Hello, Hemant!
Maxim is now on vacation until next Monday.

Thanks,
Vasiliy


13.12.2017 14:43, Coscend@OM wrote:
Dear Maxim,

We have gone one step closer to the solution of this issue.

Could you please guide us to the parameter that stores JSESSIONID that is 
dynamically created for each session in OM? Pointing to the line of code in 
Github would help.  
https://github.com/apache/openmeetings/tree/master/openmeetings-web/src/main/java/org/apache/openmeetings/web/app

It does not seem to be SessionId.

We have to add code to get / fetch it in OM and capture it in proxy server to 
use it for session persistence.

Thank you.

Sincerely,

Hemant K. Sabat
Coscend Communications Solutions
www.Coscend.com
------------------------------------------------------------------
Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, 
Telepresence Services, on the fly…
------------------------------------------------------------------
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages 
from Coscend Communications Solutions' posted at: 
http://www.Coscend.com/Anchor/Common/Terms_and_Conditions.html



-----Original Message-----
From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Wednesday, November 29, 2017 2:32 AM
To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
Subject: Re: Login Issue via Proxy Server from 3.3.1+

https://ci.apache.org/projects/wicket/guide/8.x/single.html#_authentication

On Wed, Nov 29, 2017 at 3:08 PM, Coscend@OM <om.insig...@coscend.com> wrote:

Dear Maxim,



Let me clarify.  To establish an OM session, does OM send a cookie
containing JSESSIONID?

If yes, which file / line of code should we look into to understand
how OM generates a cookie and sends the JSESSIONID?



The proxy server we are using has a different algorithm (from how
Apache HTTPD does) to read cookies and JSESSIONID emitted from OM.
After we understand cookie generation mechanism of OM, we have to
write a proxy rule to read JSESSIONID in our proxy server.



Thank you.



Sincerely,



Hemant K. Sabat










From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Wednesday, November 29, 2017 12:43 AM
To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
Subject: Re: Login Issue via Proxy Server from 3.3.1+



To be fair, I'm not sure what you are asking about .... :(((



On Wed, Nov 29, 2017 at 12:44 PM, Coscend@OM <om.insig...@coscend.com> wrote:

Good Morning, Maxim,

As you advised, we have almost zeroed in on the cause of the login
issue with 4.0.1 via proxy server.  May we seek your favor to solve it further?

Could you help us with the following insights into the code?

(1) Does OM's Red5/Tomcat server send the 'HTTP Response' cookie as
HTTP's Set-Cookie header, or does the server send it embedded in the URL
ONLY, such as
https://coscend.com/CoscendCC.Test/signin;jsessionid=E916C54BB7A9EA30E3EC9021AEF4CB79?

Which file should we look at?  SignInDialog, SignInPage,
OmAuthenticationStrategy, WebSession, Application -- all Java extensions.

(2) Does the client's 'HTTP Request' message send the cookie back as
HTTP's Cookie header, or does it send it embedded in the URL ONLY, such as
https://coscend.com/CoscendCC.Test/signin;jsessionid=E916C54BB7A9EA30E3EC9021AEF4CB79?

Thank you.

Sincerely,

Hemant K. Sabat



-----Original Message-----
From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Wednesday, November 22, 2017 3:13 AM
To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
Subject: Re: Login Issue via Proxy Server from 3.3.1+

AuthLevelUtil grants nothing; this is a very simple utility class to
check user auth level. So "Level Admin :: [GRANTED]" simply means the
particular user was _tested_ to have ADMIN level and the test was
successful. It has nothing to do with your problem.

Your signin request should fail at some level. It is vital to find
what is wrong _before_ fixing .... :)))

On Wed, Nov 22, 2017 at 3:37 PM, Coscend@OM <om.insig...@coscend.com> wrote:

Dear Maxim,



No error in browser dev tools, both console or network tabs.  All HTTP
200 status.  To isolate the cause of login failure, we temporarily
commented out CSRF listener.  (CSRF is an important and useful
feature for us.)



With “HTTPS proxy + OM HTTP”, after executing this line in
SignInDialog.java, it reloads the login page with empty username and
password.

https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/main/java/org/apache/openmeetings/web/pages/auth/SignInDialog.java#L196



1.     Does it reload because of a malformed COOKIE_KEY due to
org.apache.wicket.authentication.strategy.DefaultAuthenticationStrategy?
decode (String value)



2.     In successful login, could you tell us why AuthLevelUtil is called
3 times to grant Admin rights?



Thank you.



Sincerely,



Hemant K. Sabat










From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Wednesday, November 22, 2017 1:34 AM
To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
Subject: Re: Login Issue via Proxy Server from 3.3.1+



Not sure why you have removed CSRF listener, but it is your choice ....



I guess you have an error in your browser console? What is the error?



On Wed, Nov 22, 2017 at 2:27 PM, Coscend@OM <om.insig...@coscend.com> wrote:
Dear Maxim,

Further, the key difference in logs is the line below.  We have been
trying to solve this problem for the past three months since 3.3.1
release.  Therefore, we are seeking to learn the CHANGES in login logic.

SUCCESSFUL login via OM HTTP:  The line below appears 3 times
----------------------------------------------
         DEBUG 11-21 22:28:48.406 88202 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-2] - Level Admin :: [GRANTED]
         DEBUG 11-21 22:28:48.508 88304 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-6] - Level Admin :: [GRANTED]
         DEBUG 11-21 22:28:48.751 88547 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-8] - Level Admin :: [GRANTED]

Are there three checks of rights?

----------
FAILED login via HTTPS proxy + OM HTTP:  This line appears only once
and then reloads the login page.
----------------------------------------------------------
         DEBUG 11-21 22:37:28.914 608710 42 o.a.o.d.u.AuthLevelUtil [05-6083-exec-10] - Level Admin :: [GRANTED]

Here there is only one check for rights.

Thank you.

Sincerely,

Hemant K. Sabat




-----Original Message-----

From: Coscend@OM [mailto:om.insig...@coscend.com]
Sent: Wednesday, November 22, 2017 1:18 AM
To: dev@openmeetings.apache.org
Subject: RE: Login Issue via Proxy Server from 3.3.1+

Dear Maxim,

1) do you have https proxy + http OM ?
YES.
2) what changes did you make to OM config files?
NONE, except commented out CSRF and CSP code in Application.java Lines
245-260
(https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java#L245)


The previous log was from HTTP OM direct (no proxy HTTPS):
successful login


FAILED USE CASE LOG:  Login via HTTPS proxy + HTTP OM
-----------------------------------------------------------------------------------

DEBUG 11-21 22:34:40.966 440762 74 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-4] - getActiveLdapConfigs
DEBUG 11-21 22:37:28.400 608196 594 o.a.o.d.d.u.UserDao [05-6083-exec-10] - login:: 1 users were found
DEBUG 11-21 22:37:28.893 608689 42 o.a.o.d.u.AuthLevelUtil [05-6083-exec-10] - Level Login :: [GRANTED]
DEBUG 11-21 22:37:28.894 608690 611 o.a.o.d.d.u.UserDao [05-6083-exec-10] - loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend, deleted=false], user=User [id=1, firstname=firstname, lastname=lastname, login=Coscendtest, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=...@Coscend.com, phone=null], externalId=null, externalType=null, type=user]]]
DEBUG 11-21 22:37:28.894 608690 619 o.a.o.d.d.u.UserDao [05-6083-exec-10] - User login - after all ifs - u User [id=1, firstname=firstname, lastname=lastname, login=Coscendtest, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=i...@coscend.com, phone=null], externalId=null, externalType=null, type=user]
DEBUG 11-21 22:37:28.914 608710 42 o.a.o.d.u.AuthLevelUtil [05-6083-exec-10] - Level Admin :: [GRANTED]
DEBUG 11-21 22:37:28.915 608711 178 o.a.o.w.a.WebSession [05-6083-exec-10] - userId: 1
DEBUG 11-21 22:37:28.979 608775 114 o.a.o.w.p.a.SignInPage [105-6083-exec-4] - pp: org.apache.wicket.protocol.http.servlet.ServletWebRequest$1@4de5c338
DEBUG 11-21 22:37:28.980 608776 156 o.a.o.w.a.WebSession [105-6083-exec-4] - data: null
DEBUG 11-21 22:37:28.998 608794 147 o.a.o.w.p.a.SignInPage [105-6083-exec-4] - r: [RegisterDialog [Component id = register]]


Thank you.

Sincerely,

Hemant K. Sabat




-----Original Message-----
From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Wednesday, November 22, 2017 12:38 AM
To: dev <dev@openmeetings.apache.org>; om.insig...@coscend.com
Subject: Re: Login Issue via Proxy Server from 3.3.1+

I see no issues in your log, is it filtered?
Also I need more details on your configuration:
1) do you have https proxy + http OM ?
2) what changes did you make to OM config files?

On Wed, Nov 22, 2017 at 1:23 PM, Coscend@OM <om.insig...@coscend.com> wrote:
Dear OpenMeetings Developers,



We would appreciate any vectors regarding this issue we have been
facing since OpenMeetings 3.3.1 release.



1.     We are able to successfully login into OM DIRECTLY (without
proxy server) all versions including 4.0.1-SNAPSHOT.

2.     Via a proxy server, we are unable to login into versions 3.3.1
and later.  Upon clicking on submit button, it reloads the login page
with empty username and password fields.  The browser dev gives
status 200 with no exceptions.  The proxy logs give status 200.

In 3.3.0, CSRF and other security features were introduced.  Our
proxy server has these configurations including redirect rule to
same origin for HTTP request.





SEEKING GUIDANCE:  LOGIN LOGIC IN 3.3.1+ / 4.0.1

--------------------------------------------------------------------------

Could someone describe the "changes in LOGIN LOGIC" from v. 3.3.1
onwards (which is also in v. 4.0.1)?



Process flow:



To isolate the issue, content security policy code was commented
out in Application.java before compilation.



Om-web/./web/app/Websession.java

Om-web/./web/pages/auth/SignInPage.java --> calls
SignInDialog.java

Om-db/./dao/user/UserDao.java

Om-db/./dao/util/AuthLevelUtil.java - Level Admin :: [GRANTED]

[ ==> IT IS FAILING HERE during login via proxy server.  It goes back
and reloads the login page with empty fields. ]



Om-db/./dao/util/AuthLevelUtil.java - Level Admin :: [GRANTED]

Om-db/./dao/util/AuthLevelUtil.java - Level Admin :: [GRANTED]

Om-web/./web/app/Application.java

Om-web/./web/common/MainPanel.java  --> home page loads



DETAILED LOGS

DEBUG 11-21 22:27:38.412 18208 74 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-2] - getActiveLdapConfigs

DEBUG 11-21 22:28:47.783 87579 594 o.a.o.d.d.u.UserDao [105-6083-exec-2] - login:: 1 users were found

DEBUG 11-21 22:28:47.791 87587 39 o.a.o.u.c.CryptProvider [105-6083-exec-2] - getInstanceOfCrypt:: configKeyCryptClassName: org.apache.openmeetings.util.crypt.SCryptImplementation

DEBUG 11-21 22:28:48.365 88161 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-2] - Level Login :: [GRANTED]

DEBUG 11-21 22:28:48.374 88170 611 o.a.o.d.d.u.UserDao [105-6083-exec-2] - loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend, deleted=false], user=User [id=1, firstname=firstname, lastname=lastname, login=Coscendtest, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=i...@coscend.com, phone=null], externalId=null, externalType=null, type=user]]]

DEBUG 11-21 22:28:48.406 88202 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-2] - Level Admin :: [GRANTED]

DEBUG 11-21 22:28:48.508 88304 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-6] - Level Admin :: [GRANTED]

DEBUG 11-21 22:28:48.751 88547 42 o.a.o.d.u.AuthLevelUtil [105-6083-exec-8] - Level Admin :: [GRANTED]

DEBUG 11-21 22:28:50.412 90208 388 o.a.o.w.a.Application [105-6083-exec-6] - Adding online client: a36ff887-25cd-4774-a5f6-6ceafaaf88db, room: null

DEBUG 11-21 22:28:50.421 90217 145 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior::onConnect [uid: a36ff887-25cd-4774-a5f6-6ceafaaf88db, session: CDD77C3323F2D33735824E1B0FCC0570, key: org.apache.wicket.protocol.ws.api.registry.PageIdKey@0]

DEBUG 11-21 22:28:50.427 90223 154 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior:: pingTimer is attached

DEBUG 11-21 22:28:51.683 91479 255 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - getUserRoom : 1 || conference

DEBUG 11-21 22:28:51.691 91487 263 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - Could not find room 1 || conference

WARN 11-21 22:28:51.693 91489 78 o.a.o.d.d.r.SipDao [105-6083-exec-4] - There is no Asterisk configured

DEBUG 11-21 22:28:51.703 91499 255 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - getUserRoom : 1 || presentation

DEBUG 11-21 22:28:51.706 91502 263 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - Could not find room 1 || presentation

WARN 11-21 22:28:51.706 91502 78 o.a.o.d.d.r.SipDao [105-6083-exec-4] - There is no Asterisk configured

DEBUG 11-21 22:28:51.711 91507 191 o.a.o.d.d.r.RoomDao [105-6083-exec-4] - getAppointedRoomsByUser : UserID - 1





Thank you.



Sincerely,



Hemant K. Sabat












--
WBR
Maxim aka solomax
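
The two carriers asked about in questions (1) and (2) of the thread, the Set-Cookie / Cookie headers versus a ";jsessionid=" URL path parameter, read the way a proxy would need to for session persistence. This is an added example, not OpenMeetings code and not part of any message above; the StickyTable class, the backend name "om-1" and the cookie attributes are assumptions, and header names are matched case-sensitively to keep it short.

```python
import re
from http.cookies import CookieError, SimpleCookie
from urllib.parse import urlsplit

# Servlet containers carry the session id either in a JSESSIONID cookie or,
# with URL rewriting, as a ";jsessionid=" path parameter.
_PATH_PARAM = re.compile(r";jsessionid=([^;/?#]+)", re.IGNORECASE)


def id_from_cookie_header(value):
    """JSESSIONID from a Cookie or Set-Cookie header value, or None."""
    if not value:
        return None
    jar = SimpleCookie()
    try:
        jar.load(value)
    except CookieError:
        return None
    morsel = jar.get("JSESSIONID")
    return morsel.value if morsel is not None else None


def id_from_url(url):
    """JSESSIONID from a ';jsessionid=' path parameter, or None."""
    match = _PATH_PARAM.search(urlsplit(url or "").path)
    return match.group(1) if match else None


class StickyTable:
    """Hypothetical proxy-side map: session id -> backend that issued it."""

    def __init__(self):
        self._backend_by_sid = {}

    def learn(self, backend, response_headers):
        """Record the id a backend issued via Set-Cookie or a rewritten Location."""
        sid = (id_from_cookie_header(response_headers.get("Set-Cookie"))
               or id_from_url(response_headers.get("Location")))
        if sid:
            self._backend_by_sid[sid] = backend
        return sid

    def route(self, request_url, request_headers):
        """Pick the backend for a request; the Cookie header wins over the URL."""
        sid = (id_from_cookie_header(request_headers.get("Cookie"))
               or id_from_url(request_url))
        return self._backend_by_sid.get(sid)


# Constructed sample traffic; the URL and id are the ones quoted in the thread,
# the backend name "om-1" and the cookie attributes are assumptions.
SID = "E916C54BB7A9EA30E3EC9021AEF4CB79"
URL = "https://coscend.com/CoscendCC.Test/signin;jsessionid=" + SID
table = StickyTable()
table.learn("om-1", {"Set-Cookie": f"JSESSIONID={SID}; Path=/CoscendCC.Test; HttpOnly"})
```

A session id carried in the URL also lands in proxy access logs and Referer headers, so where both carriers are present the cookie is the one to persist on.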







Reply via email to