faithjb
Contributor

Cross-Origin Request is allowed in vSphere Client Plugin?

Hi,

I have a plugin built on the vSphere HTML5 Client SDK. If I would like to invoke outside RESTful APIs directly from the TypeScript/JavaScript layer, meaning the Java service layer is skipped totally, is this valid/accepted behavior from the vSphere H5 Client's view? Are there any security concerns? I just want to check whether this is allowed by VMware. Thanks,

laurentsd, if you can share your points, that would be much appreciated!!

Accepted Solutions
laurentsd
VMware Employee

Have a look at plugin-seed 0.9.7 available on our Fling page at vSphere HTML5 Web Client

The documentation explains how to use the http-proxy-servlet to avoid CORS issues when talking to your backend directly.

4 Replies
tganchev
VMware Employee

Hi,

It's valid to directly call your backend from the plugin's frontend. On your backend you need to support CORS headers that accept requests coming from the vCenter server's domain (host). The other issue you'd be facing is trusting self-signed certificates - you need to have a way to open the backend server's URL in a new browser tab and accept the certificate (AJAX requests will not give you a meaningful reason why the particular request failed until you accept the certificate).

From a security standpoint the only issue is passing over sensitive vSphere information such as session IDs and cookies - it should be best done inside a custom HTTP header.

Edit: there is a middle-of-the-road approach that can eliminate the CORS and certificate concerns - have a reverse proxy servlet implemented as the only piece of Java code in your plugin. By doing this, you'd have your frontend talking to a local endpoint in the same domain that will forward all requests to the actual remote backend automatically.

-Tony
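
The backend-side CORS handling described in the reply above, as an added example that is not part of the original thread or of the vSphere SDK. It shows why a custom session header forces a preflight that the backend must answer, with the allowed origin matched exactly. The origin `https://vcenter.example.test` and the header name `X-Plugin-Session` are hypothetical placeholders.

```javascript
// Added example. The origin and header name below are constructed/hypothetical.
const ALLOWED_ORIGINS = new Set(["https://vcenter.example.test"]);
const SESSION_HEADER = "x-plugin-session"; // hypothetical custom header name
const ALLOWED_HEADERS = ["content-type", SESSION_HEADER];
const ALLOWED_METHODS = ["GET", "POST"];

// headers: request headers with lower-cased names (as Node's http module gives them).
// Returns the status and CORS response headers the backend should send.
function corsDecision(method, headers) {
  const origin = headers["origin"];
  // Exact match against the allowlist: no "*", no suffix or regex matching,
  // and never echo back an Origin that is not on the list.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }
  // Vary: Origin keeps shared caches from reusing the response for another origin.
  const base = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };

  const wantedMethod = headers["access-control-request-method"];
  if (method === "OPTIONS" && wantedMethod) {
    // Preflight: sent by the browser because the request carries a custom header.
    const wantedHeaders = (headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wantedMethod) &&
      wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers: {} };
    return {
      status: 204,
      headers: {
        ...base,
        "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
        "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
        "Access-Control-Max-Age": "600",
      },
    };
  }
  if (!ALLOWED_METHODS.includes(method)) return { status: 405, headers: base };
  // The session token arrives in the custom header, not in a cookie, so
  // Access-Control-Allow-Credentials is not needed and is left unset.
  return { status: 200, headers: base };
}
```

CORS only controls what a browser lets the calling page read; the backend still has to validate the session value carried in the custom header on every request.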

faithjb
Contributor

Thanks a lot, Tony!! Really helpful for my questions!!!

faithjb
Contributor

Thanks, @laurentsd
