Dear Maxim,

Let me clarify.  To establish an OM session, does OM send a cookie containing 
JSESSIONID?

If yes, which file / line of code should we look into to understand how OM 
generates a cookie and sends the JSESSIONID?

The proxy server we are using has a different algorithm (from how Apache HTTPD 
does) to read cookies and JSESSIONID emitted from OM.  After we understand the 
cookie generation mechanism of OM, we have to write a proxy rule to read 
JSESSIONID in our proxy server.

Thank you.

Sincerely,

Hemant K. Sabat

Coscend Communications Solutions
www.Coscend.com

------------------------------------------------------------------

Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, 
Telepresence Services, on the fly…

------------------------------------------------------------------

CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages 
from Coscend Communications Solutions' posted at: 
http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html

From: Maxim Solodovnik [mailto:solomax...@gmail.com] 
Sent: Wednesday, November 29, 2017 12:43 AM
To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
Subject: Re: Login Issue via Proxy Server from 3.3.1+

To be fair, I'm not sure what you are asking about .... :(((

On Wed, Nov 29, 2017 at 12:44 PM, Coscend@OM <om.insig...@coscend.com> wrote:

Good Morning, Maxim,

As you advised, we have almost zeroed in on the cause of the login issue with 
4.0.1 via proxy server.  May we seek your favor to solve it further?

Could you help us with the following insights into the code?

(1) Does OM's Red5/Tomcat server send the 'HTTP Response' cookie as HTTP's 
Set-Cookie header,
or does the server send it embedded in the URL ONLY, such as 
https://coscend.com/CoscendCC.Test/signin;jsessionid=E916C54BB7A9EA30E3EC9021AEF4CB79

Which file should we look at?  SignInDialog, SignInPage, 
OmAuthenticationStrategy, WebSession, Application -- all Java extensions.

(2) Does the client's 'HTTP Request' message send the cookie back as HTTP's 
Cookie header,
or does it send it embedded in the URL ONLY, such as 
https://coscend.com/CoscendCC.Test/signin;jsessionid=E916C54BB7A9EA30E3EC9021AEF4CB79?

Thank you.

Sincerely,

Hemant K. Sabat

Coscend Communications Solutions

-----Original Message-----
From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Wednesday, November 22, 2017 3:13 AM
To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
Subject: Re: Login Issue via Proxy Server from 3.3.1+

AuthLevelUtil grants nothing; this is a very simple utility class to check 
user auth level.
So "Level Admin :: [GRANTED]" simply means a particular user was _tested_ to 
have ADMIN level and the test was successful.
It has nothing to do with your problem.

Your signin request should fail at some level. It is vital to find what is 
wrong _before_ fixing .... :)))

On Wed, Nov 22, 2017 at 3:37 PM, Coscend@OM <om.insig...@coscend.com> wrote:

> Dear Maxim,
>
>
>
> No error in browser dev tools, both console or network tabs.  All HTTP
> 200 status.  To isolate the cause of login failure, we temporarily
> commented out CSRF listener.  (CSRF is an important and useful feature
> for us.)
>
>
>
> With “HTTPS proxy+ OM HTTP”, after executing this line in
> SignInDialog.java, it reloads the login page with empty username and
> password.
>
> https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/main/java/org/apache/openmeetings/web/pages/auth/SignInDialog.java#L196
>
>
>
> 1.     Does it reload because of a malformed COOKIE_KEY due to
> org.apache.wicket.authentication.strategy.DefaultAuthenticationStrategy?
> decode (String value)
>
>
>
> 2.     In successful login, could you tell us why AuthLevelUtil is called
> 3 times to grant Admin rights?
>
>
>
> Thank you.
>
>
>
> Sincerely,
>
>
>
> Hemant K. Sabat
>
>
>
> Coscend Communications Solutions
>
>
> From: Maxim Solodovnik [mailto:solomax...@gmail.com]
> Sent: Wednesday, November 22, 2017 1:34 AM
> To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
> Subject: Re: Login Issue via Proxy Server from 3.3.1+
>
>
>
> Not sure why you have removed CSRF listener, but it is your choice ....
>
>
>
> I guess you have an error in your browser console? What is the error?
>
>
>
> On Wed, Nov 22, 2017 at 2:27 PM, Coscend@OM <om.insig...@coscend.com> wrote:
>
> Dear Maxim,
>
> Further, the key difference in logs is the line below.  We have been
> trying to solve this problem for the past three months since 3.3.1
> release.  Therefore, we are seeking to learn the CHANGES in login logic.
>
> SUCCESSFUL login via OM HTTP:  The line below appears 3 times
> ----------------------------------------------
>         DEBUG 11-21 22:28:48.406 88202 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-2] - Level Admin :: [GRANTED]
>         DEBUG 11-21 22:28:48.508 88304 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-6] - Level Admin :: [GRANTED]
>         DEBUG 11-21 22:28:48.751 88547 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-8] - Level Admin :: [GRANTED]
>
> Are there three checks of rights?
>
> ----------
> FAILED login via HTTPS proxy + OM HTTP:  This line appears only once
> and then reloads the login page.
> ----------------------------------------------------------
>         DEBUG 11-21 22:37:28.914 608710 42 o.a.o.d.u.AuthLevelUtil [05-6083-exec-10] - Level Admin :: [GRANTED]
>
> Here there is only one check for rights.
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat
>
> Coscend Communications Solutions
>
> -----Original Message-----
>
> From: Coscend@OM [mailto:om.insig...@coscend.com]
> Sent: Wednesday, November 22, 2017 1:18 AM
> To: dev@openmeetings.apache.org
> Subject: RE: Login Issue via Proxy Server from 3.3.1+
>
> Dear Maxim,
>
> 1) do you have https proxy + http OM ?
> YES.
> 2) what changes did you make to OM config files?
> NONE,
> except commented out CSRF and CSP code in Application.java Lines
> 245-260 ( https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java#L245 )
>
>
> The previous log was from HTTP OM direct (no proxy HTTPS):  successful
> login
>
>
> FAILED USE CASE LOG:  Login via HTTPS proxy + HTTP OM
> -----------------------------------------------------------------------------------
>
> DEBUG 11-21 22:34:40.966 440762 74 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-4] - getActiveLdapConfigs
> DEBUG 11-21 22:37:28.400 608196 594 o.a.o.d.d.u.UserDao [05-6083-exec-10] - login:: 1 users were found
> DEBUG 11-21 22:37:28.893 608689 42 o.a.o.d.u.AuthLevelUtil [05-6083-exec-10] - Level Login :: [GRANTED]
> DEBUG 11-21 22:37:28.894 608690 611 o.a.o.d.d.u.UserDao [05-6083-exec-10] - loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend, deleted=false], user=User [id=1, firstname=firstname, lastname=lastname, login=Coscendtest, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=...@Coscend.com, phone=null], externalId=null, externalType=null, type=user]]]
> DEBUG 11-21 22:37:28.894 608690 619 o.a.o.d.d.u.UserDao [05-6083-exec-10] - User login - after all ifs - u User [id=1, firstname=firstname, lastname=lastname, login=Coscendtest, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=i...@coscend.com, phone=null], externalId=null, externalType=null, type=user]
> DEBUG 11-21 22:37:28.914 608710 42 o.a.o.d.u.AuthLevelUtil [05-6083-exec-10] - Level Admin :: [GRANTED]
> DEBUG 11-21 22:37:28.915 608711 178 o.a.o.w.a.WebSession [05-6083-exec-10] - userId: 1
> DEBUG 11-21 22:37:28.979 608775 114 o.a.o.w.p.a.SignInPage [105-6083-exec-4] - pp: org.apache.wicket.protocol.http.servlet.ServletWebRequest$1@4de5c338
> DEBUG 11-21 22:37:28.980 608776 156 o.a.o.w.a.WebSession [105-6083-exec-4] - data: null
> DEBUG 11-21 22:37:28.998 608794 147 o.a.o.w.p.a.SignInPage [105-6083-exec-4] - r: [RegisterDialog [Component id = register]]
>
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat
>
> Coscend Communications Solutions
>
> -----Original Message-----
> From: Maxim Solodovnik [mailto:solomax...@gmail.com]
> Sent: Wednesday, November 22, 2017 12:38 AM
> To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
> Subject: Re: Login Issue via Proxy Server from 3.3.1+
>
> I see no issues in your log, is it filtered?
> Also I need more details on your configuration:
> 1) do you have https proxy + http OM ?
> 2) what changes did you make to OM config files?
>
> On Wed, Nov 22, 2017 at 1:23 PM, Coscend@OM <om.insig...@coscend.com> wrote:
>
> > Dear OpenMeetings Developers,
> >
> >
> >
> > We would appreciate any vectors regarding this issue we have been
> > facing since OpenMeetings 3.3.1 release.
> >
> >
> >
> > 1.     We are able to successfully login into OM DIRECTLY (without proxy
> > server) all versions including 4.0.1-SNAPSHOT.
> >
> > 2.     Via a proxy server, we are unable to login into versions 3.3.1 and
> > later.  Upon clicking on submit button, it reloads the login page
> > with empty username and password fields.  The browser dev gives
> > status 200 with no exceptions.  The proxy logs give status 200.
> >
> > In 3.3.0, CSRF and other security features were introduced.  Our
> > proxy server has these configurations including redirect rule to
> > same origin for HTTP request.
> >
> >
> >
> >
> >
> > SEEKING GUIDANCE:  LOGIN LOGIC IN 3.3.1+ / 4.0.1
> >
> > --------------------------------------------------------------------------
> >
> > Could someone describe the "changes in LOGIN LOGIC" from v. 3.3.1
> > onwards (which is also in v. 4.0.1)?
> >
> >
> >
> > Process flow:
> >
> >
> >
> > To isolate the issue, content security policy code was commented out
> > in Application.java before compilation.
> >
> >
> >
> > Om-web/./web/app/Websession.java
> >
> > Om-web/./web/pages/auth/SignInPage.java --> calls SignInDialog.java
> >
> > Om-db/./dao/user/UserDao.java
> >
> > Om-db/./dao/util/AuthLevelUtil.java - Level Admin :: [GRANTED]
> >
> > [ ==> IT IS FAILING HERE during login via proxy server.  It goes back
> > and reloads the login page with empty fields. ]
> >
> >
> >
> > Om-db/./dao/util/AuthLevelUtil.java - Level Admin :: [GRANTED]
> >
> > Om-db/./dao/util/AuthLevelUtil.java - Level Admin :: [GRANTED]
> >
> > Om-web/./web/app/Application.java
> >
> > Om-web/./web/common/MainPanel.java  --> home page loads
> >
> >
> >
> > DETAILED LOGS
> >
> > DEBUG 11-21 22:27:38.412 18208 74 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-2] - getActiveLdapConfigs
> > DEBUG 11-21 22:28:47.783 87579 594 o.a.o.d.d.u.UserDao [105-6083-exec-2] - login:: 1 users were found
> > DEBUG 11-21 22:28:47.791 87587 39 o.a.o.u.c.CryptProvider [105-6083-exec-2] - getInstanceOfCrypt:: configKeyCryptClassName: org.apache.openmeetings.util.crypt.SCryptImplementation
> > DEBUG 11-21 22:28:48.365 88161 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-2] - Level Login :: [GRANTED]
> > DEBUG 11-21 22:28:48.374 88170 611 o.a.o.d.d.u.UserDao [105-6083-exec-2] - loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend, deleted=false], user=User [id=1, firstname=firstname, lastname=lastname, login=Coscendtest, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=i...@coscend.com, phone=null], externalId=null, externalType=null, type=user]]]
> > DEBUG 11-21 22:28:48.406 88202 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-2] - Level Admin :: [GRANTED]
> > DEBUG 11-21 22:28:48.508 88304 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-6] - Level Admin :: [GRANTED]
> > DEBUG 11-21 22:28:48.751 88547 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-8] - Level Admin :: [GRANTED]
> > DEBUG 11-21 22:28:50.412 90208 388 o.a.o.w.a.Application [105-6083-exec-6] - Adding online client: a36ff887-25cd-4774-a5f6-6ceafaaf88db, room: null
> > DEBUG 11-21 22:28:50.421 90217 145 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior::onConnect [uid: a36ff887-25cd-4774-a5f6-6ceafaaf88db, session: CDD77C3323F2D33735824E1B0FCC0570, key: org.apache.wicket.protocol.ws.api.registry.PageIdKey@0]
> > DEBUG 11-21 22:28:50.427 90223 154 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior:: pingTimer is attached
> > DEBUG 11-21 22:28:51.683 91479 255 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - getUserRoom : 1 || conference
> > DEBUG 11-21 22:28:51.691 91487 263 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - Could not find room 1 || conference
> > WARN 11-21 22:28:51.693 91489 78 o.a.o.d.d.r.SipDao [105-6083-exec-4] - There is no Asterisk configured
> > DEBUG 11-21 22:28:51.703 91499 255 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - getUserRoom : 1 || presentation
> > DEBUG 11-21 22:28:51.706 91502 263 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - Could not find room 1 || presentation
> > WARN 11-21 22:28:51.706 91502 78 o.a.o.d.d.r.SipDao [105-6083-exec-4] - There is no Asterisk configured
> > DEBUG 11-21 22:28:51.711 91507 191 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - getAppointedRoomsByUser : UserID - 1
> >
> >
> >
> >
> >
> > Thank you.
> >
> >
> >
> > Sincerely,
> >
> >
> >
> > Hemant K. Sabat
> >
> >
> >
> > Coscend Communications Solutions
>
>
>
> --
> WBR
> Maxim aka solomax
>
> --
>
> WBR
> Maxim aka solomax
>
>


--
WBR
Maxim aka solomax
-- 

WBR
Maxim aka solomax
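
The two questions in this thread (is the session id carried in a `Set-Cookie` header or in a `;jsessionid=` URL parameter, and will the browser send it back through the proxy) can be checked on a captured backend response. The following is an added example, not part of the original messages and not OpenMeetings code; the host names, the `/openmeetings` and `/app` paths and the session id are constructed sample values.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Servlet containers put the id in a path parameter when rewriting URLs.
JSESSIONID_PARAM = re.compile(r";jsessionid=([0-9A-Za-z.\-]+)", re.IGNORECASE)

def path_matches(request_path, cookie_path):
    """RFC 6265 path-match: would the browser return the cookie here?"""
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

def domain_matches(host, cookie_domain):
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)

def analyze(public_url, backend_headers):
    """Classify session tracking in one backend response, judged from the
    browser's side: public_url is what it requested through the proxy."""
    pub = urlsplit(public_url)
    req_path = pub.path.split(";")[0] or "/"
    out = {"cookie_id": None, "url_id": None, "problems": []}
    for name, value in backend_headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            if "JSESSIONID" not in jar:
                continue
            c = jar["JSESSIONID"]
            out["cookie_id"] = c.value
            if c["path"] and not path_matches(req_path, c["path"]):
                out["problems"].append("cookie-path-mismatch")
            if c["domain"] and not domain_matches(pub.hostname, c["domain"]):
                out["problems"].append("cookie-domain-mismatch")
            if c["secure"] and pub.scheme != "https":
                out["problems"].append("secure-cookie-on-http")
        elif name.lower() == "location":
            m = JSESSIONID_PARAM.search(value)
            if m:
                out["url_id"] = m.group(1)
            loc = urlsplit(value)
            if loc.netloc and loc.netloc != pub.netloc:
                out["problems"].append("location-leaks-backend-origin")
    return out

# Constructed sample data: the same response before and after proxy rewriting.
SID = "0123456789ABCDEF0123456789ABCDEF"
PUBLIC_URL = "https://proxy.example/app/signin"
AS_SENT_BY_BACKEND = [
    ("Set-Cookie", f"JSESSIONID={SID}; Path=/openmeetings; HttpOnly"),
    ("Location", f"http://10.0.0.5:5080/openmeetings/signin;jsessionid={SID}"),
]
AFTER_PROXY_REWRITE = [
    ("Set-Cookie", f"JSESSIONID={SID}; Path=/app; Secure; HttpOnly"),
    ("Location", "https://proxy.example/app/signin"),
]
```

On Apache HTTPD the rewrites that turn the first sample into the second are done with `ProxyPassReverse` and `ProxyPassReverseCookiePath`; another proxy needs equivalent rules for the `Location` header and the cookie `Path`.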
