Apologies for replying to an old discussion, but since I could not find solutions, I took a jab at this myself.
The results can be found at https://github.com/mikkolehtisalo/grl-authen/tree/master

I will also link my attempt to the issue, with a couple of suggestions based on what I learnt.

On Wednesday, June 11, 2014 at 3:41:41 PM UTC+3, Kay Röpke wrote:
> Great!
>
> Could you link to it from the issue
> https://github.com/Graylog2/graylog2-web-interface/issues/560 ?
> Maybe we can either integrate something, or at the very least point
> people to it.
>
> Many thanks!
>
> On Wed, Jun 11, 2014 at 2:36 PM, Егор Морозов wrote:
> > Hi,
> >
> > Hooray! I was finally able to do this. Thanks a lot :) I think I'll make up
> > the code and release it later~
> >
> > On Tuesday, June 10, 2014 4:57:33 PM UTC+3, Kay Röpke wrote:
> >> Hi!
> >>
> >> I believe this is the Play framework signing the entire cookie.
> >> The relevant code looks like:
> >>
> >>   /**
> >>    * Signs the given String with HMAC-SHA1 using the application’s secret key.
> >>    *
> >>    * By default this uses the platform default JSSE provider. This
> >>    * can be overridden by defining
> >>    * `application.crypto.provider` in `application.conf`.
> >>    *
> >>    * @param message The message to sign.
> >>    * @return A hexadecimal encoded signature.
> >>    */
> >>   def sign(message: String): String = {
> >>     secret.map(secret => sign(message, secret.getBytes("utf-8"))).getOrElse {
> >>       throw new PlayException("Configuration error", "Missing application.secret")
> >>     }
> >>   }
> >>
> >>   /**
> >>    * Signs the given String with HMAC-SHA1 using the given key.
> >>    *
> >>    * By default this uses the platform default JSSE provider. This
> >>    * can be overridden by defining
> >>    * `application.crypto.provider` in `application.conf`.
> >>    *
> >>    * @param message The message to sign.
> >>    * @param key The private key to sign with.
> >>    * @return A hexadecimal encoded signature.
> >>    */
> >>   def sign(message: String, key: Array[Byte]): String = {
> >>     val mac = provider.map(p => Mac.getInstance("HmacSHA1", p)).getOrElse(Mac.getInstance("HmacSHA1"))
> >>     mac.init(new SecretKeySpec(key, "HmacSHA1"))
> >>     Codecs.toHexString(mac.doFinal(message.getBytes("utf-8")))
> >>   }
> >>
> >> So you should be able to take the application.secret, use that as the
> >> HmacSHA1 secret, sign the entire cookie value (incl. the cookie name
> >> and '=') and prepend the sha + '-'.
> >>
> >> What I couldn't find the code for right away is how the cookie value
> >> is generated if it is a map. But I think that's not relevant here.
> >>
> >> Hope that helps!
> >>
> >> Kay
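
The signing scheme described in the quoted message, as an added example that is not part of the original thread or of the linked project: it mirrors the quoted `sign()` (HMAC-SHA1 over the UTF-8 message, hex encoded), prepends the signature and '-', and verifies with a constant-time comparison. The function names, the secret and the name=value string are constructed for illustration; exactly which string the web interface signs is taken from the description above and is an assumption.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values; a real deployment reads application.secret
# from the web interface's configuration and keeps it out of source control.
SAMPLE_SECRET = "constructed-application-secret"
SAMPLE_DATA = "sessionid=constructed-session-token"  # name=value, constructed


def play_sign(message: str, secret: str) -> str:
    """HMAC-SHA1 of the UTF-8 message, keyed with the UTF-8 secret, as hex."""
    mac = hmac.new(secret.encode("utf-8"), message.encode("utf-8"), hashlib.sha1)
    return mac.hexdigest()


def make_signed_value(data: str, secret: str) -> str:
    """Prepend '<hex signature>-' to the data that was signed."""
    return play_sign(data, secret) + "-" + data


def verify_signed_value(signed: str, secret: str) -> Optional[str]:
    """Return the data if its signature is valid, otherwise None."""
    # The hex signature never contains '-', so the first '-' is the separator.
    signature, separator, data = signed.partition("-")
    if not separator or len(signature) != 40:  # SHA-1 gives 40 hex characters
        return None
    expected = play_sign(data, secret)
    # compare_digest avoids leaking, through timing, how many leading
    # characters of a guessed signature were correct.
    if not hmac.compare_digest(signature.encode("utf-8"), expected.encode("utf-8")):
        return None
    return data


if __name__ == "__main__":
    cookie = make_signed_value(SAMPLE_DATA, SAMPLE_SECRET)
    print("signed value:", cookie)
    print("verified    :", verify_signed_value(cookie, SAMPLE_SECRET))
    tampered = cookie.replace("constructed-session", "someone-elses")
    print("tampered    :", verify_signed_value(tampered, SAMPLE_SECRET))
```

Anyone who holds application.secret can produce values that pass this check, so the secret needs the same protection as a credential.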
