On 04/30/2014 03:20 PM, Aline Manera wrote:
Applied. Thanks.

Regards,

Aline Manera

_______________________________________________
Kimchi-devel mailing list
Kimchi-devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/kimchi-devel


After applying this patch and making more tests, I noticed we need to improve it.
In this way we are exposing all the noVNC files and letting the websockify web server render the noVNC page.
The websockify web server is limited - as far as I know it only exposes and renders content in a directory.
So if someone has the URL https://host-ip:64667/vnc.html?port=64667&path=?token=my-vm&encrypt=1 he/she can access
the VM console without Kimchi authentication.

My idea is very similar to what is being done today, BUT instead of exposing all the noVNC files, we expose just one vnc.html.
That html will redirect the user to the Kimchi vnc.html (so Kimchi will be responsible for rendering the noVNC page) and we can add
authentication to it.

The big picture will be:

JS connectToVNC() will redirect to https://host-ip:64667/vnc.html?port=64667&path=?token=my-vm&encrypt=1

https://host-ip:64667/vnc.html will redirect to https://host-ip:8001/vnc.html after loading the page.

So if the user hasn't accepted the CA yet, he/she will be able to do it before being redirected to the Kimchi page.

I am working on a patch to do what I described above and also add Kimchi authentication to vnc.html and spice.html.
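
The redirect step proposed in the message above, as an added example that is not part of the original post or of Kimchi's code: the script a stub page on the proxy port could run to hand the browser over to Kimchi. The function name `kimchiConsoleUrl` is hypothetical; port 8001 and the page names come from the message, and the https-only check is an assumption. The destination is derived only from the page's own location, so no query parameter can steer the redirect to another host.

```javascript
// Added example: redirect logic for a stub vnc.html/spice.html served by the
// websockify port. The stub renders nothing itself; Kimchi renders the noVNC
// page and can therefore require a login first.
const KIMCHI_PORT = "8001"; // Kimchi HTTPS port, as given in the message
const CONSOLE_PAGES = new Set(["/vnc.html", "/spice.html"]);

function kimchiConsoleUrl(proxyHref) {
  const src = new URL(proxyHref);

  // Assumption: consoles are only ever opened over TLS.
  if (src.protocol !== "https:") {
    throw new Error("console must be opened over https");
  }
  // Only the two console entry pages are forwarded; nothing else is.
  if (!CONSOLE_PAGES.has(src.pathname)) {
    throw new Error("not a console page: " + src.pathname);
  }

  // Same scheme, same host, same path and query (port, path, token, encrypt
  // stay untouched); only the port changes. The host is never read from a
  // parameter, so this cannot become an open redirect.
  const dst = new URL(src.href);
  dst.port = KIMCHI_PORT;
  dst.username = "";
  dst.password = "";
  dst.hash = "";
  return dst.href;
}

// In the browser the stub would call this once the page has loaded, i.e. after
// the user has had the chance to accept the certificate for the proxy port.
if (typeof window !== "undefined") {
  window.addEventListener("load", () => {
    window.location.replace(kimchiConsoleUrl(window.location.href));
  });
}
```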