On Tue, 26 Jan 2021 at 13:45, [email protected] <[email protected]>
wrote:

> The log debug message clearly shows the actual password on the server side.
> It logs the actual password on server side.
>
>
yep
my bad
your password contains login
which is violation ...


> Anyway I will try again with debugger turned on.
>
> Thanks
> Seb
>
> On Tue, 26 Jan 2021 at 6:50 PM, Maxim Solodovnik <[email protected]>
> wrote:
>
> > Your issue with add user is most probably caused by the request you are
> > sending (I guess password is treated as NULL)
> >
> > here is the example of valid request
> >
> > Address: http://localhost:46325/openmeetings/services/user/?sid=5538950f-74f3-4ba2-ad29-b1309bac1cf7
> >     HttpMethod: POST
> >     Content-Type: application/x-www-form-urlencoded
> >     ExchangeId: 39d80bfb-778f-456e-ba6a-cbecc9208a01
> >     Headers: {Accept=application/json, host=localhost:46325, connection=keep-alive, content-type=application/x-www-form-urlencoded, cache-control=no-cache, Content-Length=552, pragma=no-cache, user-agent=Apache-CXF/3.4.1}
> >     Payload: user=%7B%22address%22%3A%7B%22deleted%22%3Afalse%2C%22email%22%3A%22email89749faf-8fc0-43d7-a372-46caed5ce271%40local%22%7D%2C%22firstname%22%3A%22firstname89749faf-8fc0-43d7-a372-46caed5ce271%22%2C%22languageId%22%3A1%2C%22lastname%22%3A%22lastname89749faf-8fc0-43d7-a372-46caed5ce271%22%2C%22login%22%3A%22login89749faf-8fc0-43d7-a372-46caed5ce271%22%2C%22password%22%3A%22pass1_%21%40%23%24%25_A%22%2C%22rights%22%3A%5B%22LOGIN%22%2C%22ROOM%22%2C%22DASHBOARD%22%5D%2C%22timeZoneId%22%3A%22Asia%2FBangkok%22%2C%22type%22%3A%22USER%22%7D&confirm=false
> >
> >
> > can always be checked on build server:
> >
> >
> > https://ci-builds.apache.org/job/OpenMeetings/job/openmeetings/230/consoleFull
> >
> > I'm planning to improve captcha as described in this thread:
> > https://markmail.org/message/bmp6tq3t5j6rw2rz
> >
> > particularly, modify language.xml, add following attributes:
> > 1) 'tip' - short text describing this captcha for ex. "Enter uppercase
> > English letters"
> > 2) 'rangeStart' - initial letter/code of possible captcha characters
> > 3) 'rangeEnd' - final letter/code of possible captcha characters
> >
> > processing for above
> >
> > Will try to implement it this week
> >
> > On Tue, 26 Jan 2021 at 11:26, [email protected] <[email protected]>
> > wrote:
> >
> > > Also the parameter "confirm" doesn't seem to have any meaning. It's not
> > > referenced in the rest of the code.
> > >
> > > Maybe I will change my Jira to fix some of this instead of disabling
> > > captcha.
> > >
> > > Thanks
> > > Seb
> > >
> > > Sebastian Wagner
> > > Director Arrakeen Solutions, OM-Hosting.com
> > > http://arrakeen-solutions.co.nz/
> > > https://om-hosting.com - Cloud & Server Hosting for HTML5
> > > Video-Conferencing OpenMeetings
> > > <https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url>
> > > <https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url>
> > >
> > >
> > > On Tue, 26 Jan 2021 at 17:21, [email protected] <[email protected]>
> > > wrote:
> > >
> > > > That doesn't mean that you shall not be able to disable it by admin
> > > > configuration parameters.
> > > >
> > > > Btw I tried the soap/Rest service for adding users, but for some reason it
> > > > does not accept even the most complex password.
> > > >
> > > > curl --location --request POST 'https://my-server.xyz/openmeetings/services/user/?sid=b20c5012-3c94-4e7a-bc6a-61f8cced3150' \
> > > > --header 'Content-Type: application/json' \
> > > > --header 'Cookie: JSESSIONID=866564BDD7D8562C9B8CD1B94621AB43' \
> > > > --form 'user="{firstname:'\''asdads'\'',lastname:'\''aasds'\'',login:'\''Test123123'\'',password:'\''IAmComplex_@Testing1234'\'',right:['\''ADMIN'\''],languageId:1,timeZoneId:'\''Pacific/Auckland'\''}"' \
> > > > --form 'confirm="false"'
> > > >
> > > >
> > > > "IAmComplex_@Testing1234" is certainly a complex password.
> > > >
> > > > But the server rejects it and in the log file it says:
> > > > DEBUG 01-26 03:32:59.119 o.a.o.w.UserWebService:191 [-nio-443-exec-5] - addNewUser::weak password 'IAmComplex_@Testing1234', msg: null
> > > >
> > > > Seems like msg is null but still the input is not valid, above log is
> > > > from here:
> > > >
> > > > https://github.com/apache/openmeetings/blob/master/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/UserWebService.java#L186
> > > >
> > > > Looks strange to me.
> > > >
> > > > Sebastian Wagner
> > > > Director Arrakeen Solutions, OM-Hosting.com
> > > > http://arrakeen-solutions.co.nz/
> > > > https://om-hosting.com - Cloud & Server Hosting for HTML5
> > > > Video-Conferencing OpenMeetings
> > > >
> > > >
> > > >
> > > > On Tue, 26 Jan 2021 at 16:15, Maxim Solodovnik <[email protected]>
> > > > wrote:
> > > >
> > > > >> The captcha was added because its absence was reported as security
> > > > >> vulnerability (you can check CVE at our security page ...)
> > > >>
> > > >> On Tue, 26 Jan 2021 at 10:05, [email protected] <
> > > >> [email protected]>
> > > >> wrote:
> > > >>
> > > > >> > I can try with the API approach, it should be possible. It is just a bit
> > > > >> > hacky. It would be easier to create a Selenium test that does both:
> > > > >> > a) sign up
> > > > >> > b) use that user to participate in a conference call
> > > > >> >
> > > > >> > I don't think the ability to turn off captcha would mean it's a security
> > > > >> > risk
> > > >> >
> > > >> > Thanks
> > > >> > Seb
> > > >> >
> > > >> > Sebastian Wagner
> > > >> > Director Arrakeen Solutions, OM-Hosting.com
> > > >> > http://arrakeen-solutions.co.nz/
> > > >> > https://om-hosting.com - Cloud & Server Hosting for HTML5
> > > >> > Video-Conferencing OpenMeetings
> > > >> > <
> > > >> >
> > > >>
> > >
> >
> https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url
> > > >> > >
> > > >> > <
> > > >> >
> > > >>
> > >
> >
> https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url
> > > >> > >
> > > >> >
> > > >> >
> > > > >> > On Tue, 26 Jan 2021 at 15:54, Maxim Solodovnik <[email protected]>
> > > > >> > wrote:
> > > >> >
> > > >> > > I've added the comment: I'm -1 for this feature
> > > >> > >
> > > >> > > Registration is now covered with JUnit tests
> > > >> > > For performance testing you can
> > > >> > > 1) create users via API
> > > >> > > 2) create users directly in DB
> > > >> > >
> > > > >> > > Users tend to turn off all security related "complications" just because
> > > > >> > > some of their clients have some difficulties .... :(
> > > > >> > > I'll plan to add customization options for captcha: i.e. admin can specify
> > > > >> > > "letter range" for captcha
> > > > >> > > In such case you can specify [A,A] range ... :)
> > > >> > >
> > > > >> > > On Tue, 26 Jan 2021 at 09:49, [email protected] <[email protected]>
> > > > >> > > wrote:
> > > >> > >
> > > > >> > > > In order to do automated signup using Selenium.
> > > > >> > > > That is both for testing, but in my case it is around performance and load
> > > > >> > > > testing.
> > > > >> > > > I created a ticket for now:
> > > > >> > > > https://issues.apache.org/jira/browse/OPENMEETINGS-2560 and see how
> > > > >> > > > difficult it would be to add this config.
> > > >> > > >
> > > >> > > > Thanks,
> > > >> > > > Seb
> > > >> > > >
> > > >> > > > Sebastian Wagner
> > > >> > > > Director Arrakeen Solutions, OM-Hosting.com
> > > >> > > > http://arrakeen-solutions.co.nz/
> > > >> > > > https://om-hosting.com - Cloud & Server Hosting for HTML5
> > > >> > > > Video-Conferencing OpenMeetings
> > > >> > > > <
> > > >> > > >
> > > >> > >
> > > >> >
> > > >>
> > >
> >
> https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url
> > > >> > > > >
> > > >> > > > <
> > > >> > > >
> > > >> > >
> > > >> >
> > > >>
> > >
> >
> https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url
> > > >> > > > >
> > > >> > > >
> > > >> > > >
> > > > >> > > > On Tue, 26 Jan 2021 at 15:44, Maxim Solodovnik <[email protected]>
> > > > >> > > > wrote:
> > > >> > > >
> > > >> > > > > Hello Sebastian,
> > > >> > > > >
> > > >> > > > > there is no such option ATM
> > > >> > > > > Why is it required for you?
> > > >> > > > >
> > > > >> > > > > On Tue, 26 Jan 2021 at 05:17, [email protected] <[email protected]>
> > > > >> > > > > wrote:
> > > >> > > > >
> > > >> > > > > > Hi,
> > > >> > > > > >
> > > > >> > > > > > is there a way to disable the need to enter a captcha during the
> > > > >> > > > > > sign up?
> > > >> > > > > >
> > > >> > > > > > Thanks
> > > >> > > > > > Seb
> > > >> > > > > >
> > > >> > > > > > Sebastian Wagner
> > > >> > > > > > Director Arrakeen Solutions, OM-Hosting.com
> > > >> > > > > > http://arrakeen-solutions.co.nz/
> > > >> > > > > > https://om-hosting.com - Cloud & Server Hosting for HTML5
> > > >> > > > > > Video-Conferencing OpenMeetings
> > > >> > > > > > <
> > > >> > > > > >
> > > >> > > > >
> > > >> > > >
> > > >> > >
> > > >> >
> > > >>
> > >
> >
> https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url
> > > >> > > > > > >
> > > >> > > > > > <
> > > >> > > > > >
> > > >> > > > >
> > > >> > > >
> > > >> > >
> > > >> >
> > > >>
> > >
> >
> https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url
> > > >> > > > > > >
> > > >> > > > > >
> > > >> > > > >
> > > >> > > > >
> > > >> > > > > --
> > > >> > > > > Best regards,
> > > >> > > > > Maxim
> > > >> > > > >
> > > >> > > >
> > > >> > >
> > > >> > >
> > > >> > > --
> > > >> > > Best regards,
> > > >> > > Maxim
> > > >> > >
> > > >> >
> > > >>
> > > >>
> > > >> --
> > > >> Best regards,
> > > >> Maxim
> > > >>
> > > >
> > >
> >
> >
> > --
> > Best regards,
> > Maxim
> >
> --
> Sebastian Wagner
> Director Arrakeen Solutions, OM-Hosting.com
> http://arrakeen-solutions.co.nz/
> https://om-hosting.com - Cloud & Server Hosting for HTML5
> Video-Conferencing OpenMeetings
>


-- 
Best regards,
Maxim
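
Added example, not part of any message in this thread and not OpenMeetings code: a Python sketch that decodes the valid add-user request body quoted above and builds one of the same shape (strict JSON inside a form-urlencoded `user` field, plus `confirm`). The function names are hypothetical, and the key comparison is against the quoted example only, not the server's schema.

```python
import json
from urllib.parse import parse_qs, urlencode

# Body of the valid request quoted in the thread (copied from the page).
VALID_BODY = (
    "user=%7B%22address%22%3A%7B%22deleted%22%3Afalse%2C%22email%22%3A%22"
    "email89749faf-8fc0-43d7-a372-46caed5ce271%40local%22%7D%2C%22firstname%22%3A%22"
    "firstname89749faf-8fc0-43d7-a372-46caed5ce271%22%2C%22languageId%22%3A1%2C%22"
    "lastname%22%3A%22lastname89749faf-8fc0-43d7-a372-46caed5ce271%22%2C%22login%22%3A%22"
    "login89749faf-8fc0-43d7-a372-46caed5ce271%22%2C%22password%22%3A%22"
    "pass1_%21%40%23%24%25_A%22%2C%22rights%22%3A%5B%22LOGIN%22%2C%22ROOM%22%2C%22"
    "DASHBOARD%22%5D%2C%22timeZoneId%22%3A%22Asia%2FBangkok%22%2C%22type%22%3A%22USER%22%7D"
    "&confirm=false"
)

def decode_add_user_body(body):
    """Split a form-urlencoded body into (user dict, confirm flag)."""
    fields = parse_qs(body, strict_parsing=True)
    if sorted(fields) != ["confirm", "user"] or any(len(v) != 1 for v in fields.values()):
        raise ValueError("expected exactly one 'user' and one 'confirm' field")
    user = json.loads(fields["user"][0])  # raises ValueError unless strict JSON
    if not isinstance(user, dict):
        raise ValueError("'user' must be a JSON object")
    return user, fields["confirm"][0] == "true"

def build_add_user_body(user, confirm=False):
    """Encode a user dict the way the quoted request does: JSON inside a form field."""
    return urlencode({"user": json.dumps(user, separators=(",", ":")),
                      "confirm": "true" if confirm else "false"})

def keys_not_in_example(user):
    """Keys absent from the quoted example (a comparison aid, not the server's schema)."""
    reference, _ = decode_add_user_body(VALID_BODY)
    return sorted(set(user) - set(reference))

def redacted(user):
    """Copy of the user dict with the password masked, safe to print or log."""
    return {**user, "password": "***"} if "password" in user else dict(user)

if __name__ == "__main__":
    user, confirm = decode_add_user_body(VALID_BODY)
    print(json.dumps(redacted(user), indent=2), "confirm =", confirm)
    # Constructed input: the field names used in the curl attempt quoted in the thread.
    attempt = {"firstname": "asdads", "lastname": "aasds", "login": "Test123123",
               "password": "IAmComplex_@Testing1234", "right": ["ADMIN"],
               "languageId": 1, "timeZoneId": "Pacific/Auckland"}
    print("keys not in the example:", keys_not_in_example(attempt))
```
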
