
REve: Re-enable remote connections

Open alja opened this issue 1 year ago • 3 comments

The loopback option was removed in the January release. The change in #14136 allows disabling loopback in REveManager.

alja avatar Feb 20 '24 19:02 alja

Can one of the admins verify this patch?

phsft-bot avatar Feb 20 '24 19:02 phsft-bot

@linev Please check.

alja avatar Feb 20 '24 19:02 alja

Test Results

    12 files, 12 suites, 2d 3h 47m 1s :stopwatch:
    2 563 tests: 2 560 :white_check_mark:, 0 :zzz:, 3 :x:
    28 834 runs: 28 830 :white_check_mark:, 0 :zzz:, 4 :x:

For more details on these failures, see this check.

Results for commit 5a2d2085.

github-actions[bot] avatar Feb 21 '24 01:02 github-actions[bot]

> It is not a proper place to disable authentication in REve.
>
> Only in some specific application one should do so - when other protection mechanism is provided.

@linev Why this is not a proper place?

alja avatar Feb 27 '24 17:02 alja

> Why this is not a proper place?

Why all REve examples and demos will run by default without key authentication. As a result, anybody can try to attack and hijack such a server.

You should put such code in the CMS demo. And there one should use tokens, https, user authentication.

linev avatar Feb 28 '24 07:02 linev

@linev I now understand that changes are not needed. I can close this PR.

In the CMS web service we used RWebWindow::SetConnToken() with an auto-generated key. The connection key stayed visible in the browser's URL and multiple connections were possible.

Now if I enable (which is the default):

   ROOT::RWebWindowsManager::SetUseSessionKey(true);
   ROOT::Experimental::gEve->GetWebWindow()->SetRequireAuthKey(true); 

I see the key in the URL printed in the terminal, but when I paste it into the browser the key disappears from the browser's URL text entry. Also, multiple connections are not possible with this same key.

Now I'm confused. What is the difference between ConnToken, AuthKey, and SessionKey?

One more question. Are multiple connections possible in any of the combinations?

alja avatar Feb 28 '24 18:02 alja

@linev I found out by testing that multiple connections are possible if I use session key and require auth key is disabled.

alja avatar Feb 28 '24 18:02 alja

> I found out by testing that multiple connections are possible if I use session key and require auth key is disabled.

Session key is useless without connection key.

linev avatar Feb 28 '24 18:02 linev

No changes are needed in REve sources. I will add documentation in reve/tutorials.

alja avatar Feb 28 '24 19:02 alja