On Jun 12, 2013, at 10:35 AM, Amila Jayasekara <thejaka.am...@gmail.com> wrote:

> Hi Viknes,
> 
> You still need to set user name as an Authorisation header. I doubt you will
> be able to do this even, cos browsers don't allow any kind of HTTP header
> manipulations.

Amila, this is making me wonder again, is this a good idea to expect a user id
to be set in the request header? Why cannot we allow the user id to be set as a
parameter? Is this because of a security risk or any other technical reasons?

Suresh

> 
> Thanks
> Amila
> 
> 
> On Wed, Jun 12, 2013 at 10:29 AM, Viknes Balasubramanee <vikn...@msn.com> wrote:
> 
>> I'd like to avoid a backend server of my own or a proxy server. My aim is to
>> develop a portable webapp of just HTML and JS pages that can be included by
>> any client. I am pretty sure I have successfully made cross domain requests
>> earlier. The only problem here is adding the authorization header and these
>> 2 browsers don't allow it.
>> 
>> Amila,
>> When the security is disabled, should the username be still set in the
>> authorization header or can it be passed as a parameter or data attribute?
>> 
>> Thanks
>> Viknes
>> 
>> -----Original Message-----
>> From: Amila Jayasekara [mailto:thejaka.am...@gmail.com]
>> Sent: Wednesday, June 12, 2013 9:28 AM
>> To: dev@airavata.apache.org
>> Cc: viknesb
>> Subject: Re: Accessing the REST service from JavaScript
>> 
>> I am not quite sure, issue is more subtle I guess. Cos browser itself
>> doesn't allow us to manipulate headers.
>> But we can try and see.
>> 
>> Thanks
>> Amila
>> 
>> 
>> On Wed, Jun 12, 2013 at 9:21 AM, Supun Kamburugamuva <supu...@gmail.com> wrote:
>> 
>>> From the description my understanding was this is a cross domain
>>> scripting issue. If that is the case, using a proxy server will make
>>> all the requests to go through the same server (domain) and avoid the
>>> issue.
>>> 
>>> Thanks,
>>> Supun..
>>> 
>>> 
>>> On Wed, Jun 12, 2013 at 8:58 AM, Amila Jayasekara <thejaka.am...@gmail.com> wrote:
>>> 
>>>> Hi Supun,
>>>> 
>>>> Didn't quite understand how HTTPD is going to solve the issue. You
>>>> meant to (from browser) pass header in different format to HTTPD and
>>>> set headers at HTTPD server level? If this is possible could you also
>>>> point to a reference?
>>>> 
>>>> Thanks
>>>> Amila
>>>> 
>>>> 
>>>> On Wed, Jun 12, 2013 at 8:28 AM, Supun Kamburugamuva <supu...@gmail.com> wrote:
>>>> 
>>>>> You can try proxying all your requests through a HTTPD server. Maybe it
>>>>> will help.
>>>>> 
>>>>> Thanks,
>>>>> Supun..
>>>>> 
>>>>> 
>>>>> On Wed, Jun 12, 2013 at 12:48 AM, Amila Jayasekara <thejaka.am...@gmail.com> wrote:
>>>>> 
>>>>>> Hi Viknes,
>>>>>> 
>>>>>> As discussed offline the reason for authentication failure is not getting
>>>>>> "Authorization" header to backend. We experienced that Firefox and Chrome
>>>>>> do not allow user to set headers while IE allows user to set headers (Correct
>>>>>> me if I am wrong). Further [1] describes this restriction in detail.
>>>>>>
>>>>>> It seems like due to security reasons some browsers do not allow user to
>>>>>> manipulate headers. Maybe other JavaScript experts can give more feedback
>>>>>> to solve this issue.
>>>>>>
>>>>>> Further even though you disable security Airavata needs a user id to
>>>>>> operate on. Therefore we still require a user id in the request header.
>>>>>>
>>>>>> [1] http://news.anarchy46.net/2012/06/refused-to-set-unsafe-header.html
>>>>>> 
>>>>>> Thanks
>>>>>> Amila
>>>>>> 
>>>>>> 
>>>>>> On Tue, Jun 11, 2013 at 11:42 PM, Viknes Balasubramanee <vikn...@msn.com> wrote:
>>>>>> 
>>>>>>> Hi All,
>>>>>>> 
>>>>>>> I am trying to get the list of experiments in Airavata by accessing the
>>>>>>> Registry API REST service from a webapp. When I make an AJAX request from
>>>>>>> JavaScript, I get an error in the browser console (FireBug) stating "Access
>>>>>>> denied to restricted URI". This is the URL that I am trying to hit
>>>>>>>
>>>>>>> http://localhost:8080/airavata-registry/api/experimentregistry/get/experiments/all
>>>>>>>
>>>>>>> The URL works fine from the browser.
>>>>>>>
>>>>>>> 1. I have the basic authentication header set with the encoded username and
>>>>>>> password when I make the request. I have CORS enabled in jQuery. Yet, the
>>>>>>> request seems to fail.
>>>>>>> 2. In order to skip the authentication and try my request, I set the enabled
>>>>>>> parameter in authentication.xml to false. <authenticators enabled="false">.
>>>>>>> When I do so, I get the below exception if I try to connect to the registry
>>>>>>> from XBaya.
>>>>>>> 
>>>>>>> org.apache.airavata.client.api.exception.AiravataAPIInvocationException:
>>>>>>> Error while initializing the Airavata API
>>>>>>>        at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:64)
>>>>>>>        at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:43)
>>>>>>>        at org.apache.airavata.xbaya.ui.dialogs.registry.RegistryWindow.getAiravataAPI(RegistryWindow.java:260)
>>>>>>> Caused by: org.apache.airavata.client.api.exception.AiravataAPIInvocationException:
>>>>>>> Error while initializing the Airavata API
>>>>>>>        at org.apache.airavata.client.AiravataClient.initialize(AiravataClient.java:163)
>>>>>>>        at org.apache.airavata.client.AiravataAPIFactory.getAPI(AiravataAPIFactory.java:61)
>>>>>>>        ... 99 more
>>>>>>> Caused by: java.lang.RuntimeException: Failed : HTTP error code : 500
>>>>>>>        at org.apache.airavata.rest.client.ConfigurationResourceClient.getEventingURI(ConfigurationResourceClient.java:519)
>>>>>>>        at org.apache.airavata.rest.client.RegistryClient.getEventingServiceURI(RegistryClient.java:164)
>>>>>>>        at org.apache.airavata.client.AiravataClient.createConfig(AiravataClient.java:115)
>>>>>>> 
>>>>>>> Please let me know if I am missing something here. For most of the GSOC
>>>>>>> projects, we are developing webapp and I believe this would play an
>>>>>>> important role.
>>>>>>> 
>>>>>>> Thanks
>>>>>>> Viknes
>>>>>>> 
>>>>> --
>>>>> Supun Kamburugamuva
>>>>> Member, Apache Software Foundation; http://www.apache.org
>>>>> E-mail: supu...@gmail.com;  Mobile: +1 812 369 6762
>>>>> Blog: http://supunk.blogspot.com

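The situation this thread describes, a cross-domain AJAX call that carries an Authorization header, makes the browser send a CORS preflight (an OPTIONS request without credentials) before the real request, so the REST server has to answer that preflight before its authentication check runs. The sketch below is an added example of such a server-side decision; it is not Airavata code or anything posted in the thread, and the origin allowlist, header allowlist and function name are hypothetical.

```javascript
// Added example: CORS decision for a REST endpoint that expects an
// Authorization header. The origin allowlist and all names are hypothetical.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000"]); // constructed sample origin
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// method: HTTP verb; reqHeaders: request headers with lower-cased names.
// Returns { respondNow, status, headers }. respondNow=true means "answer the
// preflight here"; false means "add these headers, then run auth and the handler".
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  const known = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  const requested = reqHeaders["access-control-request-method"];
  const isPreflight = method === "OPTIONS" && origin !== undefined && requested !== undefined;

  if (!isPreflight) {
    // Actual request: expose the response only to allowlisted origins.
    // Echo the exact origin instead of "*" so credentialed requests stay scoped.
    const headers = known ? { "Access-Control-Allow-Origin": origin, "Vary": "Origin" } : {};
    return { respondNow: false, status: null, headers };
  }

  // Preflight: the browser lists the header names the script wants to send.
  const wanted = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = known && ALLOWED_METHODS.includes(requested) &&
    wanted.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) {
    // No Access-Control-* headers: the browser will not send the real request.
    return { respondNow: true, status: 403, headers: {} };
  }
  return {
    respondNow: true,
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      "Access-Control-Max-Age": "600",
      "Vary": "Origin",
    },
  };
}
```

The user id still has to be verified by the authentication step that runs after this decision; the CORS headers only control which web origins may read the response.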