Hey Donal,
Sorry, I should have responded to you a bit earlier but had no access to email
today. Yeah, you are absolutely right. The UI uses the JSESSIONID to bypass the login
check, something like this as shown below:
    // Use this for checking the session, to bypass login screen
    bypassLoginCheck: function(args) { // determine whether to show or bypass the login screen
        if (g_loginResponse == null) { // show login screen: no login response yet, so restore state from cookies
            g_mySession = $.cookie('JSESSIONID');
            g_sessionKey = $.cookie('sessionKey');
            g_role = $.cookie('role');
            g_username = $.cookie('username');
            g_userid = $.cookie('userid');
            g_account = $.cookie('account');
            g_domainid = $.cookie('domainid');
            g_userfullname = $.cookie('userfullname');
            g_timezone = $.cookie('timezone');
            // a non-numeric cookie value becomes null rather than NaN
            if ($.cookie('timezoneoffset') != null)
                g_timezoneoffset = isNaN($.cookie('timezoneoffset')) ? null : parseFloat($.cookie('timezoneoffset'));
            else
                g_timezoneoffset = null;
        }
        // remainder of the method not quoted in the email
    }
Let me know if you need any more details.
Thanks,
Pranav
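As an added example, not code from this email or from CloudStack itself: the two halves of the cookie-based session described above, in JavaScript. The client half mirrors the bypassLoginCheck logic (cookies decide only whether the login screen is shown); the server half is an assumed model of the check an API servlet has to make, that the sessionkey sent with each request matches the one stored for that JSESSIONID, and is not CloudStack's actual ApiServlet code.

```javascript
// Client half: mirrors bypassLoginCheck above. Cookies only decide whether
// the login screen is shown; the globals are restored from them. The
// timezoneoffset guard turns a non-numeric cookie into null instead of NaN.
function restoreSessionFromCookies(cookies) {
  if (!cookies.JSESSIONID || !cookies.sessionKey) return null; // show login screen
  const off = cookies.timezoneoffset;
  return {
    mySession: cookies.JSESSIONID,
    sessionKey: cookies.sessionKey,
    role: cookies.role || null,
    username: cookies.username || null,
    timezoneoffset: off == null || isNaN(off) ? null : parseFloat(off),
  };
}

// Parse a Cookie header value into an object (constructed helper).
function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Server half (assumed model, not CloudStack's ApiServlet): sessions are
// keyed by JSESSIONID and hold the sessionkey issued at login. A request is
// accepted only if the cookie names a live session AND the sessionkey query
// parameter equals the stored one, so the cookie on its own proves nothing.
function validateApiRequest(sessionStore, cookieHeader, query) {
  const session = sessionStore.get(parseCookies(cookieHeader).JSESSIONID);
  if (!session) return { status: 401, reason: 'unknown or expired session' };
  if (!query.sessionkey || query.sessionkey !== session.sessionkey) {
    return { status: 401, reason: 'sessionkey missing or mismatched' };
  }
  return { status: 200, account: session.account };
}

// Constructed sample: one live session as the server would hold it after login.
const sampleSessions = new Map([['ABC123', { sessionkey: 'k-1', account: 'admin' }]]);
```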
-----Original Message-----
From: Donal Lafferty [mailto:[email protected]]
Sent: Thursday, April 04, 2013 9:33 PM
To: [email protected]
Cc: [email protected]
Subject: RE: CloudStack UI Authentication Mechanism
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Rohit Yadav
> Sent: 04 April 2013 4:36 PM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: CloudStack UI Authentication Mechanism
>
> On Thu, Apr 4, 2013 at 7:59 PM, Donal Lafferty
> <[email protected]> wrote:
>
> >
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]] On
> > > Behalf Of Rohit Yadav
> > > Sent: 04 April 2013 2:52 PM
> > > To: [email protected]
> > > Cc: [email protected]
> > > Subject: Re: CloudStack UI Authentication Mechanism
> > >
> > > On Thu, Apr 4, 2013 at 4:50 PM, Donal Lafferty
> > > <[email protected]> wrote:
> > >
> > > > I noticed that the CloudStack UI allows VM control to accounts
> > > > that don't have an API key set defined.
> > > >
> > > > How does its authentication mechanism work? E.g.
> > > >
> > > >
> > > > 1. How are API calls authenticated and authorized if they
> > > > are not signed with API keys?
> > > >
> > >
> > > On the integration port, defined in the global settings (8096
> > > generally), there is no authentication done; the user is admin and
> > > has max. power.
> > >
> > [Donal Lafferty]
> > Okay, but the UI doesn't usually go over 8096. How does it work
> > when it's not bypassing authentication?
> >
>
> jQuery UI experts will let you know the internals. When authentication
> in the UI is done, the keys are obtained and subsequently used while querying.
> Just attach your debugger to ApiServlet's GET handlers and follow the
> sequence which will help you discover how it all works till it reaches
> ApiDispatcher (through ApiServer class) where the actual cmd class is
> found, filled and executed.
>
[Donal Lafferty]
Looks like it uses a JSESSIONID cookie rather than HTTP Query signing.
See http://cloudstack.apache.org/docs/api/apidocs-4.0.0/root_admin/login.html
> Cheers.
>
>
> > >
> > > >
> > > > 2. Does this work equally well when LDAP is to
> > > > authenticate username / password?
> > > >
> > >
> > > Abhi can comment on this one.
> > >
> > > Cheers.
> > >
> > >
> > > >
> > > >
> > > > DL