I have the same problem
On Tue, Oct 8, 2013 at 5:28 PM, huyao (JIRA) <j...@apache.org> wrote:
>
> [ https://issues.apache.org/jira/browse/CLOUDSTACK-4829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>
> huyao updated CLOUDSTACK-4829:
> ------------------------------
>
>     Affects Version/s: (was: 4.2.0)
>                        4.1.1
>
> > vnc access instance's console through apikey failed
> > ---------------------------------------------------
> >
> >                 Key: CLOUDSTACK-4829
> >                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-4829
> >             Project: CloudStack
> >          Issue Type: Bug
> >      Security Level: Public(Anyone can view this level - this is the default.)
> >          Components: VNC Proxy
> >    Affects Versions: 4.1.1
> >         Environment: windows 7 + cygwin + xenserver 6.1.0 + cloudstack 4.1.1
> >            Reporter: huyao
> >            Priority: Critical
> >
> > I compiled the cloudstack 4.1.1 source code in cygwin, then tested it using jetty, and it works fine. But when I access an instance's console through vnc using an apikey, it fails, and the browser shows the following message:
> >
> > Access denied. Invalid web session or API key in request
> >
> > my url:
> >
> > http://localhost:8080/client/console?cmd=access&vm=b194369f-e0d4-45d8-a50f-09ec51095e68&apikey=fmS7oyThP6MGxN5X_CgeOCxQIqgTu5QFDz46r2Pv5kLp88EYYBquSu6_3s3d9MXdbUHPpxj5qDDy1jvhEpQWvQ&signature=y3dNHn580NJiCVRGwrBTR4JHImo%3D
> >
> > I tested the listAccounts api, and it's ok.
> >
> > my url:
> >
> > http://localhost:8080/client/api?command=listAccounts&apikey=fmS7oyThP6MGxN5X_CgeOCxQIqgTu5QFDz46r2Pv5kLp88EYYBquSu6_3s3d9MXdbUHPpxj5qDDy1jvhEpQWvQ&signature=ALhJtw%2Bzi7Rcmo%2Bkk3xH3cTJgp4%3D
> >
> > then, I debugged the source code and found where it fails.
> >
> > file: ConsoleProxyServlet.java
> >
> >     private boolean verifyRequest(Map<String, Object[]> requestParameters) {
> >         try {
> >             ...
> >             ...
> >             unsignedRequest = unsignedRequest.toLowerCase();
> >             Mac mac = Mac.getInstance("HmacSHA1");
> >             SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
> >             mac.init(keySpec);
> >             mac.update(unsignedRequest.getBytes());
> >             byte[] encryptedBytes = mac.doFinal();
> >             String computedSignature = Base64.encodeBase64URLSafeString(encryptedBytes);
> >             boolean equalSig = signature.equals(computedSignature);
> >             if (!equalSig) {
> >                 s_logger.debug("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);
> >             }
> >             ...
> >             ...
> >             return equalSig;
> >         } catch (Exception ex) {
> >             s_logger.error("unable to verifty request signature", ex);
> >         }
> >         return false;
> >     }
> >
> > in this method, signature does not equal computedSignature, so it returns false
> >
> > then, I view ApiServer.java, the verifyRequest method:
> >
> >     public boolean verifyRequest(Map<String, Object[]> requestParameters, Long userId) throws ServerApiException {
> >         try {
> >             ...
> >             ...
> >             unsignedRequest = unsignedRequest.toLowerCase();
> >             Mac mac = Mac.getInstance("HmacSHA1");
> >             SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
> >             mac.init(keySpec);
> >             mac.update(unsignedRequest.getBytes());
> >             byte[] encryptedBytes = mac.doFinal();
> >             String computedSignature = Base64.encodeBase64String(encryptedBytes);
> >             boolean equalSig = signature.equals(computedSignature);
> >             if (!equalSig) {
> >                 s_logger.debug("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);
> >             }
> >             ...
> >             ...
> >             return equalSig;
> >         } catch (Exception ex) {
> >             s_logger.error("unable to verifty request signature", ex);
> >         }
> >         return false;
> >     }
> >
> > these two verifyRequest methods produce different signatures, because the former uses:
> >
> >     String computedSignature = Base64.encodeBase64URLSafeString(encryptedBytes);
> >
> > while the latter uses:
> >
> >     String computedSignature = Base64.encodeBase64String(encryptedBytes);
> >
> > this is why listAccounts works fine, but the vnc console fails.
> >
> > when I replace Base64.encodeBase64URLSafeString with Base64.encodeBase64String, the vnc console is ok too.
> >
> > so I am confused, why use different encoding methods? Is it a bug?
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.1#6144)
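The mismatch described in the quoted report, reproduced as an added example (not code from the report or from CloudStack). The two Commons Codec calls are mirrored with Python's standard and URL-safe Base64; the secret key and the already-lowercased unsigned request string are constructed values, and CloudStack's parameter sorting/encoding step (elided as "..." in the quoted code) is not reproduced. It also shows a verifier that decodes the presented signature whichever alphabet produced it and compares the raw MAC bytes in constant time, so the encoding choice no longer decides the outcome.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

# Constructed sample values (not the key or request from the report).
SECRET_KEY = "example-secret-key-not-real"
UNSIGNED_REQUEST = "apikey=examplekey&cmd=access&vm=b194369f-e0d4-45d8-a50f-09ec51095e68"


def hmac_sha1(secret: str, unsigned_request: str) -> bytes:
    """The MAC both servlets compute: HmacSHA1 over the lowercased request string."""
    return hmac.new(secret.encode(), unsigned_request.lower().encode(), hashlib.sha1).digest()


def encode_standard(mac: bytes) -> str:
    """Mirrors Base64.encodeBase64String: '+' and '/' alphabet, '=' padding kept."""
    return base64.b64encode(mac).decode("ascii")


def encode_url_safe(mac: bytes) -> str:
    """Mirrors Base64.encodeBase64URLSafeString: '-' and '_' alphabet, padding stripped."""
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def decode_any_base64(text: str) -> bytes:
    """Decode a signature produced by either alphabet, restoring any stripped padding."""
    text = unquote(text)  # clients send the signature URL-encoded, e.g. %3D for '='
    text = text.replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text, validate=True)  # raises ValueError on junk input


def verify_signature(secret: str, unsigned_request: str, presented_signature: str) -> bool:
    """Compare decoded MAC bytes in constant time rather than comparing encoded strings."""
    try:
        presented = decode_any_base64(presented_signature)
    except ValueError:
        return False
    return hmac.compare_digest(presented, hmac_sha1(secret, unsigned_request))


if __name__ == "__main__":
    mac = hmac_sha1(SECRET_KEY, UNSIGNED_REQUEST)
    std, safe = encode_standard(mac), encode_url_safe(mac)
    # A 20-byte SHA-1 MAC always carries one '=' pad in standard Base64, so the two
    # strings never match byte-for-byte even when no '+' or '/' occurs in the output.
    print("standard:", std)
    print("url-safe:", safe)
    print("string equality:", std == safe)
    print("byte-level verify (standard):", verify_signature(SECRET_KEY, UNSIGNED_REQUEST, std))
    print("byte-level verify (url-safe):", verify_signature(SECRET_KEY, UNSIGNED_REQUEST, safe))
```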