You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cloudstack.apache.org by "huyao (JIRA)" <ji...@apache.org> on 2013/10/08 11:28:50 UTC
[jira] [Updated] (CLOUDSTACK-4829) vnc access instance's console
through apikey failed
[ https://issues.apache.org/jira/browse/CLOUDSTACK-4829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
huyao updated CLOUDSTACK-4829:
------------------------------
Affects Version/s: (was: 4.2.0)
4.1.1
> vnc access instance's console through apikey failed
> ---------------------------------------------------
>
> Key: CLOUDSTACK-4829
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-4829
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: VNC Proxy
> Affects Versions: 4.1.1
> Environment: windows 7 + cygwin + xenserver 6.1.0 + cloudstack 4.1.1
> Reporter: huyao
> Priority: Critical
>
> I compiled cloudstack 4.1.1 source code in cygwin, then test it using jetty, it works fine. But, when I access instance's console through vnc using apikey, it fails, the browser shows the follow message:
> Access denied. Invalid web session or API key in request
> my url:
> http://localhost:8080/client/console?cmd=access&vm=b194369f-e0d4-45d8-a50f-09ec51095e68&apikey=fmS7oyThP6MGxN5X_CgeOCxQIqgTu5QFDz46r2Pv5kLp88EYYBquSu6_3s3d9MXdbUHPpxj5qDDy1jvhEpQWvQ&signature=y3dNHn580NJiCVRGwrBTR4JHImo%3D
> I test the listAccounts api, it's ok.
> my url:
> http://localhost:8080/client/api?command=listAccounts&apikey=fmS7oyThP6MGxN5X_CgeOCxQIqgTu5QFDz46r2Pv5kLp88EYYBquSu6_3s3d9MXdbUHPpxj5qDDy1jvhEpQWvQ&signature=ALhJtw%2Bzi7Rcmo%2Bkk3xH3cTJgp4%3D
> then, I debug the source code, find where it fails.
> file: ConsoleProxyServlet.java
> private boolean verifyRequest(Map<String, Object[]> requestParameters) {
> try {
> ...
> ...
> unsignedRequest = unsignedRequest.toLowerCase();
> Mac mac = Mac.getInstance("HmacSHA1");
> SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
> mac.init(keySpec);
> mac.update(unsignedRequest.getBytes());
> byte[] encryptedBytes = mac.doFinal();
> String computedSignature = Base64.encodeBase64URLSafeString(encryptedBytes);
> boolean equalSig = signature.equals(computedSignature);
> if (!equalSig) {
> s_logger.debug("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);
> }
> ...
> ...
> return equalSig;
> } catch (Exception ex) {
> s_logger.error("unable to verifty request signature", ex);
> }
> return false;
> }
> in this method, signature not equals to computedSignature, so it returns false
> then, I view ApiServer.java,the verifyRequest method:
> public boolean verifyRequest(Map<String, Object[]> requestParameters, Long userId) throws ServerApiException {
> try {
> ...
> ...
> unsignedRequest = unsignedRequest.toLowerCase();
> Mac mac = Mac.getInstance("HmacSHA1");
> SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
> mac.init(keySpec);
> mac.update(unsignedRequest.getBytes());
> byte[] encryptedBytes = mac.doFinal();
> String computedSignature = Base64.encodeBase64String(encryptedBytes);
> boolean equalSig = signature.equals(computedSignature);
> if (!equalSig) {
> s_logger.debug("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);
> }
> ...
> ...
> return equalSig;
> } catch (Exception ex) {
> s_logger.error("unable to verifty request signature", ex);
> }
> return false;
> }
> these two verifyRequest method produce different signature, because the former use :
> String computedSignature = Base64.encodeBase64URLSafeString(encryptedBytes);
> while the later use:
> String computedSignature = Base64.encodeBase64String(encryptedBytes);
> this is why listAccouts works fine, but vnc console is failed.
> when I replace Base64.encodeBase64URLSafeString by Base64.encodeBase64String, vnc console is ok too.
> so I am confused, why use different encode method? It is a bug?
--
This message was sent by Atlassian JIRA
(v6.1#6144)
Re: [jira] [Updated] (CLOUDSTACK-4829) vnc access instance's console
through apikey failed
Posted by sunko2014 <su...@gmail.com>.
