[ https://issues.apache.org/jira/browse/CLOUDSTACK-4829?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13790183#comment-13790183 ]
shangxu commented on CLOUDSTACK-4829:
-------------------------------------

I have the same problem

> vnc access instance's console through apikey failed
> ---------------------------------------------------
>
>                 Key: CLOUDSTACK-4829
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-4829
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: VNC Proxy
>    Affects Versions: 4.1.1
>         Environment: windows 7 + cygwin + xenserver 6.1.0 + cloudstack 4.1.1
>            Reporter: huyao
>            Priority: Critical
>
> I compiled cloudstack 4.1.1 source code in cygwin, then tested it using jetty,
> and it works fine. But when I access an instance's console through vnc using
> the apikey, it fails; the browser shows the following message:
>
> Access denied. Invalid web session or API key in request
>
> my url:
> http://localhost:8080/client/console?cmd=access&vm=b194369f-e0d4-45d8-a50f-09ec51095e68&apikey=fmS7oyThP6MGxN5X_CgeOCxQIqgTu5QFDz46r2Pv5kLp88EYYBquSu6_3s3d9MXdbUHPpxj5qDDy1jvhEpQWvQ&signature=y3dNHn580NJiCVRGwrBTR4JHImo%3D
>
> I tested the listAccounts api, and it's ok.
> my url:
> http://localhost:8080/client/api?command=listAccounts&apikey=fmS7oyThP6MGxN5X_CgeOCxQIqgTu5QFDz46r2Pv5kLp88EYYBquSu6_3s3d9MXdbUHPpxj5qDDy1jvhEpQWvQ&signature=ALhJtw%2Bzi7Rcmo%2Bkk3xH3cTJgp4%3D
>
> Then I debugged the source code and found where it fails.
>
> file: ConsoleProxyServlet.java
>
>     private boolean verifyRequest(Map<String, Object[]> requestParameters) {
>         try {
>             ...
>             ...
>             unsignedRequest = unsignedRequest.toLowerCase();
>             Mac mac = Mac.getInstance("HmacSHA1");
>             SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
>             mac.init(keySpec);
>             mac.update(unsignedRequest.getBytes());
>             byte[] encryptedBytes = mac.doFinal();
>             String computedSignature = Base64.encodeBase64URLSafeString(encryptedBytes);
>             boolean equalSig = signature.equals(computedSignature);
>             if (!equalSig) {
>                 s_logger.debug("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);
>             }
>             ...
>             ...
>             return equalSig;
>         } catch (Exception ex) {
>             s_logger.error("unable to verifty request signature", ex);
>         }
>         return false;
>     }
>
> In this method, signature does not equal computedSignature, so it returns false.
>
> Then I viewed ApiServer.java, the verifyRequest method:
>
>     public boolean verifyRequest(Map<String, Object[]> requestParameters, Long userId) throws ServerApiException {
>         try {
>             ...
>             ...
>             unsignedRequest = unsignedRequest.toLowerCase();
>             Mac mac = Mac.getInstance("HmacSHA1");
>             SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
>             mac.init(keySpec);
>             mac.update(unsignedRequest.getBytes());
>             byte[] encryptedBytes = mac.doFinal();
>             String computedSignature = Base64.encodeBase64String(encryptedBytes);
>             boolean equalSig = signature.equals(computedSignature);
>             if (!equalSig) {
>                 s_logger.debug("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);
>             }
>             ...
>             ...
>             return equalSig;
>         } catch (Exception ex) {
>             s_logger.error("unable to verifty request signature", ex);
>         }
>         return false;
>     }
>
> These two verifyRequest methods produce different signatures, because the
> former uses:
>
>     String computedSignature = Base64.encodeBase64URLSafeString(encryptedBytes);
>
> while the latter uses:
>
>     String computedSignature = Base64.encodeBase64String(encryptedBytes);
>
> This is why listAccounts works fine, but the vnc console fails.
> When I replace Base64.encodeBase64URLSafeString with Base64.encodeBase64String,
> the vnc console is ok too.
> So I am confused: why use different encoding methods? Is it a bug?

--
This message was sent by Atlassian JIRA
(v6.1#6144)
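The mismatch the reporter traces in the two verifyRequest methods can be reproduced without a CloudStack deployment. The following is an added example written for this page, not CloudStack's own code or a patch for the issue: it builds the canonical signed string the way both servlets do (sorted parameters, lowercased, HMAC-SHA1), then encodes the digest once with standard Base64 (what commons-codec encodeBase64String emits: `+`, `/` and `=` padding, which ApiServer compares against) and once with the URL-safe variant (encodeBase64URLSafeString: `-`, `_` and no padding, which ConsoleProxyServlet compares against). The credentials, the VM id, the exact parameter set and the URL-encoding of values are constructed assumptions and are simplified relative to real CloudStack clients; the point is that the two encodings of a 20-byte SHA-1 digest can never be equal, so a client that signs per the API convention is always rejected by the console servlet. The example also swaps the quoted code's `String.equals` for a constant-time comparison and shows a verifier that accepts either encoding by normalizing before comparing.

```python
"""Reproduce the Base64 encoding mismatch described in CLOUDSTACK-4829.

Example code written for this page, not CloudStack's own code. Credentials,
VM id, parameter set and value encoding below are constructed samples.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials and console request; not real keys or VMs.
API_KEY = "demo-api-key"
SECRET_KEY = "demo-secret-key"
CONSOLE_PARAMS = {
    "cmd": "access",
    "vm": "00000000-0000-0000-0000-000000000000",
    "apikey": API_KEY,
}


def unsigned_request(params: dict) -> str:
    """Canonical string both servlets sign: parameters sorted by lowercased
    name, values URL-encoded, joined with '&', then the whole string
    lowercased (mirrors the toLowerCase() call in the quoted code). The value
    encoding here is a simplification of what CloudStack clients do."""
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={quote(str(v), safe='')}" for k, v in ordered).lower()


def hmac_sha1(secret: str, message: str) -> bytes:
    """The 20-byte digest both verifyRequest methods compute before encoding."""
    return hmac.new(secret.encode(), message.encode(), hashlib.sha1).digest()


def sign_standard(secret: str, params: dict) -> str:
    """ApiServer.verifyRequest encoding (Base64.encodeBase64String):
    standard alphabet with '=' padding. 20 bytes always yield 28 chars
    ending in exactly one '='."""
    return base64.b64encode(hmac_sha1(secret, unsigned_request(params))).decode()


def sign_urlsafe(secret: str, params: dict) -> str:
    """ConsoleProxyServlet.verifyRequest encoding (Base64.encodeBase64URLSafeString):
    '-' and '_' instead of '+' and '/', and commons-codec emits no padding
    in this variant, so the trailing '=' is dropped."""
    raw = base64.urlsafe_b64encode(hmac_sha1(secret, unsigned_request(params))).decode()
    return raw.rstrip("=")


def verify_exact(expected: str, presented: str) -> bool:
    """Exact string comparison like signature.equals() in the quoted code,
    but constant-time; String.equals short-circuits on the first differing
    character and so leaks how much of the expected value matched."""
    return hmac.compare_digest(expected.encode(), presented.encode())


def normalize(sig: str) -> str:
    """Map either Base64 alphabet to one canonical form (standard alphabet,
    padding removed). The MAC itself is unchanged; only the presentation of
    the digest is unified before comparison."""
    return sig.replace("-", "+").replace("_", "/").rstrip("=")


def verify_either_encoding(secret: str, params: dict, presented: str) -> bool:
    """Verifier that accepts a signature in either Base64 alphabet."""
    expected = normalize(sign_standard(secret, params))
    return hmac.compare_digest(expected.encode(), normalize(presented).encode())


def reproduce() -> dict:
    """Sign the console request the way an API client does (standard Base64)
    and check it against the logic of each servlet and of the normalizing
    verifier."""
    client_sig = sign_standard(SECRET_KEY, CONSOLE_PARAMS)
    return {
        "client_signature": client_sig,
        "api_servlet_accepts": verify_exact(sign_standard(SECRET_KEY, CONSOLE_PARAMS), client_sig),
        "console_servlet_accepts": verify_exact(sign_urlsafe(SECRET_KEY, CONSOLE_PARAMS), client_sig),
        "normalizing_verifier_accepts": verify_either_encoding(SECRET_KEY, CONSOLE_PARAMS, client_sig),
    }


if __name__ == "__main__":
    for name, value in reproduce().items():
        print(f"{name}: {value}")
```

The `%3D` at the end of the signature in the reporter's console URL is the URL-encoded `=` padding of a standard Base64 digest; the servlet URL-decodes the query string before comparing, but the URL-safe encoding it computes carries no padding at all and substitutes `-`/`_` for `+`/`/`, so no URL-decoded standard signature can ever match it. Normalizing both sides before a constant-time compare, as `verify_either_encoding` does, is one way a verifier can tolerate both encodings without weakening the MAC; it is shown here as an illustration, not as the fix the project adopted.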