Bug 916285 - RHEVM-SDK: session based authentication is broken
Summary: RHEVM-SDK: session based authentication is broken
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-sdk
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 3.2.0
Assignee: Michael Pasternak
QA Contact: Elena
URL:
Whiteboard: infra
Depends On:
Blocks: 922807
Reported: 2013-02-27 18:09 UTC by Michael Pasternak
Modified: 2016-02-10 19:13 UTC

Fixed In Version: sf10
Doc Type: Bug Fix
Doc Text:
A previous bug fix to API session-based authentication broke SDK session-based authentication: when the 'Prefer' header was sent together with the 'Authorization' header, the JSESSION cookie was bypassed. Now, the JSESSION cookie is not bypassed and session-based authentication works as expected.
Clone Of:
Environment:
Last Closed: 2013-06-10 20:14:36 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Product Errata | RHBA-2013:0912 | 0 | normal | SHIPPED_LIVE | new package: rhevm-sdk | 2013-06-11 00:04:02 UTC |
| oVirt gerrit | 12520 | 0 | None | None | None | Never |
| oVirt gerrit | 12578 | 0 | None | None | None | Never |

Description Michael Pasternak 2013-02-27 18:09:25 UTC
Description of problem:

Fixing api bug 876641 broke sdk session based authentication.

Comment 2 Michael Pasternak 2013-02-28 09:36:57 UTC
Session-based auth. is broken only for the /localhost; removing 'blocker'.

Comment 4 Michael Pasternak 2013-03-03 08:37:47 UTC
detailed explanation:
=====================

The REST API introduced new functionality in #876641 for JSESSION-based authentication:

if the HTTP header Prefer:persistent-auth is set and the client sends the Authorization header as well, a new JSESSION is re-initiated, which makes all clients that send both the Prefer and Authorization headers get authorised again using the
Authorization header and not the JSESSION.

correct behaviour is:
====================

1. send the Authorization & Prefer headers
2. store the JSESSION returned in the cookie
3. use the Prefer header & JSESSION cookie for authorization

disabling session based authentication:
======================================

1. omit the Prefer header from the request
2. add the Authorization header
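
The header sequence from comment 4, as an added example (not part of the bug report and not the SDK's or engine's code): a constructed in-memory model of the described server behaviour and a hypothetical client, counting credential checks and issued sessions when the client follows steps 1-3, when it keeps sending Authorization alongside Prefer, and when session-based authentication is disabled. The cookie name `JSESSIONID`, all class and function names, and the credentials are assumptions.

```python
import base64
import hmac
import secrets

PREFER = "persistent-auth"   # Prefer value quoted in comment 4
COOKIE = "JSESSIONID"        # assumed cookie name; the report calls it "JSESSION"
AUTH = "Basic " + base64.b64encode(b"admin@internal:constructed-password").decode()

class ModelServer:  # constructed model of the behaviour described in comment 4
    def __init__(self):
        self.sessions, self.logins = set(), 0

    def handle(self, headers):
        persistent = headers.get("Prefer") == PREFER
        auth = headers.get("Authorization")
        sid = headers.get("Cookie", "").partition(COOKIE + "=")[2]  # single-cookie parse
        if auth is not None:                       # credentials sent: full re-check
            if not hmac.compare_digest(auth, AUTH):
                return 401, {}
            self.logins += 1
            if not persistent:                     # session-based auth disabled
                return 200, {}
            sid = secrets.token_hex(16)            # Prefer + Authorization: new session
            self.sessions.add(sid)
            return 200, {"Set-Cookie": f"{COOKIE}={sid}"}
        ok = persistent and sid in self.sessions   # Prefer + cookie: reuse session
        return (200 if ok else 401), {}

class Client:  # hypothetical client; always_send_auth=True re-sends credentials
    def __init__(self, server, persistent=True, always_send_auth=False):
        self.server, self.sid = server, None
        self.persistent, self.always_send_auth = persistent, always_send_auth

    def request(self):
        headers = {"Prefer": PREFER} if self.persistent else {}
        if self.sid:
            headers["Cookie"] = f"{COOKIE}={self.sid}"       # step 3
        if not self.sid or self.always_send_auth:
            headers["Authorization"] = AUTH                  # step 1
        status, resp = self.server.handle(headers)
        if "Set-Cookie" in resp:
            self.sid = resp["Set-Cookie"].split("=", 1)[1]   # step 2
        return status

def simulate(requests=5, **client_opts):
    """Return (statuses, credential checks, sessions issued) for one client."""
    server = ModelServer()
    client = Client(server, **client_opts)
    statuses = [client.request() for _ in range(requests)]
    return statuses, server.logins, len(server.sessions)
```

`simulate()` performs one credential check for five requests, while `simulate(always_send_auth=True)` performs five and issues five sessions, which is the pattern to look for in server-side logs when checking that a client really reuses its session.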

Comment 6 Elena 2013-03-12 14:15:37 UTC
Verified in sf10

Comment 7 errata-xmlrpc 2013-06-10 20:14:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0912.html

