You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@openmeetings.apache.org by "Coscend@OM" <OM...@Coscend.com> on 2017/09/20 20:56:40 UTC

3.3.2 Snapshot: Login not Posting via Proxy

Dear OpenMeetings Users,

 

We would appreciate any vectors to resolve the following issue:

 

We successfully installed, configured, logged in OM 3.3.2 Snapshot 

1.     Internally, i.e., http://IP:port/openmeetings

2.     Externally, i.e., http://<our.FQDN.name>:port/openmeetings

OM logs have a line:   

DEBUG 09-20 14:45:14.219 221956 388 o.a.o.w.a.Application [105-6083-exec-2]
- Adding online client: 63e8a860-65c6-4687-a7e0-ca435ca21ec6, room: null

 

ISSUE

--------

However, we are unable to login to OM 3.3.2 Snapshot via Proxy server.
When we click on submit username/password, it reloads the login page.  

OM logs are MISSING this line:  "Adding online client:."

 

 

QUESTIONS

--------

 

1.     What has changed between OM 3.3.2 and 3.3.0 that does not POST login
credentials?  Anything to do with Session variables and session request
handlers?

2.     We have used the proxy server settings that are working perfectly
with OM 3.3.0 in which CSRF and CSP, XSS were introduced.

Alteametasoft Demo server:  What additional proxy settings needed to be
added to Apache Web server to enable OM 3.3.2?

 

Source of proxy server settings:  

i)              CSRF:  http://markmail.org/message/o4szinpxt4e2tzch

ii)             Proxy logging:  http://markmail.org/message/mft3m5bdjeqxwicw


 

Thank you.

 

Sincerely,

 

Hemant K. Sabat

 

Coscend Communications Solutions

www.Coscend.com <http://www.coscend.com/>

------------------------------------------------------------------

Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education,
Telepresence Services, on the fly.

------------------------------------------------------------------

CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
Messages from Coscend Communications Solutions' posted at:
http://www.Coscend.com/Terms_and_Conditions.html

 

 

 




Re: 3.3.2 Snapshot: Login not Posting via Proxy

Posted by Maxim Solodovnik <so...@gmail.com>.
4.0.0 snapshots:
https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/
3.3.x snapshots:
https://builds.apache.org/view/M-R/view/OpenMeetings/job/Openmeetings%203.3.x/

3.3.2 was released (not announced yet)

On Thu, Sep 21, 2017 at 12:47 PM, Hossein Dehghanpoor <
hossein.dehghanpoor@gmail.com> wrote:

> how can we download version 3.3.2 or 4.0.0 snapshots?
>
> On Thu, Sep 21, 2017 at 10:11 AM, Maxim Solodovnik <so...@gmail.com>
> wrote:
>
>> In case of CSRF you should have the record in the logs CSRF was violated
>> Is it the case?
>>
>> On Thu, Sep 21, 2017 at 3:56 AM, Coscend@OM <OM...@coscend.com>
>> wrote:
>>
>>> Dear OpenMeetings Users,
>>>
>>>
>>>
>>> We would appreciate any vectors to resolve the following issue:
>>>
>>>
>>>
>>> We successfully installed, configured, logged in OM 3.3.2 Snapshot
>>>
>>> 1.     Internally, i.e., http://IP:port/openmeetings
>>>
>>> 2.     Externally, i.e., http://<our.FQDN.name>:port/openmeetings
>>>
>>> OM logs have a line:
>>>
>>> DEBUG 09-20 14:45:14.219 221956 388 o.a.o.w.a.Application
>>> [105-6083-exec-2] - Adding online client: 63e8a860-65c6-4687-a7e0-ca435ca21ec6,
>>> room: null
>>>
>>>
>>>
>>> ISSUE
>>>
>>> --------
>>>
>>> However, we are unable to login to OM 3.3.2 Snapshot via Proxy server.
>>>   When we click on submit username/password, it reloads the login page.
>>>
>>> OM logs are MISSING this line:  “Adding online client:…”
>>>
>>>
>>>
>>>
>>>
>>> QUESTIONS
>>>
>>> --------
>>>
>>>
>>>
>>> 1.     What has changed between OM 3.3.2 and 3.3.0 that does not POST
>>> login credentials?  Anything to do with Session variables and session
>>> request handlers?
>>>
>>> 2.     We have used the proxy server settings that are working
>>> perfectly with OM 3.3.0 in which CSRF and CSP, XSS were introduced.
>>>
>>> Alteametasoft Demo server:  What additional proxy settings needed to be
>>> added to Apache Web server to enable OM 3.3.2?
>>>
>>>
>>>
>>> Source of proxy server settings:
>>>
>>> i)              CSRF:  http://markmail.org/message/o4szinpxt4e2tzch
>>>
>>> ii)             Proxy logging:  http://markmail.org/message/mft3m5bdjeqxwicw
>>>
>>>
>>>
>>> Thank you.
>>>
>>>
>>>
>>> Sincerely,
>>>
>>>
>>>
>>> Hemant K. Sabat
>>>
>>>
>>
>>
>>
>> --
>> WBR
>> Maxim aka solomax
>>
>
>


-- 
WBR
Maxim aka solomax

RE: 3.3.2 Snapshot: Login not Posting via Proxy

Posted by "Coscend@OM" <OM...@Coscend.com>.
Dear Hossein,

 

4.0.0:  https://git-wip-us.apache.org/repos/asf?p=openmeetings.git

3.3.2 from mirror:  https://builds.apache.org/view/M-R/view/OpenMeetings/

 

 

Thank you.

 

Sincerely,

 

Hemant K. Sabat

 


From: Hossein Dehghanpoor [mailto:hossein.dehghanpoor@gmail.com] 
Sent: Thursday, September 21, 2017 12:48 AM
To: user@openmeetings.apache.org
Subject: Re: 3.3.2 Snapshot: Login not Posting via Proxy

 

how can we download version 3.3.2 or 4.0.0 snapshots?

 

On Thu, Sep 21, 2017 at 10:11 AM, Maxim Solodovnik <solomax666@gmail.com <ma...@gmail.com> > wrote:

In case of CSRF you should have the record in the logs CSRF was violated

Is it the case?

 

On Thu, Sep 21, 2017 at 3:56 AM, Coscend@OM <OM.Insights@coscend.com <ma...@coscend.com> > wrote:

Dear OpenMeetings Users,

 

We would appreciate any vectors to resolve the following issue:

 

We successfully installed, configured, logged in OM 3.3.2 Snapshot 

1.     Internally, i.e., http://IP:port/openmeetings

2.     Externally, i.e., http://<our.FQDN.name>:port/openmeetings

OM logs have a line:   

DEBUG 09-20 14:45:14.219 221956 388 o.a.o.w.a.Application [105-6083-exec-2] - Adding online client: 63e8a860-65c6-4687-a7e0-ca435ca21ec6, room: null

 

ISSUE

--------

However, we are unable to login to OM 3.3.2 Snapshot via Proxy server.    When we click on submit username/password, it reloads the login page.  

OM logs are MISSING this line:  “Adding online client:…”

 

 

QUESTIONS

--------

 

1.     What has changed between OM 3.3.2 and 3.3.0 that does not POST login credentials?  Anything to do with Session variables and session request handlers?

2.     We have used the proxy server settings that are working perfectly with OM 3.3.0 in which CSRF and CSP, XSS were introduced.

Alteametasoft Demo server:  What additional proxy settings needed to be added to Apache Web server to enable OM 3.3.2?

 

Source of proxy server settings:  

i)              CSRF:  http://markmail.org/message/o4szinpxt4e2tzch

ii)             Proxy logging:  http://markmail.org/message/mft3m5bdjeqxwicw 

 

Thank you.

 

Sincerely,

 

Hemant K. Sabat

 


-- 

WBR
Maxim aka solomax

 




Re: 3.3.2 Snapshot: Login not Posting via Proxy

Posted by Hossein Dehghanpoor <ho...@gmail.com>.
how can we download version 3.3.2 or 4.0.0 snapshots?

On Thu, Sep 21, 2017 at 10:11 AM, Maxim Solodovnik <so...@gmail.com>
wrote:

> In case of CSRF you should have the record in the logs CSRF was violated
> Is it the case?
>
> On Thu, Sep 21, 2017 at 3:56 AM, Coscend@OM <OM...@coscend.com>
> wrote:
>
>> Dear OpenMeetings Users,
>>
>>
>>
>> We would appreciate any vectors to resolve the following issue:
>>
>>
>>
>> We successfully installed, configured, logged in OM 3.3.2 Snapshot
>>
>> 1.     Internally, i.e., http://IP:port/openmeetings
>>
>> 2.     Externally, i.e., http://<our.FQDN.name>:port/openmeetings
>>
>> OM logs have a line:
>>
>> DEBUG 09-20 14:45:14.219 221956 388 o.a.o.w.a.Application
>> [105-6083-exec-2] - Adding online client: 63e8a860-65c6-4687-a7e0-ca435ca21ec6,
>> room: null
>>
>>
>>
>> ISSUE
>>
>> --------
>>
>> However, we are unable to login to OM 3.3.2 Snapshot via Proxy server.
>>   When we click on submit username/password, it reloads the login page.
>>
>> OM logs are MISSING this line:  “Adding online client:…”
>>
>>
>>
>>
>>
>> QUESTIONS
>>
>> --------
>>
>>
>>
>> 1.     What has changed between OM 3.3.2 and 3.3.0 that does not POST
>> login credentials?  Anything to do with Session variables and session
>> request handlers?
>>
>> 2.     We have used the proxy server settings that are working perfectly
>> with OM 3.3.0 in which CSRF and CSP, XSS were introduced.
>>
>> Alteametasoft Demo server:  What additional proxy settings needed to be
>> added to Apache Web server to enable OM 3.3.2?
>>
>>
>>
>> Source of proxy server settings:
>>
>> i)              CSRF:  http://markmail.org/message/o4szinpxt4e2tzch
>>
>> ii)             Proxy logging:  http://markmail.org/message/mft3m5bdjeqxwicw
>>
>>
>>
>> Thank you.
>>
>>
>>
>> Sincerely,
>>
>>
>>
>> Hemant K. Sabat
>>
>>
>
>
>
> --
> WBR
> Maxim aka solomax
>

Re: 3.3.2 Snapshot: Login not Posting via Proxy

Posted by Maxim Solodovnik <so...@gmail.com>.
JSESSIONID should be in the cookies
And since everything works without proxy I guess it is in the cookies

On Fri, Sep 22, 2017 at 2:04 AM, Coscend@OM <OM...@coscend.com> wrote:

> Dear Maxim,
>
>
>
> Based on your vector, we found out the cause of the error (see below).
> Your further guidance would help us resolve the error.
>
>
>
> Cause
>
> ---------
>
> In 3.3.0, proxy server is capturing JSESSIONID.  In 3.3.2, proxy server is
> NOT ABLE TO capture JSESSIONID.
>
>
>
>
>
> QUESTION
>
> ----------------
>
> Could you please advise in publishing session cookie, how is OM 3.3.2
> different from 3.3.0?  Proxy server logs are below.  Thank you.
>
>
>
>
>
> Proxy server logs
>
> -----------------
>
> In OM 3.3.0, proxy server is capturing JSESSIONID in each line.
>
> Sep 21 13:36:07 localhost proxy-server[10415]: 192.168.100.152:56085 [21/Sep/2017:13:36:07.914] webapps-frontend~ subdomain-backend/openmeetings 0/0/0/3/10 200 86916 JSESSIONID=66BC3A6F228503A5D39F4B8E6F1FF951 - ---- 6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} {|86575|max-age=||||||||||cache|||||} "GET /openmeetings/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1"
>
>
>
>
>
> In OM 3.3.2, JSESSIONID is missing.
>
> Sep 21 13:39:23 localhost proxy-server[10517]: 192.168.100.152:56391 [21/Sep/2017:13:39:23.450] webapps-frontend~ subdomain-backend/openmeetings 0/0/1/4/8 200 86916 - - ---- 6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} {|86575|max-age=||||||||||cache|||||} "GET /openmeetings/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1"
>
>
>
> Sincerely,
>
>
>
> Hemant K. Sabat
>
>
>
> *From:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Sent:* Thursday, September 21, 2017 9:50 AM
> *To:* Openmeetings user-list <us...@openmeetings.apache.org>;
> OM.Insights@coscend.com
> *Subject:* Re: 3.3.2 Snapshot: Login not Posting via Proxy
>
>
>
> Not sure what is going on
>
> Maybe you can check with wireshark what data is being sent/received?
>
>
>
> On Thu, Sep 21, 2017 at 3:05 PM, Coscend@OM <OM...@coscend.com>
> wrote:
>
> Dear Maxim,
>
>
>
> Below is the summary (and detail) of browser log.  Why is Form data being
> blocked?  Any vectors to resolve this would be appreciated.
>
>
>
> Summary of browser log
>
> ==================
>
> Browser / Network tab log has status 200 for all requests except cookie
> (302 status for redirection via proxy).
>
> All security headers enabled.
>
> The signin field at the end is ‘(empty)’.
>
> ‘Form data’ (login and pass) is missing.
>
>
>
>
>
> Browser log Detailed
>
> ===============
>
> Browser log of request https://ourdomain.com/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=BD8C3A0FC93992B0A980ADC9690B2F94?1-1.0-signin&_=1505980053143&navigatorAppName=Netscape&navigatorAppVersion=5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F60.0.3112.113%20Safari%2F537.36&navigatorAppCodeName=Mozilla&navigatorCookieEnabled=true&navigatorJavaEnabled=false&navigatorLanguage=en-US&navigatorPlatform=Win32&navigatorUserAgent=Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F60.0.3112.113%20Safari%2F537.36&screenWidth=1600&screenHeight=900&screenColorDepth=24&utcOffset=-6&utcDSTOffset=-5&browserWidth=2000&browserHeight=187&hostname=coscend.fortiddns.com&codebase=https%3A%2F%2Fcoscend.fortiddns.com%2Fopenmeetings%2Fsignin%3Bjsessionid%3DBD8C3A0FC93992B0A980ADC9690B2F94&settings=%7B%7D
>
>
>
> Request URL: https://ourdomain.com/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=74112B08358FDA7D4EE6F1FB8A85D0E5?2-1.0-&_=1505979797255&
>
> Request Method:GET
>
> Status Code:200
>
> Remote Address:76.186.214.195:443
>
> Referrer Policy:no-referrer-when-downgrade
>
> Response Headers
>
> Access-Control-Allow-Credentials: true
> Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, X-CSRF-Token, X-XSRF-TOKEN
> Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
> Access-Control-Allow-Origin: *
> Cache-Control: nocache, no-store
> Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
> Content-Type: text/xml;charset=UTF-8
> Date: Thu, 21 Sep 2017 07:43:18 GMT
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Origin: http://Coscend.Fortiddns.com
> Pragma: no-cache
> Referrer-Policy: no-referrer-when-downgrade
> Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> Transfer-Encoding: chunked
> X-Backend-Server-Name: openmeetings
> X-Content-Type-Options: nosniff
> X-Frame-Options: SAMEORIGIN
> X-XSS-Protection: 1; mode=block
>
> Request Headers
>
> Accept: application/xml, text/xml, */*; q=0.01
> Accept-Encoding: gzip, deflate, br
> Accept-Language: en-US,en;q=0.8
> Connection: keep-alive
> DNT: 1
> Host: coscend.fortiddns.com
> Referer: https://ourdomain.com/openmeetings/signin;jsessionid=74112B08358FDA7D4EE6F1FB8A85D0E5
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
> Wicket-Ajax: true
> Wicket-Ajax-BaseURL: signin
> X-Requested-With: XMLHttpRequest
>
> Query String Parameters
>
> 2-1.0-:
> _: 1505979797255
> (empty)
>
>
>
>
>
> Thank you.
>
>
>
> Sincerely,
>
>
>
> Hemant K. Sabat
>
>
>
> *From:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Sent:* Thursday, September 21, 2017 2:27 AM
> *To:* Openmeetings user-list <us...@openmeetings.apache.org>;
> OM.Insights@coscend.com
> *Subject:* Re: 3.3.2 Snapshot: Login not Posting via Proxy
>
>
>
> You have no chance to see the "WebSocketBehavior::onConnect" log message
> because your login is unsuccessful
>
>
>
> as you are saying there are no errors in the logs ...
>
>
>
> Are there any errors in browser console? network tab?
>
>
>
> On Thu, Sep 21, 2017 at 2:08 PM, Coscend@OM <OM...@coscend.com>
> wrote:
>
> Dear Maxim,
>
>
>
> CSRF is not violated in proxy scenario because:
>
> 1.     No OM log records of CSRF violation.
>
> 2.     Also, 3.3.0 is working fine that has CSRF event listener enabled
> (Application.Java @235).  3.3.0 is working fine under same proxy setting
> and same server / environment.
>
>
>
> -----------Log DIFFs---------Detailed logs at the end.
>
> DIFF between FAILED (via proxy) vs SUCCESSFUL (without proxy) login:  the
> following lines are MISSING when it FAILS:
>
> DEBUG 09-20 11:05:33.339 631732 229 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior::onConnect [uid: 648aabcf-2bc0-4df5-b891-065e3ffde9c3, session: E73B6C62D991E218215709F7F7095547, key: org.apache.wicket.protocol.ws.api.registry.PageIdKey@0]
>
> DEBUG 09-20 11:05:33.342 631735 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'E73B6C62D991E218215709F7F7095547' and page id '0'
>
> DEBUG 09-20 11:05:33.351 631744 238 o.a.o.w.c.MainPanel [105-6083-exec-7] - WebSocketBehavior:: pingTimer is attached
>
>
>
> -------------Relevant DIFF of 3.3.2 and 3.3.0 files-----------
>
> Could any of these changes require some additional proxy settings?
>
>
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/ISlaveHTTPConnectionManager.java: removed
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/MainService.java: changed
> <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/MainService.java>
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/UserService.java: changed
> <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/UserService.java>
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/util/SessionVariablesUtil.java: removed
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/session/ServerUtil.java: removed
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/session/SessionManager.java: changed
> <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/session/SessionManager.java>
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/DatabaseStore.java: removed
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/HashMapStore.java: removed
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/IClientPersistenceStore.java: removed
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/IClientUtil.java: added
> <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/IClientUtil.java>
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/WebSocketHelper.java: changed
> <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/WebSocketHelper.java>
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageAll.java: added
> <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageAll.java>
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageChat.java: added
> <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageChat.java>
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoom.java: added
> <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoom.java>
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoomMsg.java: added
> <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoomMsg.java>
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageUser.java: added
> <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageUser.java>
>
> openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ISessionManager.java: changed
> <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ISessionManager.java>
>
> openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ServerDao.java: removed
>
> openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/SessiondataDao.java: changed
> <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/SessiondataDao.java>
>
>
>
>
>
> Logs:  FAILED LOGIN
>
> ===================
>
> Step 1:  Load Login Page
>
> ----------
>
> DEBUG 09-20 15:33:59.748 388830 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
>
> DEBUG 09-20 15:33:59.915 388997 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
>
> DEBUG 09-20 15:33:59.947 389029 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
>
> DEBUG 09-20 15:34:00.236 389318 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
>
> DEBUG 09-20 15:34:00.316 389398 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
>
>
>
> Step 2:  POST / Authentication
>
> --------
>
> DEBUG 09-20 15:35:50.776 499858 642 o.a.o.d.d.u.UserDao [105-6083-exec-5] - login:: 1 users were found
>
> DEBUG 09-20 15:35:51.228 500310 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] - Level Login :: [GRANTED]
>
> DEBUG 09-20 15:35:51.229 500311 659 o.a.o.d.d.u.UserDao [105-6083-exec-5] - loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend, deleted=false], user=User [id=1, firstname=firstname, lastname=lastname, login=Coscend.Insights, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=<>@Coscend.com, phone=null], externalId=null, externalType=null, type=user]]]
>
> DEBUG 09-20 15:35:51.233 500315 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] - Level Admin :: [GRANTED]
>
> DEBUG 09-20 15:35:51.236 500318 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'EE17FFD4E063A1234AF5E595D772F897' and page id '1'
>
> DEBUG 09-20 15:35:51.286 500368 87 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-1] - getActiveLdapConfigs
>
> DEBUG 09-20 15:35:51.297 500379 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
>
> DEBUG 09-20 15:35:51.468 500550 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
>
> DEBUG 09-20 15:35:51.501 500583 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
>
> DEBUG 09-20 15:35:51.812 500894 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
>
> DEBUG 09-20 15:35:51.892 500974 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
>
>
>
> Thank you.
>
>
>
> Sincerely,
>
>
>
> Hemant K. Sabat
>
>
>
> *From:* Maxim Solodovnik [mailto:solomax666@gmail.com]
> *Sent:* Thursday, September 21, 2017 12:41 AM
> *To:* Openmeetings user-list <us...@openmeetings.apache.org>;
> OM.Insights@coscend.com
> *Subject:* Re: 3.3.2 Snapshot: Login not Posting via Proxy
>
>
>
> In case of CSRF you should have the record in the logs CSRF was violated
>
> Is it the case?
>
>
>
> On Thu, Sep 21, 2017 at 3:56 AM, Coscend@OM <OM...@coscend.com>
> wrote:
>
> Dear OpenMeetings Users,
>
>
>
> We would appreciate any vectors to resolve the following issue:
>
>
>
> We successfully installed, configured, logged in OM 3.3.2 Snapshot
>
> 1.     Internally, i.e., http://IP:port/openmeetings
>
> 2.     Externally, i.e., http://<our.FQDN.name>:port/openmeetings
>
> OM logs have a line:
>
> DEBUG 09-20 14:45:14.219 221956 388 o.a.o.w.a.Application
> [105-6083-exec-2] - Adding online client: 63e8a860-65c6-4687-a7e0-ca435ca21ec6,
> room: null
>
>
>
> ISSUE
>
> --------
>
> However, we are unable to login to OM 3.3.2 Snapshot via Proxy server.
>   When we click on submit username/password, it reloads the login page.
>
> OM logs are MISSING this line:  “Adding online client:…”
>
>
>
>
>
> QUESTIONS
>
> --------
>
>
>
> 1.     What has changed between OM 3.3.2 and 3.3.0 that does not POST
> login credentials?  Anything to do with Session variables and session
> request handlers?
>
> 2.     We have used the proxy server settings that are working perfectly
> with OM 3.3.0 in which CSRF and CSP, XSS were introduced.
>
> Alteametasoft Demo server:  What additional proxy settings needed to be
> added to Apache Web server to enable OM 3.3.2?
>
>
>
> Source of proxy server settings:
>
> i)              CSRF:  http://markmail.org/message/o4szinpxt4e2tzch
>
> ii)             Proxy logging:  http://markmail.org/message/mft3m5bdjeqxwicw
>
>
>
> Thank you.
>
>
>
> Sincerely,
>
>
>
> Hemant K. Sabat
>
>
>
> --
>
> WBR
> Maxim aka solomax
>



-- 
WBR
Maxim aka solomax
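The browser log quoted in this reply lists the response headers the browser received on the sign-in request. What follows is an added example, not OpenMeetings, Coscend or proxy code, that audits such a header set for the combinations a practitioner checks when an app sits behind a reverse proxy: a wildcard CORS origin paired with credentials, inline/eval script in the CSP, a stray request header on the response, an unrecognised Cache-Control token, and the session cookie's attributes. SAMPLE_HEADERS copies the values from the quoted log; the Set-Cookie line is constructed, since the thread never shows one; HARDENED_HEADERS is an illustrative corrected set, not a configuration from the thread, and the origin it names is only an example.

```python
"""Audit HTTP response headers for CORS, CSP, caching and session-cookie
settings that matter when a web app is served through a reverse proxy.

Added example for this thread; not OpenMeetings, Coscend or proxy code.
"""

# Values copied from the browser log in the thread; Set-Cookie is constructed
# (the thread never shows one): a container-style session cookie that lacks
# the Secure attribute although HSTS marks the site as HTTPS-only.
SAMPLE_HEADERS = {
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept, X-CSRF-Token, X-XSRF-TOKEN",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
    "Access-Control-Allow-Origin": "*",
    "Cache-Control": "nocache, no-store",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';",
    "Content-Type": "text/xml;charset=UTF-8",
    "Origin": "http://Coscend.Fortiddns.com",
    "Pragma": "no-cache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Set-Cookie": ["JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/openmeetings; HttpOnly"],
}

# Illustrative corrected set (assumed, not from the thread): an allow-listed
# origin instead of '*', no inline/eval script, a valid Cache-Control, and
# Secure + HttpOnly on the session cookie.
HARDENED_HEADERS = {
    "Access-Control-Allow-Origin": "https://coscend.fortiddns.com",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
    "Cache-Control": "no-cache, no-store",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Set-Cookie": ["JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/openmeetings; Secure; HttpOnly"],
}

# RFC 7234 response directives plus the common extensions caches understand.
VALID_CACHE_DIRECTIVES = {"no-cache", "no-store", "must-revalidate", "private",
                          "public", "max-age", "s-maxage", "proxy-revalidate",
                          "no-transform", "immutable", "stale-while-revalidate",
                          "stale-if-error"}


def parse_csp(policy):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def parse_set_cookie(value):
    """Return (name, value, {attribute_lower: value_or_True}) for one Set-Cookie."""
    pieces = [p.strip() for p in value.split(";") if p.strip()]
    name, _, val = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, sep, v = piece.partition("=")
        attrs[key.strip().lower()] = v.strip() if sep else True
    return name.strip(), val.strip(), attrs


def audit_headers(headers, session_cookie="JSESSIONID", app_path="/openmeetings"):
    """Return [(code, severity, message)] for every problem found.
    Header names match case-insensitively; Set-Cookie may be a list."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # CORS: the Fetch spec forbids a wildcard origin on a credentialed
    # response, so the browser discards it; the pair is dead or misguided.
    acac = str(h.get("access-control-allow-credentials", "")).lower()
    if h.get("access-control-allow-origin") == "*" and acac == "true":
        findings.append(("cors-wildcard-credentials", "high",
                         "Access-Control-Allow-Origin '*' with Allow-Credentials 'true'; "
                         "echo an allow-listed Origin value instead"))

    # CSP: script-src (falling back to default-src) allowing inline or eval'd
    # script leaves little protection against XSS.
    csp = parse_csp(h.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src", []))
    unsafe = sorted(s for s in script_src if s in ("'unsafe-inline'", "'unsafe-eval'"))
    if unsafe:
        findings.append(("csp-unsafe-script", "medium", "script-src permits " + ", ".join(unsafe)))

    # Origin is a request header (RFC 6454); on a response it does nothing.
    if "origin" in h:
        findings.append(("origin-response-header", "info",
                         "Origin is a request header and has no effect on a response"))

    # Unknown Cache-Control tokens are ignored by caches; 'nocache' is a typo
    # for 'no-cache' that only 'no-store' alongside it makes harmless.
    cc = h.get("cache-control")
    if cc:
        tokens = [t.strip().split("=")[0].lower() for t in cc.split(",")]
        bad = [t for t in tokens if t not in VALID_CACHE_DIRECTIVES]
        if bad:
            findings.append(("cache-control-typo", "low",
                             "unrecognised Cache-Control directive(s): " + ", ".join(bad)))

    # Session cookie: behind a TLS-terminating proxy the app may think it is
    # on plain HTTP and omit Secure; with HSTS present the site is HTTPS-only.
    set_cookies = h.get("set-cookie", [])
    if isinstance(set_cookies, str):
        set_cookies = [set_cookies]
    https_only = "strict-transport-security" in h
    for raw in set_cookies:
        name, _, attrs = parse_set_cookie(raw)
        if name != session_cookie:
            continue
        if https_only and "secure" not in attrs:
            findings.append(("cookie-no-secure", "high", name + " is set without Secure on an HSTS site"))
        if "httponly" not in attrs:
            findings.append(("cookie-no-httponly", "medium", name + " is set without HttpOnly"))
        path = attrs.get("path", "/")
        # RFC 6265 path-match: equal, or a prefix that ends at a '/' boundary.
        if not (app_path == path or app_path.startswith(path.rstrip("/") + "/")):
            findings.append(("cookie-path-mismatch", "high",
                             name + " has Path=" + path + ", so it is never sent to " + app_path))
    return findings


if __name__ == "__main__":
    for code, severity, message in audit_headers(SAMPLE_HEADERS):
        print("%-26s %-6s %s" % (code, severity, message))
    print("hardened set findings:", audit_headers(HARDENED_HEADERS))
```

The CORS finding is the one worth acting on: a cross-origin caller that needs cookies must see its own (allow-listed) origin echoed back, never `*`. The cookie checks are the ones relevant to the thread's symptom; a cookie the browser refuses to store or to send back (wrong Path, or Secure on a non-HTTPS origin) produces exactly the "no JSESSIONID through the proxy" picture, and the only way to tell that apart from a proxy stripping the Cookie header is to compare a browser-side capture with the proxy log.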

RE: 3.3.2 Snapshot: Login not Posting via Proxy

Posted by "Coscend@OM" <OM...@Coscend.com>.
Dear Maxim,

 

Based on your vector, we found out the cause of the error (see below).  Your further guidance would help us resolve the error.

 

Cause

---------

In 3.3.0, proxy server is capturing JSESSIONID.  In 3.3.2, proxy server is NOT ABLE TO capture JSESSIONID.  

 

 

QUESTION

----------------

Could you please advise how OM 3.3.2 differs from 3.3.0 in publishing the session cookie?  Proxy server logs are below.  Thank you.

 

 

Proxy server logs

-----------------

In OM 3.3.0, the proxy server is capturing JSESSIONID in each line.

Sep 21 13:36:07 localhost proxy-server[10415]: 192.168.100.152:56085 [21/Sep/2017:13:36:07.914] webapps-frontend~ subdomain-backend/openmeetings 0/0/0/3/10 200 86916 JSESSIONID=66BC3A6F228503A5D39F4B8E6F1FF951 - ---- 6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} {|86575|max-age=||||||||||cache|||||} "GET /openmeetings/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1"

 

 

In OM 3.3.2, JSESSIONID is missing.

Sep 21 13:39:23 localhost proxy-server[10517]: 192.168.100.152:56391 [21/Sep/2017:13:39:23.450] webapps-frontend~ subdomain-backend/openmeetings 0/0/1/4/8 200 86916 - - ---- 6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} {|86575|max-age=||||||||||cache|||||} "GET /openmeetings/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1"

 

Sincerely,

Hemant K. Sabat
Coscend Communications Solutions
www.Coscend.com

From: Maxim Solodovnik [mailto:solomax666@gmail.com] 
Sent: Thursday, September 21, 2017 9:50 AM
To: Openmeetings user-list <us...@openmeetings.apache.org>; OM.Insights@coscend.com
Subject: Re: 3.3.2 Snapshot: Login not Posting via Proxy

 

Not sure what is going on

Maybe you can check with wireshark what data is being sent/received?

 


From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Thursday, September 21, 2017 2:27 AM
To: Openmeetings user-list <user@openmeetings.apache.org>; OM.Insights@coscend.com
Subject: Re: 3.3.2 Snapshot: Login not Posting via Proxy

 

You have no chance to see the "WebSocketBehavior::onConnect" log message because your login is unsuccessful

 

as you are saying there are no errors in the logs ...

 

Are there any errors in browser console? network tab?

 

On Thu, Sep 21, 2017 at 2:08 PM, Coscend@OM <OM.Insights@coscend.com> wrote:

Dear Maxim,

 

CSRF is not violated in proxy scenario because:

1.     No OM log records of CSRF violation.

2.     Also, 3.3.0, which has the CSRF event listener enabled (Application.java @235), is working fine under the same proxy settings and the same server / environment.

 

-----------Log DIFFs---------Detailed logs at the end.  

DIFF between FAILED (via proxy) vs SUCCESSFUL (without proxy) login:  the following lines are MISSING when it FAILS:  

DEBUG 09-20 11:05:33.339 631732 229 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior::onConnect [uid: 648aabcf-2bc0-4df5-b891-065e3ffde9c3, session: E73B6C62D991E218215709F7F7095547, key: org.apache.wicket.protocol.ws.api.registry.PageIdKey@0]

DEBUG 09-20 11:05:33.342 631735 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'E73B6C62D991E218215709F7F7095547' and page id '0'

DEBUG 09-20 11:05:33.351 631744 238 o.a.o.w.c.MainPanel [105-6083-exec-7] - WebSocketBehavior:: pingTimer is attached

 

-------------Relevant DIFF of 3.3.2 and 3.3.0 files-----------

Could any of these changes require some additional proxy settings?

 


openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/ISlaveHTTPConnectionManager.java: removed

openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/MainService.java: changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/MainService.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/UserService.java: changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/UserService.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/util/SessionVariablesUtil.java: removed

openmeetings-core/src/main/java/org/apache/openmeetings/core/session/ServerUtil.java: removed

openmeetings-core/src/main/java/org/apache/openmeetings/core/session/SessionManager.java: changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/session/SessionManager.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/DatabaseStore.java: removed

openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/HashMapStore.java: removed

openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/IClientPersistenceStore.java: removed

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/IClientUtil.java: added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/IClientUtil.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/WebSocketHelper.java: changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/WebSocketHelper.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageAll.java: added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageAll.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageChat.java: added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageChat.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoom.java: added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoom.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoomMsg.java: added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoomMsg.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageUser.java: added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageUser.java>

openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ISessionManager.java: changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ISessionManager.java>

openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ServerDao.java: removed

openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/SessiondataDao.java: changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/SessiondataDao.java>

 

 

Logs:  FAILED LOGIN

===================

Step 1:  Load Login Page

---------- 

DEBUG 09-20 15:33:59.748 388830 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

DEBUG 09-20 15:33:59.915 388997 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

DEBUG 09-20 15:33:59.947 389029 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

DEBUG 09-20 15:34:00.236 389318 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

DEBUG 09-20 15:34:00.316 389398 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

 

Step 2:  POST / Authentication

--------

DEBUG 09-20 15:35:50.776 499858 642 o.a.o.d.d.u.UserDao [105-6083-exec-5] - login:: 1 users were found

DEBUG 09-20 15:35:51.228 500310 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] - Level Login :: [GRANTED]

DEBUG 09-20 15:35:51.229 500311 659 o.a.o.d.d.u.UserDao [105-6083-exec-5] - loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend, deleted=false], user=User [id=1, firstname=firstname, lastname=lastname, login=Coscend.Insights, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=<>@Coscend.com, phone=null], externalId=null, externalType=null, type=user]]]

DEBUG 09-20 15:35:51.233 500315 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] - Level Admin :: [GRANTED]

DEBUG 09-20 15:35:51.236 500318 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'EE17FFD4E063A1234AF5E595D772F897' and page id '1'

DEBUG 09-20 15:35:51.286 500368 87 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-1] - getActiveLdapConfigs

DEBUG 09-20 15:35:51.297 500379 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

DEBUG 09-20 15:35:51.468 500550 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

DEBUG 09-20 15:35:51.501 500583 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

DEBUG 09-20 15:35:51.812 500894 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

DEBUG 09-20 15:35:51.892 500974 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

 

Thank you.

 

Sincerely,

Hemant K. Sabat
Coscend Communications Solutions
www.Coscend.com


From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Thursday, September 21, 2017 12:41 AM
To: Openmeetings user-list <user@openmeetings.apache.org>; OM.Insights@coscend.com
Subject: Re: 3.3.2 Snapshot: Login not Posting via Proxy

 

In case of CSRF, you should have a record in the logs that CSRF was violated.

Is it the case?

 


-- 

WBR
Maxim aka solomax





 


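As an added example (not code from this thread, from OpenMeetings, or from the poster's proxy), the following Python script parses the two proxy log lines quoted in the message above and reports which requests reached the proxy without a captured JSESSIONID. It assumes the lines use HAProxy's HTTP log field order, in which the two fields after the byte count are the captured request cookie and the captured response cookie and "-" means nothing was captured.

```python
"""Audit proxy log lines for a captured JSESSIONID.

Added example for this thread; it is not OpenMeetings code and not the
poster's proxy configuration. Assumption: the lines follow the HAProxy HTTP
log field order, where the two fields after the byte count are the captured
request cookie and the captured response cookie, and "-" means none was seen.
"""
import re
from typing import Dict, Iterable, List, Optional

# syslog envelope + HAProxy httplog fields; the two {...} header-capture groups
# are optional because they only appear when the frontend captures headers.
# A trailing "~" on the frontend name marks a TLS-terminated frontend.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+): '
    r'(?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/ ]+)/(?P<server>\S+) (?P<timers>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) (?P<term>\S+) '
    r'(?P<conns>\S+) (?P<queues>\S+)'
    r'(?: \{(?P<req_hdrs>[^}]*)\})?(?: \{(?P<resp_hdrs>[^}]*)\})? '
    r'"(?P<request>[^"]*)"$'
)


def parse_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields; None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def session_id(record: Dict[str, str], cookie_name: str = "JSESSIONID") -> Optional[str]:
    """Return the session id the proxy captured from the request, or None.

    HAProxy prints "-" when no cookie was captured. A "-" on a request that
    should carry a session means the browser did not present the cookie to
    the proxy (or the capture rule did not match it); the log alone does not
    say which, so confirm against the browser's own request headers.
    """
    captured = record["req_cookie"]
    if captured == "-" or not captured.startswith(cookie_name + "="):
        return None
    return captured.split("=", 1)[1]


def audit(lines: Iterable[str]) -> Dict[str, object]:
    """Partition requests by whether a session cookie reached the proxy.

    The request lines are kept so an operator can see which paths were hit
    without a session instead of only a count.
    """
    with_session: List[str] = []
    without_session: List[str] = []
    unparsed = 0
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            unparsed += 1
            continue
        bucket = with_session if session_id(rec) else without_session
        bucket.append(f'{rec["status"]} {rec["request"]}')
    return {"with_session": with_session,
            "without_session": without_session,
            "unparsed": unparsed}


# The two proxy lines quoted in the message above (3.3.0 first, 3.3.2 second),
# reproduced here with the poster's <ourdomain> placeholder left as written.
SAMPLE_LINES = [
    'Sep 21 13:36:07 localhost proxy-server[10415]: 192.168.100.152:56085 '
    '[21/Sep/2017:13:36:07.914] webapps-frontend~ subdomain-backend/openmeetings '
    '0/0/0/3/10 200 86916 JSESSIONID=66BC3A6F228503A5D39F4B8E6F1FF951 - ---- '
    '6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} '
    '{|86575|max-age=||||||||||cache|||||} '
    '"GET /openmeetings/wicket/resource/org.apache.wicket.resource.'
    'JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1"',
    'Sep 21 13:39:23 localhost proxy-server[10517]: 192.168.100.152:56391 '
    '[21/Sep/2017:13:39:23.450] webapps-frontend~ subdomain-backend/openmeetings '
    '0/0/1/4/8 200 86916 - - ---- 6/6/0/0/0 0/0 '
    '{<ourdomain>.com||https://<ourdomain>.com/Co} '
    '{|86575|max-age=||||||||||cache|||||} '
    '"GET /openmeetings/wicket/resource/org.apache.wicket.resource.'
    'JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1"',
]

if __name__ == "__main__":
    result = audit(SAMPLE_LINES)
    for request in result["without_session"]:
        print("no session cookie captured:", request)
    print(f'{len(result["with_session"])} with session, '
          f'{len(result["without_session"])} without, {result["unparsed"]} unparsed')
```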
RE: 3.3.2 Snapshot: Login not Posting via Proxy

Posted by "Coscend@OM" <OM...@Coscend.com>.
Dear Maxim,

 

Below is the summary (and detail) of browser log.  Why is Form data being blocked?  Any vectors to resolve this would be appreciated.

 

Summary of browser log

==================

Browser / Network tab log has status 200 for all requests except cookie (302 status for redirection via proxy).  

All security headers enabled.  

The signin field at the end is ‘(empty)’. 

‘Form data’ (login and pass) is missing.  

 

 

Browser log Detailed

===============

Browser log of request https://ourdomain.com/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=BD8C3A0FC93992B0A980ADC9690B2F94?1-1.0-signin&_=1505980053143&navigatorAppName=Netscape&navigatorAppVersion=5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F60.0.3112.113%20Safari%2F537.36&navigatorAppCodeName=Mozilla&navigatorCookieEnabled=true&navigatorJavaEnabled=false&navigatorLanguage=en-US&navigatorPlatform=Win32&navigatorUserAgent=Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F60.0.3112.113%20Safari%2F537.36&screenWidth=1600&screenHeight=900&screenColorDepth=24&utcOffset=-6&utcDSTOffset=-5&browserWidth=2000&browserHeight=187&hostname=coscend.fortiddns.com&codebase=https%3A%2F%2Fcoscend.fortiddns.com%2Fopenmeetings%2Fsignin%3Bjsessionid%3DBD8C3A0FC93992B0A980ADC9690B2F94&settings=%7B%7D

 

Request URL:https://ourdomain.com/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=74112B08358FDA7D4EE6F1FB8A85D0E5?2-1.0-&_=1505979797255&
Request Method:GET
Status Code:200
Remote Address:76.186.214.195:443
Referrer Policy:no-referrer-when-downgrade

Response Headers
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Origin, X-Requested-With, Content-Type, Accept, X-CSRF-Token, X-XSRF-TOKEN
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:*
Cache-Control:nocache, no-store
Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
Content-Type:text/xml;charset=UTF-8
Date:Thu, 21 Sep 2017 07:43:18 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Origin:http://Coscend.Fortiddns.com
Pragma:no-cache
Referrer-Policy:no-referrer-when-downgrade
Strict-Transport-Security:max-age=31536000; includeSubDomains; preload
Transfer-Encoding:chunked
X-Backend-Server-Name:openmeetings
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-XSS-Protection:1; mode=block

Request Headers
Accept:application/xml, text/xml, */*; q=0.01
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
DNT:1
Host:coscend.fortiddns.com
Referer:https://ourdomain.com/openmeetings/signin;jsessionid=74112B08358FDA7D4EE6F1FB8A85D0E5
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Wicket-Ajax:true
Wicket-Ajax-BaseURL:signin
X-Requested-With:XMLHttpRequest

Query String Parameters
2-1.0-:
_:1505979797255
(empty)

 

 

Thank you.

 

Sincerely,

Hemant K. Sabat
Coscend Communications Solutions
www.Coscend.com

 

 

 

 


Re: 3.3.2 Snapshot: Login not Posting via Proxy

Posted by Maxim Solodovnik <so...@gmail.com>.
You have no chance to see the "WebSocketBehavior::onConnect" log message because your login is unsuccessful

as you are saying there are no errors in the logs ...

Are there any errors in the browser console? Network tab?

-- 
WBR
Maxim aka solomax

RE: 3.3.2 Snapshot: Login not Posting via Proxy

Posted by "Coscend@OM" <OM...@Coscend.com>.
UPDATED log

-------DIFF between FAILED (via proxy) vs SUCCESSFUL (without proxy) login:  the following lines are MISSING when login FAILS under proxy----------

 

DEBUG 09-20 11:05:33.337 631730 369 o.a.o.w.a.Application [105-6083-exec-6] - Adding online client: 648aabcf-2bc0-4df5-b891-065e3ffde9c3, room: null

DEBUG 09-20 11:05:33.339 631732 229 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior::onConnect [uid: 648aabcf-2bc0-4df5-b891-065e3ffde9c3, session: E73B6C62D991E218215709F7F7095547, key: org.apache.wicket.protocol.ws.api.registry.PageIdKey@0]

DEBUG 09-20 11:05:33.342 631735 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'E73B6C62D991E218215709F7F7095547' and page id '0'

DEBUG 09-20 11:05:33.351 631744 238 o.a.o.w.c.MainPanel [105-6083-exec-7] - WebSocketBehavior:: pingTimer is attached

 

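
The diff above is done by eye; as an added example (not code from the thread or from the OpenMeetings project), the following Python parses the DEBUG record format of the quoted lines and reports which login milestones an excerpt lacks, plus the Wicket session ids it mentions. The milestone list is taken from the lines the thread marks as present only in the successful run; the two excerpts are built from posted lines, except that the first two records of the successful excerpt are constructed.

```python
"""Added example (not from the thread or the OpenMeetings code base): parse the
OpenMeetings DEBUG log format quoted in this thread and report which login
milestones an excerpt is missing, the comparison the post above does by eye.

Record format, as seen in the posted lines:
  LEVEL MM-DD HH:MM:SS.mmm <elapsed-ms> <src-line> <logger> [<thread>] - <message>
"""
import re
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"^(?P<level>[A-Z]+)\s+(?P<date>\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})"
    r"\s+(?P<elapsed>\d+)\s+(?P<src>\d+)\s+(?P<logger>\S+)\s+\[(?P<thread>[^\]]+)\]"
    r"\s+-\s+(?P<msg>.*)$"
)

# 32-hex-digit Wicket session id, written "session 'ID'" by HazelcastDataStore
# and "session: ID" by WebSocketBehavior::onConnect in the posted lines.
SESSION_RE = re.compile(r"session[:' ]+([0-9A-F]{32})")

# Milestones of a working login, in the order the successful (no-proxy) excerpt
# in the thread shows them: (label, logger suffix, message fragment).
# Assumption: this ordering is read off the posted lines, not from OM source.
MILESTONES = [
    ("user lookup", "UserDao", "login::"),
    ("login level granted", "AuthLevelUtil", "Level Login :: [GRANTED]"),
    ("online client added", "Application", "Adding online client:"),
    ("websocket connected", "MainPanel", "WebSocketBehavior::onConnect"),
    ("ping timer attached", "MainPanel", "pingTimer is attached"),
]

# Excerpts built from the lines quoted in the thread.  The first two records of
# SUCCESS_EXCERPT are constructed (timestamps invented) so that the excerpt
# covers the whole milestone list; every other line is as posted.
SUCCESS_EXCERPT = """
DEBUG 09-20 11:05:33.300 631693 642 o.a.o.d.d.u.UserDao [105-6083-exec-6] - login:: 1 users were found
DEBUG 09-20 11:05:33.320 631713 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-6] - Level Login :: [GRANTED]
DEBUG 09-20 11:05:33.337 631730 369 o.a.o.w.a.Application [105-6083-exec-6] - Adding online client: 648aabcf-2bc0-4df5-b891-065e3ffde9c3, room: null
DEBUG 09-20 11:05:33.339 631732 229 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior::onConnect [uid: 648aabcf-2bc0-4df5-b891-065e3ffde9c3, session: E73B6C62D991E218215709F7F7095547, key: org.apache.wicket.protocol.ws.api.registry.PageIdKey@0]
DEBUG 09-20 11:05:33.342 631735 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'E73B6C62D991E218215709F7F7095547' and page id '0'
DEBUG 09-20 11:05:33.351 631744 238 o.a.o.w.c.MainPanel [105-6083-exec-7] - WebSocketBehavior:: pingTimer is attached
"""

FAILED_EXCERPT = """
DEBUG 09-20 15:35:50.776 499858 642 o.a.o.d.d.u.UserDao [105-6083-exec-5] - login:: 1 users were found
DEBUG 09-20 15:35:51.228 500310 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] - Level Login :: [GRANTED]
DEBUG 09-20 15:35:51.233 500315 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] - Level Admin :: [GRANTED]
DEBUG 09-20 15:35:51.236 500318 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'EE17FFD4E063A1234AF5E595D772F897' and page id '1'
DEBUG 09-20 15:35:51.286 500368 87 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-1] - getActiveLdapConfigs
DEBUG 09-20 15:35:51.297 500379 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log record into named fields; None for blank or non-record lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_excerpt(text: str) -> List[Dict[str, str]]:
    """Parse every record in a pasted excerpt, ignoring lines that are not records."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def missing_milestones(text: str) -> List[str]:
    """Labels of the login milestones that never occur in the excerpt, in order."""
    records = parse_excerpt(text)
    return [
        label
        for label, logger_suffix, fragment in MILESTONES
        if not any(r["logger"].endswith(logger_suffix) and fragment in r["msg"] for r in records)
    ]


def sessions_seen(text: str) -> List[str]:
    """Distinct Wicket session ids mentioned in the excerpt, in first-seen order."""
    seen: List[str] = []
    for r in parse_excerpt(text):
        for sid in SESSION_RE.findall(r["msg"]):
            if sid not in seen:
                seen.append(sid)
    return seen


if __name__ == "__main__":
    for name, excerpt in (("no proxy", SUCCESS_EXCERPT), ("via proxy", FAILED_EXCERPT)):
        print(f"{name}: missing {missing_milestones(excerpt) or 'nothing'};"
              f" sessions {sessions_seen(excerpt)}")
```

Run against the failed excerpt it reports the three milestones the thread lists as missing, and it also shows that the failed run mentions two session ids where the successful run mentions one, which is simply what the posted lines contain.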

RE: 3.3.2 Snapshot: Login not Posting via Proxy

Posted by "Coscend@OM" <OM...@Coscend.com>.
Dear Maxim,

 

CSRF is not violated in proxy scenario because:

1.     No OM log records of CSRF violation.

2.     Also, 3.3.0, which has the CSRF event listener enabled (Application.Java @235), is working fine under the same proxy setting and the same server / environment.

 

-----------Log DIFFs---------Detailed logs at the end.  

DIFF between FAILED (via proxy) vs SUCCESSFUL (without proxy) login:  the following lines are MISSING when it FAILS:  

DEBUG 09-20 11:05:33.339 631732 229 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior::onConnect [uid: 648aabcf-2bc0-4df5-b891-065e3ffde9c3, session: E73B6C62D991E218215709F7F7095547, key: org.apache.wicket.protocol.ws.api.registry.PageIdKey@0]

DEBUG 09-20 11:05:33.342 631735 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'E73B6C62D991E218215709F7F7095547' and page id '0'

DEBUG 09-20 11:05:33.351 631744 238 o.a.o.w.c.MainPanel [105-6083-exec-7] - WebSocketBehavior:: pingTimer is attached

 

-------------Relevant DIFF of 3.3.2 and 3.3.0 files-----------

Could any of these changes require some additional proxy settings?

 


openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/ISlaveHTTPConnectionManager.java: removed
openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/MainService.java: changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/MainService.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/UserService.java: changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/UserService.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/util/SessionVariablesUtil.java: removed
openmeetings-core/src/main/java/org/apache/openmeetings/core/session/ServerUtil.java: removed
openmeetings-core/src/main/java/org/apache/openmeetings/core/session/SessionManager.java: changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/session/SessionManager.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/DatabaseStore.java: removed
openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/HashMapStore.java: removed
openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/IClientPersistenceStore.java: removed
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/IClientUtil.java: added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/IClientUtil.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/WebSocketHelper.java: changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/WebSocketHelper.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageAll.java: added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageAll.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageChat.java: added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageChat.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoom.java: added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoom.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoomMsg.java: added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoomMsg.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageUser.java: added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageUser.java>
openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ISessionManager.java: changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ISessionManager.java>
openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ServerDao.java: removed
openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/SessiondataDao.java: changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/SessiondataDao.java>

 

 

Logs:  FAILED LOGIN

===================

Step 1:  Load Login Page

---------- 

DEBUG 09-20 15:33:59.748 388830 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

DEBUG 09-20 15:33:59.915 388997 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

DEBUG 09-20 15:33:59.947 389029 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

DEBUG 09-20 15:34:00.236 389318 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

DEBUG 09-20 15:34:00.316 389398 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

 

Step 2:  POST / Authentication

--------

DEBUG 09-20 15:35:50.776 499858 642 o.a.o.d.d.u.UserDao [105-6083-exec-5] - login:: 1 users were found

DEBUG 09-20 15:35:51.228 500310 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] - Level Login :: [GRANTED]

DEBUG 09-20 15:35:51.229 500311 659 o.a.o.d.d.u.UserDao [105-6083-exec-5] - loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend, deleted=false], user=User [id=1, firstname=firstname, lastname=lastname, login=Coscend.Insights, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=<>@Coscend.com, phone=null], externalId=null, externalType=null, type=user]]]

DEBUG 09-20 15:35:51.233 500315 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] - Level Admin :: [GRANTED]

DEBUG 09-20 15:35:51.236 500318 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'EE17FFD4E063A1234AF5E595D772F897' and page id '1'

DEBUG 09-20 15:35:51.286 500368 87 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-1] - getActiveLdapConfigs

DEBUG 09-20 15:35:51.297 500379 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

DEBUG 09-20 15:35:51.468 500550 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

DEBUG 09-20 15:35:51.501 500583 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

DEBUG 09-20 15:35:51.812 500894 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

DEBUG 09-20 15:35:51.892 500974 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

 

Thank you.

 

Sincerely,

 

Hemant K. Sabat

 

Coscend Communications Solutions

www.Coscend.com <http://www.coscend.com/>  

------------------------------------------------------------------

Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly…

------------------------------------------------------------------

CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: http://www.Coscend.com/Terms_and_Conditions.html

From: Maxim Solodovnik [mailto:solomax666@gmail.com] 
Sent: Thursday, September 21, 2017 12:41 AM
To: Openmeetings user-list <us...@openmeetings.apache.org>; OM.Insights@coscend.com
Subject: Re: 3.3.2 Snapshot: Login not Posting via Proxy

 

In case of CSRF you should have the record in the logs CSRF was violated

Is it the case?

 

On Thu, Sep 21, 2017 at 3:56 AM, Coscend@OM <OM.Insights@coscend.com <ma...@coscend.com> > wrote:

Dear OpenMeetings Users,

 

We would appreciate any vectors to resolve the following issue:

 

We successfully installed, configured, logged in OM 3.3.2 Snapshot 

1.     Internally, i.e., http://IP:port/openmeetings

2.     Externally, i.e., http://<our.FQDN.name>:port/openmeetings

OM logs have a line:   

DEBUG 09-20 14:45:14.219 221956 388 o.a.o.w.a.Application [105-6083-exec-2] - Adding online client: 63e8a860-65c6-4687-a7e0-ca435ca21ec6, room: null

 

ISSUE

--------

However, we are unable to login to OM 3.3.2 Snapshot via Proxy server. When we click on submit username/password, it reloads the login page.

OM logs are MISSING this line:  “Adding online client:…”

 

 

QUESTIONS

--------

 

1.     What has changed between OM 3.3.2 and 3.3.0 that does not POST login credentials?  Anything to do with Session variables and session request handlers?

2.     We have used the proxy server settings that are working perfectly with OM 3.3.0 in which CSRF and CSP, XSS were introduced.

Alteametasoft Demo server:  What additional proxy settings needed to be added to Apache Web server to enable OM 3.3.2?

 

Source of proxy server settings:  

i)              CSRF:  http://markmail.org/message/o4szinpxt4e2tzch

ii)             Proxy logging:  http://markmail.org/message/mft3m5bdjeqxwicw 

 

Thank you.

 

Sincerely,

 

Hemant K. Sabat

 

Coscend Communications Solutions

www.Coscend.com <http://www.coscend.com/>  

------------------------------------------------------------------

Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly…

------------------------------------------------------------------

CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: http://www.Coscend.com/Terms_and_Conditions.html

-- 

WBR
Maxim aka solomax



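The failed-login excerpt posted above shows the page store writing to one session while the login page loads, then to two new session ids after AuthLevelUtil grants the login, with no "Adding online client" line following. The helper below is an added example, not code from the thread or from OpenMeetings: it parses log lines in the format posted there and reports the session ids seen before and after the grant; the suggestion to check how the proxy relays the new session cookie is my inference from that pattern, not a diagnosis given in the thread.

```python
import re

# Constructed sample: the failed-login lines posted above, trimmed to the
# entries the parser reads (timestamps and session ids as posted in the thread).
FAILED_LOGIN_LOG = """\
DEBUG 09-20 15:33:59.748 388830 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
DEBUG 09-20 15:35:50.776 499858 642 o.a.o.d.d.u.UserDao [105-6083-exec-5] - login:: 1 users were found
DEBUG 09-20 15:35:51.228 500310 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] - Level Login :: [GRANTED]
DEBUG 09-20 15:35:51.236 500318 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'EE17FFD4E063A1234AF5E595D772F897' and page id '1'
DEBUG 09-20 15:35:51.297 500379 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
"""
SESSION_RE = re.compile(r"Inserted data for session '([0-9A-Fa-f]+)'")
GRANT_MARK = "Level Login :: [GRANTED]"   # AuthLevelUtil accepted the credentials
ONLINE_MARK = "Adding online client:"      # Application registered the client


def analyze_login(log_text):
    """Collect session ids written before/after the grant; note client registration."""
    before, after = [], []
    granted = online = False
    for line in log_text.splitlines():
        granted = granted or GRANT_MARK in line
        online = online or ONLINE_MARK in line
        m = SESSION_RE.search(line)
        if m:
            bucket = after if granted else before
            if m.group(1) not in bucket:
                bucket.append(m.group(1))
    # replaced: every session touched after the grant is one the browser did
    # not hold when the login page was served
    replaced = granted and bool(after) and not set(after) & set(before)
    return {"granted": granted, "online_client_added": online,
            "sessions_before_grant": before, "sessions_after_grant": after,
            "session_replaced": replaced}


def diagnose(result):
    """Reduce the parsed facts to a one-line finding for the proxy operator."""
    if not result["granted"]:
        return "credentials not accepted: inspect the UserDao/AuthLevelUtil lines"
    if result["online_client_added"]:
        return "login completed: online client registered"
    if result["session_replaced"]:
        return ("login granted, session id changed (%s -> %s), no client registered: "
                "check that the proxy relays the new session cookie to the browser"
                % (", ".join(result["sessions_before_grant"]),
                   ", ".join(result["sessions_after_grant"])))
    return "login granted but no client registered: look for a CSRF-violation entry"
```

Run `diagnose(analyze_login(FAILED_LOGIN_LOG))` against the posted excerpt, or feed it a fuller log to compare the working and proxied paths side by side.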

Re: 3.3.2 Snapshot: Login not Posting via Proxy

Posted by Maxim Solodovnik <so...@gmail.com>.
In case of CSRF you should have the record in the logs CSRF was violated
Is it the case?




-- 
WBR
Maxim aka solomax