Featured image for Cryostat (was ContainerJFR) topics.

Cryostat is a tool for managing JDK Flight Recorder data on Kubernetes. This article explains how new download APIs based on JSON Web Tokens (JWTs) help facilitate a more responsive and efficient download workflow in the Cryostat 2.1 web client.

The Cryostat web client download workflow

Previously, the web client download flow for resources such as recordings, reports, and templates consisted of the application firing an HTTP GET request with the appropriate authorization header(s) to the back-end, downloading the returned file into browser memory, creating a local object URL for the blob, and then assigning the URL to an anchor element prompting user response. The file size determined the download speed and when the "Save File" prompt would appear. Once this process was completed, the user would be prompted to save the file to disk or cancel the download even though the file had already been transferred to the user’s machine.

Cryostat 2.1 improves the download flow by using the HTML 5 download attribute available in most browsers. Specifically, an anchor element is created with the href attribute set to a URL for the resource provided by the back-end, and the download attribute is set to the file name. When the anchor is clicked,  the “Save File” prompt appears (see Figure 1).

Figure 1: The "Save File" prompt allows users to decide whether they want to save the recording file to disk or not.

If the user clicks “Save File,” the file downloads directly to disk. If the user clicks "Cancel," the file will not be downloaded. Another benefit is that the time to display the “Save File” dialog is no longer dependent on the file size because nothing is being downloaded into the browser memory.

However, a limitation of the href attribute is that it is not possible to provide headers with the URL without authorization to retrieve the resource. This is where JSON Web Tokens come in.

How JSON Web Tokens improve download workflow

JWTs are credentials that ensure the user sending the server request is the same user that was authenticated (i.e., logged in) previously in the session and also has access to the requested resource. They consist of JSON payloads containing authorization metadata. 

Cryostat 2.1 has implemented new API handlers to help facilitate JWT downloads. When a user downloads a file through the web client, a POST request containing the required authorization headers and a multipart form attribute identifying the requested resource is sent to the /api/v2.1/auth/token endpoint. The API handler encodes the information into a JWT token, symmetrically encrypts it, and returns a resource URL associated with the token. This is the URL to which the aforementioned href attribute is set. When the anchor element is clicked, the resulting GET request for the file resource will be authorized using the JWT token, solving the problem of not being able to provide any headers with the href attribute.

Any JWT token-associated GET requests are handled by new version 2.1 API handlers specifically designed for this purpose. The web client extensively uses these because of the improved browser-related performance. However, other API clients, such as user-created automated workflows, can continue using the original version 1 download APIs because they do not require generating JWT tokens which are functionally identical to the new version 2.1 handlers.

Figure 2 shows the main Cryostat container logs when a recording download request from the web client is received.

Figure 2: The recording download request in Figure 1 results in the two HTTP requests shown here.

Conclusion

New JWT-based download APIs allow the Cryostat web client to provide an improved resource download workflow for users. For more information on Cryostat such as guides and contact information, visit us at cryostat.io.

Find more Cryostat tutorials on Red Hat Developer:

Comments