UTC 
...
Accept-Language	en-US,en;q=0.5
Authorization	Basic XXXXXXXXXXXXXXXXXXXXXXXXXX
Connection	keep-alive
Cookie	JSESSIONID=P6sJvYVOoQk95pn0l84OwVBI; locale=en_US
DNT	1
Host	10.34.63.31
JSESSIONID	P6sJvYVOoQk95pn0l84OwVBI
Prefer	persistent-auth, csrf-protection
...

is there a reason to still send "Authorization" header?
Comment 4 Alon Bar-Lev 2014-12-17 14:09:53 UTC 
(In reply to Ondra Machacek from comment #3)
> is there a reason to still send "Authorization" header?

no. are you sure you invalidated all credentials from your browser instance?
Comment 5 Ondra Machacek 2014-12-17 14:39:45 UTC 
aha, after I invalidated it. no "Authorization" header appears.
Comment 6 Vojtech Szocs 2015-01-05 15:27:07 UTC 
(In reply to Ondra Machacek from comment #3)
> ...
> Accept-Language	en-US,en;q=0.5
> Authorization	Basic XXXXXXXXXXXXXXXXXXXXXXXXXX
> Connection	keep-alive
> Cookie	JSESSIONID=P6sJvYVOoQk95pn0l84OwVBI; locale=en_US
> DNT	1
> Host	10.34.63.31
> JSESSIONID	P6sJvYVOoQk95pn0l84OwVBI
> Prefer	persistent-auth, csrf-protection
> ...
> 
> is there a reason to still send "Authorization" header?

Sorry for late reply.

The reason why "Authorization" header is still sent is probably due to default web browser behavior - once this header is set, it will aways be sent by the browser alongside request to given target origin. This is also why "Authorization" header is not really appropriate for doing auth stuff in modern web applications.
Comment 7 Sandro Bonazzola 2015-01-21 16:06:22 UTC 
oVirt 3.5.1 has been released. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.