Posted to dev@openmeetings.apache.org by Alexei Fedotov <al...@gmail.com> on 2012/09/06 16:10:13 UTC

A new feature to be discussed

Hello folks,

I think of Openmeetings marketing. I suggest the following feature which
serves mostly for marketing purposes. For some special case I want to get
rid of the hash. The secure hash makes things more secure, and more complex.
We need some form of lightweight integration people can try themselves.

The suggested interface is the following:
<iframe src="http://demo.dataved.ru/openmeetings/?public=1&firstname=UrlEncodedFirstName&lastname=UrlEncodedLastName&language=LanguageNumber"></iframe>

It works best with 80 port tunnelling. The simpler the URL is, the more people
will try it and put into their web sites. We get more users, more testing
and, maybe, more contributors.

Here is some data I used to come to the feature:
1. Monitoring of google search results for "embed videoconference into your
web site".
2. Jitsi plug-in where I invented special "SOAP proxy" for requesting the
hash due to very special network configuration our client uses.
3. A request from a web portal to embed the web conference. They do not
embed html5 banners because it is too complex, only swf or gif.
4. Discussions with Maxim.
5. Most of our clients use one room per server.

DDOS/security problem workarounds:
the feature is switched off by default, we enable it on demo servers with
free registration
the "public" server room has a limited number of users by default, so one
can expect no more than

Sebastian, folks,
is it ok to have this feature in the main branch?

--
With best regards / с наилучшими пожеланиями,
Alexei Fedotov / Алексей Федотов,
http://dataved.ru/
+7 916 562 8095

BTW, at some point we may start using standard language codes instead of
numbers.

Re: A new feature to be discussed

Posted by Alexei Fedotov <al...@gmail.com>.
Hello Sebastian,
I found a solution. We can have a separate proxy server for serving these
"simplified" requests.

Ok, let's keep it out of the releases.

--
With best regards / с наилучшими пожеланиями,
Alexei Fedotov / Алексей Федотов,
http://dataved.ru/
+7 916 562 8095



On Thu, Sep 6, 2012 at 6:50 PM, seba.wagner@gmail.com <seba.wagner@gmail.com> wrote:

> Hi Alexei,
>
> my idea was to generate an SDK that does the SOAP/REST API calls for the
> user.
> Your task has several security issues that we will not be able to push
> to a public version:
> The URL you are talking about would contain the SOAP/REST or even admin
> user.
> So by simply looking at the URL the user would have all access rights
> to the OpenMeetings server.
>
> It is essential that the entity that does the SOAP/REST API call is
> NOT the end user that enters the conference room.
> That is why all those SOAP API calls are implemented in PHP and not in
> JavaScript. You would never give any end user your SOAP/REST API
> credentials.
> The calls to integrate should always happen from server to server.
>
> Sebastian
>
>
>
>
> --
> Sebastian Wagner
> https://twitter.com/#!/dead_lock
> http://www.webbase-design.de
> http://www.wagner-sebastian.com
> seba.wagner@gmail.com
>

Re: A new feature to be discussed

Posted by Maxim Solodovnik <so...@gmail.com>.
Alexey is talking about "guest" access to the public room with no
1) registration
2) hash

URL used to implement such access has no credentials of any kind
but "display" name of given "guest" user.

As far as I understand

On Thu, Sep 6, 2012 at 9:50 PM, seba.wagner@gmail.com <seba.wagner@gmail.com> wrote:

> Hi Alexei,
>
> my idea was to generate an SDK that does the SOAP/REST API calls for the
> user.
> Your task has several security issues that we will not be able to push
> to a public version:
> The URL you are talking about would contain the SOAP/REST or even admin
> user.
> So by simply looking at the URL the user would have all access rights
> to the OpenMeetings server.
>
> It is essential that the entity that does the SOAP/REST API call is
> NOT the end user that enters the conference room.
> That is why all those SOAP API calls are implemented in PHP and not in
> JavaScript. You would never give any end user your SOAP/REST API
> credentials.
> The calls to integrate should always happen from server to server.
>
> Sebastian
>
>
>
>
> --
> Sebastian Wagner
> https://twitter.com/#!/dead_lock
> http://www.webbase-design.de
> http://www.wagner-sebastian.com
> seba.wagner@gmail.com
>



-- 
WBR
Maxim aka solomax

Re: A new feature to be discussed

Posted by "seba.wagner@gmail.com" <se...@gmail.com>.
Hi Alexei,

my idea was to generate an SDK that does the SOAP/REST API calls for the user.
Your task has several security issues that we will not be able to push
to a public version:
The URL you are talking about would contain the SOAP/REST or even admin user.
So by simply looking at the URL the user would have all access rights
to the OpenMeetings server.

It is essential that the entity that does the SOAP/REST API call is
NOT the end user that enters the conference room.
That is why all those SOAP API calls are implemented in PHP and not in
JavaScript. You would never give any end user your SOAP/REST API
credentials.
The calls to integrate should always happen from server to server.

Sebastian




-- 
Sebastian Wagner
https://twitter.com/#!/dead_lock
http://www.webbase-design.de
http://www.wagner-sebastian.com
seba.wagner@gmail.com
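
The server-to-server pattern described in the message above, as an added example that is not part of the thread or of the OpenMeetings code base: the portal backend holds the integration credential, asks the conference server for a room hash, and hands the browser a URL that carries only that single-use, expiring hash. `ConferenceServer`, `generate_room_hash`, `enter_room`, the `hash` query parameter, the credentials and the URL are hypothetical stand-ins, not the OpenMeetings API.

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed values: the integration credential lives only in the portal backend.
API_USER = "integration-user"
API_PASSWORD = "integration-password"


class ConferenceServer:
    """Hypothetical stand-in for the conference server's integration API."""

    def __init__(self, api_user, api_password, ttl_seconds=60):
        self._creds = (api_user.encode(), api_password.encode())
        self._ttl = ttl_seconds
        self._pending = {}  # hash -> (room_id, display_name, expires_at)

    def generate_room_hash(self, api_user, api_password, room_id, display_name, now=None):
        # Server-to-server call: only a caller holding the credential gets a hash.
        user_ok = secrets.compare_digest(api_user.encode(), self._creds[0])
        pass_ok = secrets.compare_digest(api_password.encode(), self._creds[1])
        if not (user_ok and pass_ok):
            raise PermissionError("bad integration credentials")
        now = time.time() if now is None else now
        room_hash = secrets.token_urlsafe(32)
        self._pending[room_hash] = (room_id, display_name, now + self._ttl)
        return room_hash

    def enter_room(self, room_hash, now=None):
        # Browser-side entry: the hash is removed on first use and rejected once expired.
        now = time.time() if now is None else now
        entry = self._pending.pop(room_hash, None)
        if entry is None or now > entry[2]:
            return None
        return {"room_id": entry[0], "display_name": entry[1]}


def build_embed_url(server, base_url, room_id, display_name):
    """Runs in the portal backend; the returned URL is all the end user sees."""
    room_hash = server.generate_room_hash(API_USER, API_PASSWORD, room_id, display_name)
    return base_url + "?" + urlencode({"hash": room_hash})


if __name__ == "__main__":
    srv = ConferenceServer(API_USER, API_PASSWORD)
    print(build_embed_url(srv, "https://conference.example/", 7, "Guest User"))
```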