From e7c887265132fb0178390775d86f67a98d4a60a1 Mon Sep 17 00:00:00 2001
From: Kelven Yang
Date: Thu, 27 Jan 2011 11:54:22 -0800
Subject: [PATCH] Use URL safe BASE64 encoding for console access ticket generation.
---
 .../consoleproxy/ConsoleProxyManagerImpl.java | 18 ++++++++++++++----
 .../com/cloud/servlet/ConsoleProxyServlet.java | 14 ++++++--------
 2 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
index dc3dd6b28f8..b3a7e91279a 100644
--- a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
+++ b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
@@ -706,21 +706,31 @@ public class ConsoleProxyManagerImpl implements ConsoleProxyManager, ConsoleProx
 return new ConsoleAccessAuthenticationAnswer(cmd, false);
 }
+ if(s_logger.isDebugEnabled())
+ s_logger.debug("Console authentication. Ticket in url for " + cmd.getHost() + ":" + cmd.getPort() + "-" + cmd.getVmId() + " is " + ticketInUrl);
+
 String ticket = ConsoleProxyServlet.genAccessTicket(cmd.getHost(), cmd.getPort(), cmd.getSid(), cmd.getVmId());
- if(!ticket.startsWith(ticketInUrl)) {
+ if(s_logger.isDebugEnabled())
+ s_logger.debug("Console authentication. Ticket in 1 minute boundary for " + cmd.getHost() + ":" + cmd.getPort() + "-" + cmd.getVmId() + " is " + ticket);
+
+ if(!ticket.equals(ticketInUrl)) {
 Date now = new Date();
 // considering of minute round-up
 String minuteEarlyTicket = ConsoleProxyServlet.genAccessTicket(cmd.getHost(), cmd.getPort(), cmd.getSid(), cmd.getVmId(), new Date(now.getTime() - 60*1000));
- if(!minuteEarlyTicket.startsWith(ticketInUrl)) {
+
+ if(s_logger.isDebugEnabled())
+ s_logger.debug("Console authentication. Ticket in 2-minute boundary for " + cmd.getHost() + ":" + cmd.getPort() + "-" + cmd.getVmId() + " is " + minuteEarlyTicket);
+
+ if(!minuteEarlyTicket.equals(ticketInUrl)) {
 s_logger.error("Access ticket expired or has been modified. vmId: " + cmd.getVmId() + "ticket in URL: " + ticketInUrl + ", tickets to check against: " + ticket + "," + minuteEarlyTicket);
 return new ConsoleAccessAuthenticationAnswer(cmd, false);
 }
 }
 if (cmd.getVmId() != null && cmd.getVmId().isEmpty()) {
- if (s_logger.isTraceEnabled()) {
- s_logger.trace("Invalid vm id sent from proxy(happens when proxy session has terminated)");
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Invalid vm id sent from proxy(happens when proxy session has terminated)");
 }
 return new ConsoleAccessAuthenticationAnswer(cmd, false);
 }
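Review bot: The three new `s_logger.debug` calls write the ticket taken from the URL and both freshly computed valid tickets to the log in clear text; as the checks below show, either computed value is accepted as the credential for this host/port/VM for up to two minutes, so enabling debug logging turns the log into a store of live console tickets. Log the identifiers and the outcome only, e.g. `s_logger.debug("Console authentication for " + cmd.getHost() + ":" + cmd.getPort() + "-" + cmd.getVmId() + ": ticket in URL did not match the current-minute ticket");`, and treat the pre-existing error line that prints all three tickets the same way. The new `ticket.equals(ticketInUrl)` and `minuteEarlyTicket.equals(ticketInUrl)` comparisons also return on the first differing character; `MessageDigest.isEqual` on the two strings' byte arrays gives a constant-time check at no readability cost. The enclosing method begins before the hunk and continues after it.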
diff --git a/server/src/com/cloud/servlet/ConsoleProxyServlet.java b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
index e5696b8936d..9f689a2e9f4 100644
--- a/server/src/com/cloud/servlet/ConsoleProxyServlet.java
+++ b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
@@ -34,10 +34,9 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
+import org.apache.commons.codec.binary.Base64;
 import org.apache.log4j.Logger;
-import com.cloud.domain.dao.DomainDao;
-import com.cloud.domain.dao.DomainDaoImpl;
 import com.cloud.host.HostVO;
 import com.cloud.server.ManagementServer;
 import com.cloud.user.Account;
@@ -45,8 +44,6 @@ import com.cloud.user.User;
 import com.cloud.utils.Pair;
 import com.cloud.utils.component.ComponentLocator;
 import com.cloud.utils.db.Transaction;
-import com.cloud.utils.encoding.Base64;
-import com.cloud.vm.UserVmVO;
 import com.cloud.vm.VMInstanceVO;
 /**
@@ -288,7 +285,7 @@ public class ConsoleProxyServlet extends HttpServlet {
 }
 String sid = vm.getVncPassword();
 long tag = vm.getId();
- String ticket = URLEncoder.encode(genAccessTicket(host, String.valueOf(portInfo.second()), sid, String.valueOf(tag)));
+ String ticket = genAccessTicket(host, String.valueOf(portInfo.second()), sid, String.valueOf(tag));
 sb.append("/getscreen?host=").append(host);
 sb.append("&port=").append(portInfo.second());
@@ -313,7 +310,7 @@ public class ConsoleProxyServlet extends HttpServlet {
 }
 String sid = vm.getVncPassword();
 long tag = vm.getId();
- String ticket = URLEncoder.encode(genAccessTicket(host, String.valueOf(portInfo.second()), sid, String.valueOf(tag)));
+ String ticket = genAccessTicket(host, String.valueOf(portInfo.second()), sid, String.valueOf(tag));
 sb.append("/ajax?host=").append(host);
 sb.append("&port=").append(portInfo.second());
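Review bot: The new assignments in the @@ -288 and @@ -313 hunks drop the `URLEncoder.encode` wrapper without a comment saying why the raw ticket is now safe in a query string; the reason is only visible in genAccessTicket's switch to `encodeBase64URLSafeString`, and someone changing that encoder later would not see this dependency. Add `// ticket is URL-safe, unpadded Base64 (no '+', '/' or '='), so it needs no URL encoding` above both assignments. The `host` value appended unencoded on the following line is unchanged by this commit; whether it needs escaping depends on where it is validated, which is outside the hunk. Both hunks sit inside methods whose start and end lie outside the diff.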
@@ -347,7 +344,8 @@ public class ConsoleProxyServlet extends HttpServlet {
 mac.update(String.valueOf(ts).getBytes());
 byte[] encryptedBytes = mac.doFinal();
- return Base64.encodeBytes(encryptedBytes);
+
+ return Base64.encodeBase64URLSafeString(encryptedBytes);
 } catch(Exception e) {
 s_logger.error("Unexpected exception ", e);
 }
@@ -518,7 +516,7 @@ public class ConsoleProxyServlet extends HttpServlet {
 mac.init(keySpec);
 mac.update(unsignedRequest.getBytes());
 byte[] encryptedBytes = mac.doFinal();
- String computedSignature = Base64.encodeBytes(encryptedBytes);
+ String computedSignature = com.cloud.utils.encoding.Base64.encodeBytes(encryptedBytes);
 boolean equalSig = signature.equals(computedSignature);
 if (!equalSig) {
 s_logger.info("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);
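Review bot: The new return in genAccessTicket switches the ticket to URL-safe, unpadded Base64 but leaves no comment on why, and the code that relies on it (the unencoded query-string embedding earlier in this class and the verbatim `equals` check in ConsoleProxyManagerImpl) is far from this line. Add `// URL-safe Base64 without padding: the ticket is embedded in a query string as-is and compared verbatim by ConsoleProxyManagerImpl` above the return. The method's declaration and its return after the `catch` are outside the hunk; if the exception path yields null, the manager's new `ticket.equals(ticketInUrl)` would throw instead of denying access, which is worth confirming. The `getBytes()` on the context line above uses the platform default charset; that is pre-existing, but a fixed charset would make the ticket independent of the JVM's locale settings.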
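Review bot: `com.cloud.utils.encoding.Base64.encodeBytes(encryptedBytes)` is now written fully qualified with nothing explaining why this path keeps the legacy encoder while tickets moved to commons-codec; presumably API clients compute their signatures with standard padded Base64 and this must keep matching them, and a later cleanup that unifies the two encoders would break every signed API call. Add `// API clients sign with standard (padded, non-URL-safe) Base64; keep the legacy encoder so computed and client signatures match` above the line. The adjacent `signature.equals(computedSignature)` is untouched by this commit, but `MessageDigest.isEqual` on the byte arrays would be the natural follow-up for a signature check. The enclosing method starts before the hunk and ends after it.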