Great!

Could you link to it from the issue
https://github.com/Graylog2/graylog2-web-interface/issues/560 ?
Maybe we can either integrate something, or at the very least point
people to it.

Many thanks!

On Wed, Jun 11, 2014 at 2:36 PM, Егор Морозов <akrusmob...@gmail.com> wrote:
> Hi,
>
> Hooray! I was finally able to do this. Thanks a lot :) I think I'll make up
> the code and release it later~
>
>
> On Tuesday, June 10, 2014 4:57:33 PM UTC+3, Kay Röpke wrote:
>>
>> Hi!
>>
>> I believe this is the Play framework signing the entire cookie.
>> The relevant code looks like:
>>   /**
>>    * Signs the given String with HMAC-SHA1 using the application’s secret key.
>>    *
>>    * By default this uses the platform default JSSE provider.  This can be overridden by defining
>>    * `application.crypto.provider` in `application.conf`.
>>    *
>>    * @param message The message to sign.
>>    * @return A hexadecimal encoded signature.
>>    */
>>   def sign(message: String): String = {
>>     secret.map(secret => sign(message, secret.getBytes("utf-8"))).getOrElse {
>>       throw new PlayException("Configuration error", "Missing application.secret")
>>     }
>>   }
>>
>>   /**
>>    * Signs the given String with HMAC-SHA1 using the given key.
>>    *
>>    * By default this uses the platform default JSSE provider.  This can be overridden by defining
>>    * `application.crypto.provider` in `application.conf`.
>>    *
>>    * @param message The message to sign.
>>    * @param key The private key to sign with.
>>    * @return A hexadecimal encoded signature.
>>    */
>>   def sign(message: String, key: Array[Byte]): String = {
>>     val mac = provider.map(p => Mac.getInstance("HmacSHA1", p)).getOrElse(Mac.getInstance("HmacSHA1"))
>>     mac.init(new SecretKeySpec(key, "HmacSHA1"))
>>     Codecs.toHexString(mac.doFinal(message.getBytes("utf-8")))
>>   }
>>
>> So you should be able to take the application.secret, use that as the
>> HmacSHA1 secret, sign the entire cookie value (incl. the cookie name
>> and '=') and prepend the sha + '-'.
>>
>> What I couldn't find the code for right away is how the cookie value
>> is generated if it is a map. But I think that's not relevant here.
>>
>> Hope that helps!
>>
>> Kay
>
> --
> You received this message because you are subscribed to the Google Groups
> "graylog2" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to graylog2+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
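
The signing scheme described in the quoted message above (HMAC-SHA1 keyed with application.secret, hex-encoded, prepended to the signed string with '-'), as an added Python example that is not code from this thread, Play or Graylog. The function names, the secret and the payload are constructed for illustration; the verification side uses a constant-time comparison.

```python
import hashlib
import hmac
from typing import Optional


def sign(message: str, secret: str) -> str:
    """HMAC-SHA1 over the UTF-8 message, keyed with the UTF-8 secret, as lowercase hex."""
    mac = hmac.new(secret.encode("utf-8"), message.encode("utf-8"), hashlib.sha1)
    return mac.hexdigest()


def encode_signed(payload: str, secret: str) -> str:
    """Prepend the hex signature and '-' to the signed string."""
    return sign(payload, secret) + "-" + payload


def decode_signed(value: str, secret: str) -> Optional[str]:
    """Return the payload if its signature verifies, otherwise None."""
    # Hex digits never contain '-', so the first '-' ends the signature
    # even when the payload itself contains dashes.
    signature, sep, payload = value.partition("-")
    if not sep or len(signature) != hashlib.sha1().digest_size * 2:
        return None
    expected = sign(payload, secret)
    # Constant-time comparison so verification does not leak how many
    # leading characters of a guessed signature were correct.
    if not hmac.compare_digest(signature.encode("utf-8"), expected.encode("utf-8")):
        return None
    return payload


if __name__ == "__main__":
    # Constructed values: stand-ins for application.secret and for the
    # string being signed (cookie name, '=', value).
    secret = "constructed-application-secret"
    payload = "sessionid=constructed-session-value"

    signed = encode_signed(payload, secret)
    print(signed)
    print(decode_signed(signed, secret))                # payload comes back
    print(decode_signed(signed + "x", secret))          # tampered payload -> None
    print(decode_signed(signed, "some-other-secret"))   # wrong key -> None
```

Anyone who holds application.secret can produce values that verify, so the secret needs the same protection as any other signing key, and a changed secret invalidates every previously signed value.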
