- Login is based on sessionkey HttpOnly Cookie
- ApiServlet does login verification using sessionKey from both the request cookies
and the API parameters. In both cases, if either or both are passed they should
match the sessionKey stored in the current session of the HttpRequest
- UI: it no longer needs to read or set sessionkey cookie
- UI: it no longer needs to return g_sessionKey value in the API requests, though
to support a sso mechanism g_sessionKey is still passed in the API is not null
- Secure jsessionid cookie is set to be HttpOnly and Secure
- SAML login should also set HttpOnly cookie before redirecting to UI
- SAML: listIdps & getSPMetadata APIs are readonly now, won't log out a logged in user
Performed tests (login, saml login if applicable, page refreshes, opening
multiple tabs, logout) with following combinations:
- SAML disabled, normal auth as admin, domain-admin and user
- SAML enabled, normal auth as admin, domain-admin and user; and saml sso as
admin, domain-admin and user
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This closes#574
This closes#308
(cherry picked from commit 12edad3e20)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Conflicts:
server/src/com/cloud/api/ApiServlet.java
utils/src/com/cloud/utils/HttpUtils.java
Because buckets can contain a virtually unlimited number of keys, the
complete results of a list query can be extremely large. To manage large
result sets, Amazon S3 uses pagination to split them into multiple
responses.
Signed-off-by: Rajani Karuturi <rajanikaruturi@gmail.com>
This closes#25
(cherry picked from commit 0b6c540a20)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
- Adds X-XSS-Protection header
- Adds X-Content-Type-Options header
- Fixes to use json content type defined from global settings
- Uses secure cookie if enabled in global settings
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
In upgrade case, the db.properties file is not changed, but the following commit
would require passphrase for keystore in it, thus result in error(NPE in fact
due to there is no such properity).
commit 918c320438
Author: Upendra Moturi <upendra.moturi@sungard.com>
Date: Fri Jun 20 11:41:58 2014 +0530
CLOUDSTACK-6847.Link.java and console proxy files have hardcoded value
This commit fix it by put default value for passphrases, also set correct
passphrase if fail-safe keystore is used.
On hosts or containers where they don't have valid mac address on nic resulting
in null, NetUtils.getNetworkParam can throw NPE.
This was a case found on TravisCI where OpenVZ containers are used. This method
(getDefaultHostIp) is used at several other places within the ACS codebase to
get the host IP and if null is caught we fallback to localhost or 127.0.0.1, so
we therefore set info to null before trying to process network param and if we
fail we return null and expect other layers to use localhost.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
In MacAddress class, we start by settig macAddress String as null and go through
the output of ifconfig -a and pick the one string that is a valid mac address
but is not 0x00 and 0xff. With each loop we set the macAddress to null so that
it does not pick the last one if everything fails.
Tested on Ubuntu where I had an interface called cloud0 whose mac id was 0x00
and it was skipped to get the next one:
$ java -classpath <path-to-cloud-utils.jar> com.cloud.utils.net.MacAddress
addr in integer is 5071953436
addr in bytes is 0 1 2e 4f de 1c
addr in char is 00:01:2e:4f:de:1c
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Rohit Yadav
Wei Zhou
Rajani Karuturi
santhosh
Santhosh Edukulla
Damodar
amoghvk
Pierre-Yves Ritschard
Sheng Yang
Min Chen
Anshul Gangwar
David Nalley
Hugo Trippaers
Frank Zhang
Jayapal
Alena Prokharchyk
Kishan Kavala
Mike Tutkowski
Koushik Das