I have the same problem
On Tue, Oct 8, 2013 at 5:28 PM, huyao (JIRA) <ji...@apache.org> wrote:
>
> [
> https://issues.apache.org/jira/browse/CLOUDSTACK-4829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
>
> huyao updated CLOUDSTACK-4829:
> ------------------------------
>
> Affects Version/s: (was: 4.2.0)
> 4.1.1
>
> > vnc access instance's console through apikey failed
> > ---------------------------------------------------
> >
> > Key: CLOUDSTACK-4829
> > URL:
> https://issues.apache.org/jira/browse/CLOUDSTACK-4829
> > Project: CloudStack
> > Issue Type: Bug
> > Security Level: Public(Anyone can view this level - this is the
> default.)
> > Components: VNC Proxy
> > Affects Versions: 4.1.1
> > Environment: windows 7 + cygwin + xenserver 6.1.0 + cloudstack
> 4.1.1
> > Reporter: huyao
> > Priority: Critical
> >
> > I compiled cloudstack 4.1.1 source code in cygwin, then test it using
> jetty, it works fine. But, when I access instance's console through vnc
> using apikey, it fails, the browser shows the follow message:
> > Access denied. Invalid web session or API key in request
> > my url:
> >
> http://localhost:8080/client/console?cmd=access&vm=b194369f-e0d4-45d8-a50f-09ec51095e68&apikey=fmS7oyThP6MGxN5X_CgeOCxQIqgTu5QFDz46r2Pv5kLp88EYYBquSu6_3s3d9MXdbUHPpxj5qDDy1jvhEpQWvQ&signature=y3dNHn580NJiCVRGwrBTR4JHImo%3D
> > I test the listAccounts api, it's ok.
> > my url:
> >
> http://localhost:8080/client/api?command=listAccounts&apikey=fmS7oyThP6MGxN5X_CgeOCxQIqgTu5QFDz46r2Pv5kLp88EYYBquSu6_3s3d9MXdbUHPpxj5qDDy1jvhEpQWvQ&signature=ALhJtw%2Bzi7Rcmo%2Bkk3xH3cTJgp4%3D
> > then, I debug the source code, find where it fails.
> > file: ConsoleProxyServlet.java
> > private boolean verifyRequest(Map<String, Object[]> requestParameters) {
> > try {
> > ...
> > ...
> > unsignedRequest = unsignedRequest.toLowerCase();
> > Mac mac = Mac.getInstance("HmacSHA1");
> > SecretKeySpec keySpec = new
> SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
> > mac.init(keySpec);
> > mac.update(unsignedRequest.getBytes());
> > byte[] encryptedBytes = mac.doFinal();
> > String computedSignature =
> Base64.encodeBase64URLSafeString(encryptedBytes);
> > boolean equalSig = signature.equals(computedSignature);
> > if (!equalSig) {
> > s_logger.debug("User signature: " + signature + "
> is not equaled to computed signature: " + computedSignature);
> > }
> > ...
> > ...
> > return equalSig;
> > } catch (Exception ex) {
> > s_logger.error("unable to verifty request signature", ex);
> > }
> > return false;
> > }
> > in this method, signature not equals to computedSignature, so it returns
> false
> > then, I view ApiServer.java,the verifyRequest method:
> > public boolean verifyRequest(Map<String, Object[]> requestParameters,
> Long userId) throws ServerApiException {
> > try {
> > ...
> > ...
> > unsignedRequest = unsignedRequest.toLowerCase();
> > Mac mac = Mac.getInstance("HmacSHA1");
> > SecretKeySpec keySpec = new
> SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
> > mac.init(keySpec);
> > mac.update(unsignedRequest.getBytes());
> > byte[] encryptedBytes = mac.doFinal();
> > String computedSignature =
> Base64.encodeBase64String(encryptedBytes);
> > boolean equalSig = signature.equals(computedSignature);
> > if (!equalSig) {
> > s_logger.debug("User signature: " + signature + "
> is not equaled to computed signature: " + computedSignature);
> > }
> > ...
> > ...
> > return equalSig;
> > } catch (Exception ex) {
> > s_logger.error("unable to verifty request signature", ex);
> > }
> > return false;
> > }
> > these two verifyRequest method produce different signature, because the
> former use :
> > String computedSignature =
> Base64.encodeBase64URLSafeString(encryptedBytes);
> > while the later use:
> > String computedSignature = Base64.encodeBase64String(encryptedBytes);
> > this is why listAccouts works fine, but vnc console is failed.
> > when I replace Base64.encodeBase64URLSafeString by
> Base64.encodeBase64String, vnc console is ok too.
> > so I am confused, why use different encode method? It is a bug?
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.1#6144)
>