[
https://issues.apache.org/jira/browse/CLOUDSTACK-4829?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13790183#comment-13790183
]
shangxu commented on CLOUDSTACK-4829:
-------------------------------------
I have the same problem
> vnc access instance's console through apikey failed
> ---------------------------------------------------
>
> Key: CLOUDSTACK-4829
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-4829
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: VNC Proxy
> Affects Versions: 4.1.1
> Environment: windows 7 + cygwin + xenserver 6.1.0 + cloudstack 4.1.1
> Reporter: huyao
> Priority: Critical
>
> I compiled cloudstack 4.1.1 source code in cygwin, then test it using jetty,
> it works fine. But, when I access instance's console through vnc using
> apikey, it fails, the browser shows the follow message:
> Access denied. Invalid web session or API key in request
> my url:
> http://localhost:8080/client/console?cmd=access&vm=b194369f-e0d4-45d8-a50f-09ec51095e68&apikey=fmS7oyThP6MGxN5X_CgeOCxQIqgTu5QFDz46r2Pv5kLp88EYYBquSu6_3s3d9MXdbUHPpxj5qDDy1jvhEpQWvQ&signature=y3dNHn580NJiCVRGwrBTR4JHImo%3D
> I test the listAccounts api, it's ok.
> my url:
> http://localhost:8080/client/api?command=listAccounts&apikey=fmS7oyThP6MGxN5X_CgeOCxQIqgTu5QFDz46r2Pv5kLp88EYYBquSu6_3s3d9MXdbUHPpxj5qDDy1jvhEpQWvQ&signature=ALhJtw%2Bzi7Rcmo%2Bkk3xH3cTJgp4%3D
> then, I debug the source code, find where it fails.
> file: ConsoleProxyServlet.java
> private boolean verifyRequest(Map<String, Object[]> requestParameters) {
> try {
> ...
> ...
> unsignedRequest = unsignedRequest.toLowerCase();
> Mac mac = Mac.getInstance("HmacSHA1");
> SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(),
> "HmacSHA1");
> mac.init(keySpec);
> mac.update(unsignedRequest.getBytes());
> byte[] encryptedBytes = mac.doFinal();
> String computedSignature =
> Base64.encodeBase64URLSafeString(encryptedBytes);
> boolean equalSig = signature.equals(computedSignature);
> if (!equalSig) {
> s_logger.debug("User signature: " + signature + " is
> not equaled to computed signature: " + computedSignature);
> }
> ...
> ...
> return equalSig;
> } catch (Exception ex) {
> s_logger.error("unable to verifty request signature", ex);
> }
> return false;
> }
> in this method, signature not equals to computedSignature, so it returns false
> then, I view ApiServer.javaļ¼the verifyRequest method:
> public boolean verifyRequest(Map<String, Object[]> requestParameters, Long
> userId) throws ServerApiException {
> try {
> ...
> ...
> unsignedRequest = unsignedRequest.toLowerCase();
> Mac mac = Mac.getInstance("HmacSHA1");
> SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(),
> "HmacSHA1");
> mac.init(keySpec);
> mac.update(unsignedRequest.getBytes());
> byte[] encryptedBytes = mac.doFinal();
> String computedSignature =
> Base64.encodeBase64String(encryptedBytes);
> boolean equalSig = signature.equals(computedSignature);
> if (!equalSig) {
> s_logger.debug("User signature: " + signature + " is
> not equaled to computed signature: " + computedSignature);
> }
> ...
> ...
> return equalSig;
> } catch (Exception ex) {
> s_logger.error("unable to verifty request signature", ex);
> }
> return false;
> }
> these two verifyRequest method produce different signature, because the
> former use :
> String computedSignature = Base64.encodeBase64URLSafeString(encryptedBytes);
> while the later use:
> String computedSignature = Base64.encodeBase64String(encryptedBytes);
> this is why listAccouts works fine, but vnc console is failed.
> when I replace Base64.encodeBase64URLSafeString by Base64.encodeBase64String,
> vnc console is ok too.
> so I am confused, why use different encode method? It is a bug?
--
This message was sent by Atlassian JIRA
(v6.1#6144)
