Looks like a good how-to section for Airavata, and Viknes, you can add this to your blog as a more generic solution; it will be useful for someone who encounters the same issue.

Regards
Lahiru

On Tue, Jun 18, 2013 at 12:09 PM, Viknes Balasubramanee <[email protected]> wrote:

> Some more poking around, configuration changes and I was able to solve the
> issue. The REST calls will now be intercepted by the CORS filter first and
> then by the authentication filter (basic authentication) in the
> airavata-server side. Now, with the CORS filter, we can restrict the domains,
> type of operations that can access the REST API. This adds to the security of
> the API as well. I will create a JIRA issue and attach my work as a patch to it.
>
> Thanks
> Viknes
>
> -----Original Message-----
> From: Viknes Balasubramanee [mailto:[email protected]]
> Sent: Thursday, June 13, 2013 11:46 AM
> To: [email protected]
> Subject: RE: Accessing the REST service from JavaScript
>
> So the problem is Cross Domain Authorization. I spent some more time on this
> and added a CORS filter (CORS filter by ebay) on the airavata server side and
> tried the requests. This time, requests from both Firefox and Chrome were
> intercepted by the HttpAuthenticationFilter but still the authorization
> headers were not found and it returned a 401. This post [1] contains a similar
> problem in Spring Security. I'm guessing some configuration changes in Jersey
> could actually resolve it.
>
> [1] - http://stackoverflow.com/questions/10063597/jquery-cross-domain-basic-auth-call
>
> Thanks
> Viknes
>
> -----Original Message-----
> From: Amila Jayasekara [mailto:[email protected]]
> Sent: Wednesday, June 12, 2013 10:35 AM
> To: [email protected]; viknesb
> Subject: Re: Accessing the REST service from JavaScript
>
> Hi Viknes,
>
> You still need to set user name as an Authorisation header. I doubt you will
> be able to do this even, cos browsers don't allow any kind of http header
> manipulations.
>
> Thanks
> Amila
>
>
> On Wed, Jun 12, 2013 at 10:29 AM, Viknes Balasubramanee <[email protected]> wrote:
>
> > I'd like to avoid a backend server of my own or a proxy server. My aim
> > is to develop a portable webapp of just HTML and JS pages that can be
> > included by any client. I am pretty sure I have successfully made
> > cross domain requests earlier. The only problem here is adding the
> > authorization header and these 2 browsers don't allow it.
> >
> > Amila,
> > When the security is disabled, should the username be still set in the
> > authorization header or can it be passed as a parameter or data attribute.
> >
> > Thanks
> > Viknes
> >
> > -----Original Message-----
> > From: Amila Jayasekara [mailto:[email protected]]
> > Sent: Wednesday, June 12, 2013 9:28 AM
> > To: [email protected]
> > Cc: viknesb
> > Subject: Re: Accessing the REST service from JavaScript
> >
> > I am not quite sure, issue is more subtle I guess. Cos browser itself
> > doesn't allow us to manipulate headers.
> > But we can try and see.
> >
> > Thanks
> > Amila
> >
> >
> > On Wed, Jun 12, 2013 at 9:21 AM, Supun Kamburugamuva <[email protected]> wrote:
> >
> > > From the description my understanding was this is a cross domain
> > > scripting issue. If that is the case, using a proxy server will make
> > > all the requests to go through the same server (domain) and avoid
> > > the issue.
> > >
> > > Thanks,
> > > Supun..
> > >
> > >
> > > On Wed, Jun 12, 2013 at 8:58 AM, Amila Jayasekara <[email protected]> wrote:
> > >
> > > > Hi Supun,
> > > >
> > > > Didn't quite understand how HTTPD is going to solve the issue. You
> > > > meant to (from browser) pass header in different format to HTTPD
> > > > and set headers at HTTPD server level? If this is possible could
> > > > you also point to a reference?
> > > >
> > > > Thanks
> > > > Amila
> > > >
> > > >
> > > > On Wed, Jun 12, 2013 at 8:28 AM, Supun Kamburugamuva <[email protected]> wrote:
> > > >
> > > > > You can try proxying all your requests through a HTTPD server.
> > > > > Maybe it will help.
> > > > >
> > > > > Thanks,
> > > > > Supun..
> > > > >
> > > > >
> > > > > On Wed, Jun 12, 2013 at 12:48 AM, Amila Jayasekara <[email protected]> wrote:
> > > > >
> > > > > > Hi Viknes,
> > > > > >
> > > > > > As discussed offline the reason for authentication failure is not
> > > > > > getting "Authorization" header to backend. We experienced that
> > > > > > Firefox and Chrome do not allow user to set headers while IE
> > > > > > allows user to set headers (Correct me if I am wrong). Further [1]
> > > > > > describes this restriction in detail.
> > > > > >
> > > > > > It seems like due to security reasons some browsers do not allow
> > > > > > user to manipulate headers. Maybe other JavaScript experts can
> > > > > > give more feedback to solve this issue.
> > > > > >
> > > > > > Further even though you disable security Airavata needs a user
> > > > > > id to operate on. Therefore we still require a user id in the
> > > > > > request header.
> > > > > >
> > > > > > [1] http://news.anarchy46.net/2012/06/refused-to-set-unsafe-header.html
> > > > > >
> > > > > > Thanks
> > > > > > Amila
> > > > > >
> > > > > >
> > > > > > On Tue, Jun 11, 2013 at 11:42 PM, Viknes Balasubramanee <[email protected]> wrote:
> > > > > >
> > > > > > > Hi All,
> > > > > > >
> > > > > > > I am trying to get the list of experiments in Airavata by
> > > > > > > accessing the Registry API REST service from a webapp.
> > > > > > > When I make an AJAX request from JavaScript, I get an error in
> > > > > > > the browser console (FireBug) stating "Access denied to
> > > > > > > restricted URI". This is the URL that I am trying to hit
> > > > > > > http://localhost:8080/airavata-registry/api/experimentregistry/get/experiments/all .
> > > > > > > The URL works fine from the browser.
> > > > > > >
> > > > > > > 1. I have the basic authentication header set with the encoded
> > > > > > > username and password when I make the request. I have CORS
> > > > > > > enabled in jQuery. Yet, the request seems to fail.
> > > > > > > 2. In order to skip the authentication and try my request, I set
> > > > > > > the enabled parameter in authentication.xml to false.
> > > > > > > <authenticators enabled="false">. When I do so, I get the below
> > > > > > > exception if I try to connect to the registry from XBaya.
> > > > > > >
> > > > > > > org.apache.airavata.client.api.exception.AiravataAPIInvocationException: Error while initializing the Airavata API
> > > > > > >     at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:64)
> > > > > > >     at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:43)
> > > > > > >     at org.apache.airavata.xbaya.ui.dialogs.registry.RegistryWindow.getAiravataAPI(RegistryWindow.java:260)
> > > > > > > Caused by: org.apache.airavata.client.api.exception.AiravataAPIInvocationException: Error while initializing the Airavata API
> > > > > > >     at org.apache.airavata.client.AiravataClient.initialize(AiravataClient.java:163)
> > > > > > >     at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:61)
> > > > > > >     ... 99 more
> > > > > > > Caused by: java.lang.RuntimeException: Failed : HTTP error code : 500
> > > > > > >     at org.apache.airavata.rest.client.ConfigurationResourceClient.getEventingURI(ConfigurationResourceClient.java:519)
> > > > > > >     at org.apache.airavata.rest.client.RegistryClient.getEventingServiceURI(RegistryClient.java:164)
> > > > > > >     at org.apache.airavata.client.AiravataClient.createConfig(AiravataClient.java:115)
> > > > > > >
> > > > > > > Please let me know if I am missing something here. For most of
> > > > > > > the GSOC projects, we are developing webapp and I believe this
> > > > > > > would play an important role.
> > > > > > >
> > > > > > > Thanks
> > > > > > > Viknes
> > > > >
> > > > >
> > > > > --
> > > > > Supun Kamburugamuva
> > > > > Member, Apache Software Foundation; http://www.apache.org
> > > > > E-mail: [email protected]; Mobile: +1 812 369 6762
> > > > > Blog: http://supunk.blogspot.com
> > >
> > >
> > > --
> > > Supun Kamburugamuva
> > > Member, Apache Software Foundation; http://www.apache.org
> > > E-mail: [email protected]; Mobile: +1 812 369 6762
> > > Blog: http://supunk.blogspot.com

--
System Analyst Programmer
PTI Lab
Indiana University
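
The filter ordering described in the thread (CORS filter first, then basic authentication), as an added example that is not part of the original messages and is neither Airavata's nor the CORS filter library's code. It models the chain in JavaScript to show that a browser's preflight OPTIONS request carries no Authorization header, so an authentication filter placed first answers it with 401; the origin, method allowlist and account are constructed for the example.

```javascript
// Added example: a model of the server-side filter chain, not Airavata's Java code.
// Header names are lower-cased, as Node's http module presents them.
const ALLOWED_ORIGINS = new Set(["https://portal.example.org"]); // assumed allowlist
const ALLOWED_METHODS = new Set(["GET", "POST"]);                // assumed allowlist
const USERS = new Map([["admin", "secret"]]);                    // constructed account

// CORS filter: rejects unknown origins, answers preflights itself, tags real responses.
function corsFilter(req, next) {
  const origin = req.headers["origin"];
  if (!origin) return next(req); // not a cross-origin browser request
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  const cors = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  const wanted = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wanted) { // preflight: never carries Authorization
    if (!ALLOWED_METHODS.has(wanted)) return { status: 403, headers: {} };
    return { status: 204, headers: { ...cors,
      "Access-Control-Allow-Methods": [...ALLOWED_METHODS].join(", "),
      "Access-Control-Allow-Headers": "Authorization" } };
  }
  const res = next(req);
  return { ...res, headers: { ...res.headers, ...cors } };
}

// Basic authentication filter: 401 unless the Authorization header names a known user.
function basicAuthFilter(req, next) {
  const m = /^Basic (.+)$/.exec(req.headers["authorization"] || "");
  const decoded = m ? Buffer.from(m[1], "base64").toString("utf8") : "";
  const i = decoded.indexOf(":");
  if (i < 1 || USERS.get(decoded.slice(0, i)) !== decoded.slice(i + 1)) {
    return { status: 401, headers: { "WWW-Authenticate": 'Basic realm="api"' } };
  }
  return next(req);
}

const resource = () => ({ status: 200, headers: {}, body: "[]" });
// chain(a, b) runs a first, then b, then the resource.
const chain = (...filters) =>
  filters.reduceRight((next, f) => (req) => f(req, next), resource);

const origin = "https://portal.example.org";
const preflight = { method: "OPTIONS", headers: { origin,
  "access-control-request-method": "GET",
  "access-control-request-headers": "authorization" } };
const actual = { method: "GET", headers: { origin,
  authorization: "Basic " + Buffer.from("admin:secret").toString("base64") } };

console.log("auth first, preflight:", chain(basicAuthFilter, corsFilter)(preflight).status);
console.log("CORS first, preflight:", chain(corsFilter, basicAuthFilter)(preflight).status);
console.log("CORS first, request:  ", chain(corsFilter, basicAuthFilter)(actual).status);
```

With the CORS filter outermost, a 401 from the authentication filter also receives the `Access-Control-Allow-Origin` header, so the calling script can read the failure instead of seeing an opaque network error.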
