To be fair, I'm not sure what you are asking about .... :(((

On Wed, Nov 29, 2017 at 12:44 PM, Coscend@OM <om.insig...@coscend.com>
wrote:

> Good Morning, Maxim,
>
> As you advised, we have almost zeroed in on the cause of the login issue
> with 4.0.1 via proxy server.  May we seek your favor to solve it further?
>
> Could you help us with the following insights into the code?
>
> (1).  Does OM's Red5/Tomcat server send the 'HTTP Response' cookie as
> HTTP's Set-Cookie header
> Or, Does the server send it embedded in URL ONLY such as
> https://coscend.com/CoscendCC.Test/signin;jsessionid=E916C54BB7A9EA30E3EC9021AEF4CB79
>
> Which file should we look at?  SignInDialog, SignInPage,
> OmAuthenticationStrategy, WebSession, Application --all Java extensions.
>
> (2) Does the client's 'HTTP Request' message send the cookie back as
> HTTP's Cookie header or
> OR, does it send it embedded as URL ONLY such as
> https://coscend.com/CoscendCC.Test/signin;jsessionid=E916C54BB7A9EA30E3EC9021AEF4CB79?
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat
>
> Coscend Communications Solutions
> www.Coscend.com
> ------------------------------------------------------------------
> Real-time, Interactive Video Collaboration, Tele-healthcare,
> Tele-education, Telepresence Services, on the fly…
> ------------------------------------------------------------------
> CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
> Messages from Coscend Communications Solutions' posted at:
> http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html
>
>
> -----Original Message-----
> From: Maxim Solodovnik [mailto:solomax...@gmail.com]
> Sent: Wednesday, November 22, 2017 3:13 AM
> To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
> Subject: Re: Login Issue via Proxy Server from 3.3.1+
>
> AuthLevelUtil grants nothing; this is a very simple utility class to check
> user auth level. So "Level Admin :: [GRANTED]" simply means the particular user
> was _tested_ to have ADMIN level and the test was successful. It has nothing to
> do with your problem.
>
> Your signin request should fail at some level. It is vital to find what is
> wrong _before_ fixing .... :)))
>
> On Wed, Nov 22, 2017 at 3:37 PM, Coscend@OM <om.insig...@coscend.com>
> wrote:
>
> > Dear Maxim,
> >
> >
> >
> > No error in browser dev tools, both console or network tabs.  All HTTP
> > 200 status.  To isolate the cause of login failure, we temporarily
> > commented out CSRF listener.  (CSRF is an important and useful feature
> > for us.)
> >
> >
> >
> > With “HTTPS proxy+ OM HTTP”, after executing this line in
> > SignInDialog.java, it reloads the login page with empty username and
> > password.
> >
> > https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/main/java/org/apache/openmeetings/web/pages/auth/SignInDialog.java#L196
> >
> >
> >
> > 1.     Does it reload because of a malformed COOKIE_KEY due to
> > org.apache.wicket.authentication.strategy.DefaultAuthenticationStrategy?
> > decode (String value)
> >
> >
> >
> > 2.     In successful login, could you tell us why AuthLevelUtil is called
> > 3 times to grant Admin rights?
> >
> >
> >
> > Thank you.
> >
> >
> >
> > Sincerely,
> >
> >
> >
> > Hemant K. Sabat
> >
> >
> >
> >
> > From: Maxim Solodovnik [mailto:solomax...@gmail.com]
> > Sent: Wednesday, November 22, 2017 1:34 AM
> > To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
> > Subject: Re: Login Issue via Proxy Server from 3.3.1+
> >
> >
> >
> > Not sure why you have removed CSRF listener, but it is your choice ....
> >
> >
> >
> > I guess you have an error in your browser console? What is the error?
> >
> >
> >
> > On Wed, Nov 22, 2017 at 2:27 PM, Coscend@OM <om.insig...@coscend.com> wrote:
> >
> > Dear Maxim,
> >
> > Further, the key difference in logs is the line below.  We have been
> > trying to solve this problem for the past three months since 3.3.1
> > release.  Therefore, we are seeking to learn the CHANGES in login logic.
> >
> > SUCCESSFUL login via OM HTTP:  The line below appears 3 times
> > ----------------------------------------------
> >         DEBUG 11-21 22:28:48.406 88202 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-2] - Level Admin :: [GRANTED]
> >         DEBUG 11-21 22:28:48.508 88304 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-6] - Level Admin :: [GRANTED]
> >         DEBUG 11-21 22:28:48.751 88547 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-8] - Level Admin :: [GRANTED]
> >
> > Are there three checks of rights?
> >
> > ----------
> > FAILED login via HTTPS proxy + OM HTTP:  This line appears only once
> > and then reloads the login page.
> > ----------------------------------------------------------
> >         DEBUG 11-21 22:37:28.914 608710 42 o.a.o.d.u.AuthLevelUtil [05-6083-exec-10] - Level Admin :: [GRANTED]
> >
> > Here there is only one check for rights.
> >
> > Thank you.
> >
> > Sincerely,
> >
> > Hemant K. Sabat
> >
> >
> >
> >
> > -----Original Message-----
> >
> > From: Coscend@OM [mailto:om.insig...@coscend.com]
> > Sent: Wednesday, November 22, 2017 1:18 AM
> > To: dev@openmeetings.apache.org
> > Subject: RE: Login Issue via Proxy Server from 3.3.1+
> >
> > Dear Maxim,
> >
> > 1) do you have https proxy + http OM ?
> > YES.
> > 2) what changes did you made to OM config files?
> > NONE,
> > except commented out CSRF and CSP code in Application.java Lines 245-260
> > (https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java#L245)
> >
> >
> > The previous log was from HTTP OM direct (no proxy HTTPS):  successful
> > login
> >
> >
> > FAILED USE CASE LOG:  Login via HTTPS proxy + HTTP OM
> > ------------------------------------------------------------
> >
> > DEBUG 11-21 22:34:40.966 440762 74 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-4] - getActiveLdapConfigs
> > DEBUG 11-21 22:37:28.400 608196 594 o.a.o.d.d.u.UserDao [05-6083-exec-10] - login:: 1 users were found
> > DEBUG 11-21 22:37:28.893 608689 42 o.a.o.d.u.AuthLevelUtil [05-6083-exec-10] - Level Login :: [GRANTED]
> > DEBUG 11-21 22:37:28.894 608690 611 o.a.o.d.d.u.UserDao [05-6083-exec-10] - loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend, deleted=false], user=User [id=1, firstname=firstname, lastname=lastname, login=Coscendtest, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=...@Coscend.com, phone=null], externalId=null, externalType=null, type=user]]]
> > DEBUG 11-21 22:37:28.894 608690 619 o.a.o.d.d.u.UserDao [05-6083-exec-10] - User login - after all ifs - u User [id=1, firstname=firstname, lastname=lastname, login=Coscendtest, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=i...@coscend.com, phone=null], externalId=null, externalType=null, type=user]
> > DEBUG 11-21 22:37:28.914 608710 42 o.a.o.d.u.AuthLevelUtil [05-6083-exec-10] - Level Admin :: [GRANTED]
> > DEBUG 11-21 22:37:28.915 608711 178 o.a.o.w.a.WebSession [05-6083-exec-10] - userId: 1
> > DEBUG 11-21 22:37:28.979 608775 114 o.a.o.w.p.a.SignInPage [105-6083-exec-4] - pp: org.apache.wicket.protocol.http.servlet.ServletWebRequest$1@4de5c338
> > DEBUG 11-21 22:37:28.980 608776 156 o.a.o.w.a.WebSession [105-6083-exec-4] - data: null
> > DEBUG 11-21 22:37:28.998 608794 147 o.a.o.w.p.a.SignInPage [105-6083-exec-4] - r: [RegisterDialog [Component id = register]]
> >
> >
> > Thank you.
> >
> > Sincerely,
> >
> > Hemant K. Sabat
> >
> >
> >
> >
> > -----Original Message-----
> > From: Maxim Solodovnik [mailto:solomax...@gmail.com]
> > Sent: Wednesday, November 22, 2017 12:38 AM
> > To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
> > Subject: Re: Login Issue via Proxy Server from 3.3.1+
> >
> > I see no issues in your log, is it filtered?
> > Also I need more details on your configuration:
> > 1) do you have https proxy + http OM ?
> > 2) what changes did you made to OM config files?
> >
> > On Wed, Nov 22, 2017 at 1:23 PM, Coscend@OM <om.insig...@coscend.com> wrote:
> >
> > > Dear OpenMeetings Developers,
> > >
> > >
> > >
> > > We would appreciate any vectors regarding this issue we have been
> > > facing since OpenMeetings 3.3.1 release.
> > >
> > >
> > >
> > > 1.     We are able to successfully login into OM DIRECTLY (without proxy
> > > server) all versions including 4.0.1-SNAPSHOT.
> > >
> > > 2.     Via a proxy server, we are unable to login into versions 3.3.1 and
> > > later.  Upon clicking on submit button, it reloads the login page
> > > with empty username and password fields.  The browser dev gives
> > > status 200 with no exceptions.  The proxy logs give status 200.
> > >
> > > In 3.3.0, CSRF and other security features were introduced.  Our
> > > proxy server has these configurations including redirect rule to
> > > same origin for HTTP request.
> > >
> > >
> > >
> > >
> > >
> > > SEEKING GUIDANCE:  LOGIN LOGIC IN 3.3.1+ / 4.0.1
> > >
> > > --------------------------------------------------------------------
> > >
> > > Could someone describe the "changes in LOGIN LOGIC" from v. 3.3.1
> > > onwards (which is also in v. 4.0.1)?
> > >
> > >
> > >
> > > Process flow:
> > >
> > >
> > >
> > > To isolate the issue, content security policy code was commented out
> > > in Application.java before compilation.
> > >
> > >
> > >
> > > Om-web/./web/app/Websession.java
> > >
> > > Om-web/./web/pages/auth/SignInPage.java --> calls SignInDialog.java
> > >
> > > Om-db/./dao/user/UserDao.java
> > >
> > > Om-db/./dao/util/AuthLevelUtil.java - Level Admin :: [GRANTED]
> > >
> > > [
> > >
> > > ==>IT IS FAILING HERE during login via proxy server.  It goes back
> > > and reloads the login page with empty fields.
> > >
> > > ]
> > >
> > >
> > >
> > > Om-db/./dao/util/AuthLevelUtil.java - Level Admin :: [GRANTED]
> > >
> > > Om-db/./dao/util/AuthLevelUtil.java - Level Admin :: [GRANTED]
> > >
> > > Om-web/./web/app/Application.java
> > >
> > > Om-web/./web/common/MainPanel.java  --> home page loads
> > >
> > >
> > >
> > > DETAILED LOGS
> > >
> > > DEBUG 11-21 22:27:38.412 18208 74 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-2] - getActiveLdapConfigs
> > > DEBUG 11-21 22:28:47.783 87579 594 o.a.o.d.d.u.UserDao [105-6083-exec-2] - login:: 1 users were found
> > > DEBUG 11-21 22:28:47.791 87587 39 o.a.o.u.c.CryptProvider [105-6083-exec-2] - getInstanceOfCrypt:: configKeyCryptClassName: org.apache.openmeetings.util.crypt.SCryptImplementation
> > > DEBUG 11-21 22:28:48.365 88161 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-2] - Level Login :: [GRANTED]
> > > DEBUG 11-21 22:28:48.374 88170 611 o.a.o.d.d.u.UserDao [105-6083-exec-2] - loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend, deleted=false], user=User [id=1, firstname=firstname, lastname=lastname, login=Coscendtest, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=i...@coscend.com, phone=null], externalId=null, externalType=null, type=user]]]
> > > DEBUG 11-21 22:28:48.406 88202 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-2] - Level Admin :: [GRANTED]
> > > DEBUG 11-21 22:28:48.508 88304 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-6] - Level Admin :: [GRANTED]
> > > DEBUG 11-21 22:28:48.751 88547 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-8] - Level Admin :: [GRANTED]
> > > DEBUG 11-21 22:28:50.412 90208 388 o.a.o.w.a.Application [105-6083-exec-6] - Adding online client: a36ff887-25cd-4774-a5f6-6ceafaaf88db, room: null
> > > DEBUG 11-21 22:28:50.421 90217 145 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior::onConnect [uid: a36ff887-25cd-4774-a5f6-6ceafaaf88db, session: CDD77C3323F2D33735824E1B0FCC0570, key: org.apache.wicket.protocol.ws.api.registry.PageIdKey@0]
> > > DEBUG 11-21 22:28:50.427 90223 154 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior:: pingTimer is attached
> > > DEBUG 11-21 22:28:51.683 91479 255 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - getUserRoom : 1 || conference
> > > DEBUG 11-21 22:28:51.691 91487 263 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - Could not find room 1 || conference
> > > WARN 11-21 22:28:51.693 91489 78 o.a.o.d.d.r.SipDao [105-6083-exec-4] - There is no Asterisk configured
> > > DEBUG 11-21 22:28:51.703 91499 255 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - getUserRoom : 1 || presentation
> > > DEBUG 11-21 22:28:51.706 91502 263 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - Could not find room 1 || presentation
> > > WARN 11-21 22:28:51.706 91502 78 o.a.o.d.d.r.SipDao [105-6083-exec-4] - There is no Asterisk configured
> > > DEBUG 11-21 22:28:51.711 91507 191 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - getAppointedRoomsByUser : UserID - 1
> > >
> > >
> > >
> > >
> > >
> > > Thank you.
> > >
> > >
> > >
> > > Sincerely,
> > >
> > >
> > >
> > > Hemant K. Sabat
> > >
> > >
> > >
> > >
> >
> >
> >
> > --
> > WBR
> > Maxim aka solomax
> >
> >
> >
> >
> >
> >
> >
> > --
> >
> > WBR
> > Maxim aka solomax
> >
> >
>
>
> --
> WBR
> Maxim aka solomax
>
>


-- 
WBR
Maxim aka solomax
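
Added example (not part of the original thread and not OpenMeetings code): one way to answer the question quoted above, whether the session id reaches the browser as a Set-Cookie header or only as a ;jsessionid= URL parameter, and whether a browser behind the proxy would send the cookie back. The host name, the backend context path /openmeetings, the session id and the captured headers are constructed assumptions.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Servlet containers append the id to the path as ";jsessionid=<id>" when URL rewriting is used.
JSESSIONID_IN_URL = re.compile(r";jsessionid=([0-9A-Za-z.\-]+)", re.IGNORECASE)

def path_matches(cookie_path, request_path):
    """Cookie path-match as in RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def session_tracking(browser_url, response_headers):
    """Report where the session id appears and why the browser might not return it."""
    page = urlsplit(browser_url)
    report = {"cookie_id": None, "url_id": None, "problems": []}
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            morsel = jar.get("JSESSIONID")
            if morsel is None:
                continue
            report["cookie_id"] = morsel.value
            # No Path attribute: the browser's default path always covers this request.
            path = morsel["path"] or "/"
            if not path_matches(path, page.path):
                report["problems"].append(f"Path={path} does not cover {page.path}")
            domain = morsel["domain"].lstrip(".").lower()
            host = (page.hostname or "").lower()
            if domain and host != domain and not host.endswith("." + domain):
                report["problems"].append(f"Domain={domain} does not match {host}")
        elif name.lower() == "location":
            found = JSESSIONID_IN_URL.search(value)
            if found:
                report["url_id"] = found.group(1)
    return report

# Constructed capture: the proxy publishes /CoscendCC.Test, the backend is assumed to
# run under /openmeetings and to set the cookie path from its own context path.
SAMPLE_URL = "https://proxy.example/CoscendCC.Test/signin"
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/openmeetings; HttpOnly"),
    ("Location", "/CoscendCC.Test/signin;jsessionid=0123456789ABCDEF0123456789ABCDEF"),
]

if __name__ == "__main__":
    print(session_tracking(SAMPLE_URL, SAMPLE_HEADERS))
```

Feed it the response headers copied from the browser's network tab for the sign-in request; an empty `problems` list with a `cookie_id` present means the cookie itself should be returned on the next request.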
