Template download fails with message "Needs Authorization"
When running cryostat locally, attempting to download a template from the /events tab results in a 401, even though the POST request for the JWT token returns 200.
Jan 21, 2022 10:34:31 PM io.cryostat.core.log.Logger info
INFO: (10.0.2.100:59668): GET /api/v1/targets/service%3Ajmx%3Armi%3A%2F%2F%2Fjndi%2Frmi%3A%2F%2Fcryostat%3A9091%2Fjmxrmi/templates 200 147ms
Jan 21, 2022 10:34:31 PM io.cryostat.core.log.Logger info
INFO: (10.0.2.100:59666): GET /api/v1/targets/service%3Ajmx%3Armi%3A%2F%2F%2Fjndi%2Frmi%3A%2F%2Fcryostat%3A9091%2Fjmxrmi/events 200 261ms
Jan 21, 2022 10:34:34 PM io.cryostat.core.log.Logger info
INFO: (10.0.2.100:59666): POST /api/beta/auth/token 200 101ms
Jan 21, 2022 10:34:34 PM io.cryostat.core.log.Logger warn
WARNING: HTTP 401: Unauthorized
io.cryostat.net.web.http.api.v2.ApiException: Unauthorized
Jan 21, 2022 10:34:34 PM io.cryostat.core.log.Logger info
INFO: (10.0.2.100:59666): GET /api/beta/targets/service%3Ajmx%3Armi%3A%2F%2F%2Fjndi%2Frmi%3A%2F%2Fcryostat%3A9091%2Fjmxrmi/templates/Cryostat/type/TARGET 401 11ms
Issue Analytics
- State:
- Created 2 years ago
- Comments:11 (11 by maintainers)
Top GitHub Comments
Okay, that makes more sense now.
This fix looks more flexible and would also let you HTTPie token resources with relative URLs.
Right, .env is used for dev mode and .env.prod for full builds, which are what get packaged into the whole Cryostat OCI image when you do a mvn package.
Makes sense…
Maybe - I’m not sure what you mean by “for running cryostat locally” here, though. The .env.prod uses an empty authority string because that basically causes the URLs generated by the Api.service etc. to become relative URLs, so the client browser is what determines where the instance is running and where to actually send that relative URL request to. If we set the authority string to some non-empty value and package that into an OCI image then that OCI image becomes deployment-specific - it needs to have been built with an authority string that matches the scheme/host/port of where the OCI image will actually be running.
Maybe the fix we need is to instead modify the backend where it handles processing the JWT token and checking the origin, and have it be ever so slightly more lenient. If it’s given an absolute URL then the authority portion must match. If it’s given a relative URL then the authority portion implicitly matches, but the rest of the URL (the path, really) still needs to match?
Otherwise, maybe we can work around this by adding an API handler that just reports the scheme/host/port being used by the backend. This is redundant information for any client that already knows how to contact the backend server, but it could be used by the web-client on startup to initialize its authority value with the actual location of the backend it’s being served from. Or instead of adding a new API handler just for this, maybe this could simply be an extra key:value pair in the object returned by the /health handler.
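
The more lenient check proposed in the last comment (absolute URL: authority must match; relative URL: authority implicitly matches, path must still match) could be sketched as follows. This is an added example, not Cryostat's code: the class name ResourceClaimCheck, the method claimCovers, and the host and port in the sample are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not Cryostat code: class and method names are hypothetical.
public class ResourceClaimCheck {

    /** True if the URL carried in the token's resource claim covers this request. */
    static boolean claimCovers(String claim, URI requested) {
        URI c;
        try {
            c = new URI(claim).normalize();
        } catch (URISyntaxException e) {
            return false; // an unparseable claim never matches
        }
        URI r = requested.normalize();
        if (c.isAbsolute()) {
            // Absolute claim: scheme and authority must match the request.
            String auth = c.getRawAuthority();
            if (!c.getScheme().equalsIgnoreCase(r.getScheme())
                    || auth == null || !auth.equalsIgnoreCase(r.getRawAuthority())) {
                return false;
            }
        } else if (c.getRawAuthority() != null || !c.getRawPath().startsWith("/")) {
            // "//host/path" still names a host, and "a/b" has no fixed base: reject both.
            return false;
        }
        // Compare the raw (still percent-encoded) path so that %2F inside the
        // target ID is not decoded into extra path segments.
        return c.getRawPath() != null && c.getRawPath().equals(r.getRawPath());
    }

    public static void main(String[] args) {
        // Constructed sample: path taken from the log above, host and port assumed.
        String path = "/api/beta/targets/service%3Ajmx%3Armi%3A%2F%2F%2Fjndi%2Frmi"
                + "%3A%2F%2Fcryostat%3A9091%2Fjmxrmi/templates/Cryostat/type/TARGET";
        URI req = URI.create("http://localhost:8181" + path);
        String[] claims = {
            path,                               // relative claim, same path
            "http://localhost:8181" + path,     // absolute claim, same authority
            "http://other.example:8181" + path, // absolute claim, different authority
            "//other.example:8181" + path,      // scheme-relative claim naming a host
            "/api/beta/some/other/resource",    // relative claim, different path
        };
        for (String claim : claims) {
            System.out.println(claimCovers(claim, req) + "  " + claim);
        }
    }
}
```

A claim of the form //host/path has no scheme but still carries an authority, so it is rejected here and does not get the implicit authority match that a path-only claim does.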