Dear Maxim,

 

No error in browser dev tools, both console or network tabs.  All HTTP 200 
status.  To isolate the cause of login failure, we temporarily commented out 
CSRF listener.  (CSRF is an important and useful feature for us.)

 

With "HTTPS proxy + OM HTTP", after executing this line in SignInDialog.java, it 
reloads the login page with empty username and password.

https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/main/java/org/apache/openmeetings/web/pages/auth/SignInDialog.java#L196

 

1. Does it reload because of a malformed COOKIE_KEY due to 
org.apache.wicket.authentication.strategy.DefaultAuthenticationStrategy.decode(String value)?

 

2. In successful login, could you tell us why AuthLevelUtil is called 3 
times to grant Admin rights?

 

Thank you.

 

Sincerely,

 

Hemant K. Sabat

 

Coscend Communications Solutions

www.Coscend.com <http://www.coscend.com/>  

------------------------------------------------------------------

Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, 
Telepresence Services, on the fly…

------------------------------------------------------------------

CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages 
from Coscend Communications Solutions' posted at: 
http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html
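The "HTTPS proxy + HTTP OM" setup and the CSRF listener discussed in this thread, as an added illustration that is not OpenMeetings or Wicket code: it models an Origin-based CSRF check of the kind such a listener performs and shows why a TLS-terminating proxy in front of a plain-HTTP backend breaks it unless the application is told the real scheme. The host name, header values and `X-Forwarded-Proto`/`X-Forwarded-Port` handling are constructed assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_triple(url):
    """Normalise a URL or Origin header value to (scheme, host, port)."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS[scheme]


def app_origin(request_url, headers, trust_forwarded_proto):
    """Origin the application believes it is served on.

    Behind a TLS-terminating proxy, request_url is the plain-HTTP URL the
    backend received. Only when the app is configured to trust the proxy's
    X-Forwarded-Proto (and optional X-Forwarded-Port) does it learn that the
    browser actually talked HTTPS. Constructed behaviour for illustration.
    """
    scheme, host, port = origin_triple(request_url)
    fwd = headers.get("X-Forwarded-Proto", "").lower()
    if trust_forwarded_proto and fwd in DEFAULT_PORTS:
        scheme = fwd
        port = int(headers.get("X-Forwarded-Port", DEFAULT_PORTS[fwd]))
    return scheme, host, port


def csrf_origin_check(request_url, headers, trust_forwarded_proto=False):
    """Return (allowed, reason) for a state-changing POST such as the login.

    The browser's Origin header (Referer as a fallback) must match the
    application's own origin; a mismatch is rejected as a cross-site request.
    A request with neither header is passed on to a separate no-origin policy.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return True, "no Origin/Referer header; deferred to no-origin policy"
    expected = app_origin(request_url, headers, trust_forwarded_proto)
    actual = origin_triple(source)
    if actual == expected:
        return True, "origin %r matches application origin" % (actual,)
    return False, "origin %r does not match expected %r" % (actual, expected)


# Constructed login POST as the backend sees it behind a TLS-terminating proxy:
# the browser posted to https://meet.example.com, the backend got plain HTTP.
LOGIN_POST_URL = "http://meet.example.com/openmeetings/signin"
PROXIED_HEADERS = {
    "Host": "meet.example.com",
    "Origin": "https://meet.example.com",
    "X-Forwarded-Proto": "https",
}

if __name__ == "__main__":
    print(csrf_origin_check(LOGIN_POST_URL, PROXIED_HEADERS))
    print(csrf_origin_check(LOGIN_POST_URL, PROXIED_HEADERS, trust_forwarded_proto=True))
```

The first call is rejected (https vs http origin), the second passes once the forwarded scheme is trusted, which is the usual remedy instead of disabling the CSRF check.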

 

 

 

From: Maxim Solodovnik [mailto:solomax...@gmail.com] 
Sent: Wednesday, November 22, 2017 1:34 AM
To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
Subject: Re: Login Issue via Proxy Server from 3.3.1+

 

Not sure why you have removed CSRF listener, but it is your choice ....

 

I guess you have an error in your browser console? What is the error?

 

On Wed, Nov 22, 2017 at 2:27 PM, Coscend@OM <om.insig...@coscend.com> wrote:

Dear Maxim,

Further, the key difference in logs is the line below.  We have been trying to 
solve this problem for the past three months since 3.3.1 release.  Therefore, 
we are seeking to learn the CHANGES in login logic.

SUCCESSFUL login via OM HTTP:  The line below appears 3 times
----------------------------------------------
        DEBUG 11-21 22:28:48.406 88202 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-2] - Level Admin :: [GRANTED]
        DEBUG 11-21 22:28:48.508 88304 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-6] - Level Admin :: [GRANTED]
        DEBUG 11-21 22:28:48.751 88547 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-8] - Level Admin :: [GRANTED]

Are there three checks of rights?

----------
FAILED login via HTTPS proxy + OM HTTP:  This line appears only once and then 
it reloads the login page.
----------------------------------------------------------
        DEBUG 11-21 22:37:28.914 608710 42 o.a.o.d.u.AuthLevelUtil [05-6083-exec-10] - Level Admin :: [GRANTED]

Here there is only one check for rights.

Thank you.

Sincerely,

Hemant K. Sabat




-----Original Message-----

From: Coscend@OM [mailto:om.insig...@coscend.com]
Sent: Wednesday, November 22, 2017 1:18 AM
To: dev@openmeetings.apache.org
Subject: RE: Login Issue via Proxy Server from 3.3.1+

Dear Maxim,

1) Do you have https proxy + http OM?
YES.
2) What changes did you make to OM config files?
NONE, except commented out CSRF and CSP code in Application.java lines 245-260 
(https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java#L245)


The previous log was from HTTP OM direct (no proxy HTTPS):  successful login


FAILED USE CASE LOG:  Login via HTTPS proxy + HTTP OM
-----------------------------------------------------------------------------------

DEBUG 11-21 22:34:40.966 440762 74 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-4] - getActiveLdapConfigs
DEBUG 11-21 22:37:28.400 608196 594 o.a.o.d.d.u.UserDao [05-6083-exec-10] - login:: 1 users were found
DEBUG 11-21 22:37:28.893 608689 42 o.a.o.d.u.AuthLevelUtil [05-6083-exec-10] - Level Login :: [GRANTED]
DEBUG 11-21 22:37:28.894 608690 611 o.a.o.d.d.u.UserDao [05-6083-exec-10] - loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend, deleted=false], user=User [id=1, firstname=firstname, lastname=lastname, login=Coscendtest, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=...@Coscend.com, phone=null], externalId=null, externalType=null, type=user]]]
DEBUG 11-21 22:37:28.894 608690 619 o.a.o.d.d.u.UserDao [05-6083-exec-10] - User login - after all ifs - u User [id=1, firstname=firstname, lastname=lastname, login=Coscendtest, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=i...@coscend.com, phone=null], externalId=null, externalType=null, type=user]
DEBUG 11-21 22:37:28.914 608710 42 o.a.o.d.u.AuthLevelUtil [05-6083-exec-10] - Level Admin :: [GRANTED]
DEBUG 11-21 22:37:28.915 608711 178 o.a.o.w.a.WebSession [05-6083-exec-10] - userId: 1
DEBUG 11-21 22:37:28.979 608775 114 o.a.o.w.p.a.SignInPage [105-6083-exec-4] - pp: org.apache.wicket.protocol.http.servlet.ServletWebRequest$1@4de5c338
DEBUG 11-21 22:37:28.980 608776 156 o.a.o.w.a.WebSession [105-6083-exec-4] - data: null
DEBUG 11-21 22:37:28.998 608794 147 o.a.o.w.p.a.SignInPage [105-6083-exec-4] - r: [RegisterDialog [Component id = register]]


Thank you.

Sincerely,

Hemant K. Sabat




-----Original Message-----
From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Wednesday, November 22, 2017 12:38 AM
To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
Subject: Re: Login Issue via Proxy Server from 3.3.1+

I see no issues in your log; is it filtered?
Also I need more details on your configuration:
1) Do you have https proxy + http OM?
2) What changes did you make to OM config files?

On Wed, Nov 22, 2017 at 1:23 PM, Coscend@OM <om.insig...@coscend.com> wrote:

> Dear OpenMeetings Developers,
>
>
>
> We would appreciate any vectors regarding this issue we have been
> facing since OpenMeetings 3.3.1 release.
>
>
>
> 1.     We are able to successfully login into OM DIRECTLY (without proxy
> server) all versions including 4.0.1-SNAPSHOT.
>
> 2.     Via a proxy server, we are unable to login into versions 3.3.1 and
> later.  Upon clicking on submit button, it reloads the login page with
> empty username and password fields.  The browser dev gives status 200
> with no exceptions.  The proxy logs give status 200.
>
> In 3.3.0, CSRF and other security features were introduced.  Our proxy
> server has these configurations including redirect rule to same origin
> for HTTP request.
>
>
>
>
>
> SEEKING GUIDANCE:  LOGIN LOGIC IN 3.3.1+ / 4.0.1
>
> --------------------------------------------------------------------------
>
> Could someone describe the "changes in LOGIN LOGIC" from v. 3.3.1
> onwards (which is also in v. 4.0.1)?
>
>
>
> Process flow:
>
>
>
> To isolate the issue, content security policy code was commented out
> in Application.java before compilation.
>
>
>
> Om-web/./web/app/Websession.java
>
> Om-web/./web/pages/auth/SignInPage.java --> calls SignInDialog.java
>
> Om-db/./dao/user/UserDao.java
>
> Om-db/./dao/util/AuthLevelUtil.java - Level Admin :: [GRANTED]
>
> [
>
> ==> IT IS FAILING HERE, during login via proxy server.  It goes back and
> reloads the login page with empty fields.
>
> ]
>
>
>
> Om-db/./dao/util/AuthLevelUtil.java - Level Admin :: [GRANTED]
>
> Om-db/./dao/util/AuthLevelUtil.java - Level Admin :: [GRANTED]
>
> Om-web/./web/app/Application.java
>
> Om-web/./web/common/MainPanel.java  --> home page loads
>
>
>
> DETAILED LOGS
>
> DEBUG 11-21 22:27:38.412 18208 74 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-2] - getActiveLdapConfigs
> DEBUG 11-21 22:28:47.783 87579 594 o.a.o.d.d.u.UserDao [105-6083-exec-2] - login:: 1 users were found
> DEBUG 11-21 22:28:47.791 87587 39 o.a.o.u.c.CryptProvider [105-6083-exec-2] - getInstanceOfCrypt:: configKeyCryptClassName: org.apache.openmeetings.util.crypt.SCryptImplementation
> DEBUG 11-21 22:28:48.365 88161 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-2] - Level Login :: [GRANTED]
> DEBUG 11-21 22:28:48.374 88170 611 o.a.o.d.d.u.UserDao [105-6083-exec-2] - loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend, deleted=false], user=User [id=1, firstname=firstname, lastname=lastname, login=Coscendtest, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=i...@coscend.com, phone=null], externalId=null, externalType=null, type=user]]]
> DEBUG 11-21 22:28:48.406 88202 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-2] - Level Admin :: [GRANTED]
> DEBUG 11-21 22:28:48.508 88304 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-6] - Level Admin :: [GRANTED]
> DEBUG 11-21 22:28:48.751 88547 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-8] - Level Admin :: [GRANTED]
> DEBUG 11-21 22:28:50.412 90208 388 o.a.o.w.a.Application [105-6083-exec-6] - Adding online client: a36ff887-25cd-4774-a5f6-6ceafaaf88db, room: null
> DEBUG 11-21 22:28:50.421 90217 145 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior::onConnect [uid: a36ff887-25cd-4774-a5f6-6ceafaaf88db, session: CDD77C3323F2D33735824E1B0FCC0570, key: org.apache.wicket.protocol.ws.api.registry.PageIdKey@0]
> DEBUG 11-21 22:28:50.427 90223 154 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior:: pingTimer is attached
> DEBUG 11-21 22:28:51.683 91479 255 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - getUserRoom : 1 || conference
> DEBUG 11-21 22:28:51.691 91487 263 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - Could not find room 1 || conference
> WARN 11-21 22:28:51.693 91489 78 o.a.o.d.d.r.SipDao [105-6083-exec-4] - There is no Asterisk configured
> DEBUG 11-21 22:28:51.703 91499 255 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - getUserRoom : 1 || presentation
> DEBUG 11-21 22:28:51.706 91502 263 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - Could not find room 1 || presentation
> WARN 11-21 22:28:51.706 91502 78 o.a.o.d.d.r.SipDao [105-6083-exec-4] - There is no Asterisk configured
> DEBUG 11-21 22:28:51.711 91507 191 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - getAppointedRoomsByUser : UserID - 1
>
>
>
>
>
> Thank you.
>
>
>
> Sincerely,
>
>
>
> Hemant K. Sabat
>
>
>
> Coscend Communications Solutions
>
>



--
WBR
Maxim aka solomax





 
