On Tue, 26 Jan 2021 at 15:20, [email protected] <[email protected]> wrote:
> That is very nifty subset of rule. > Let me try that again. > > Would be good to log the actual error instead of the password. > And/or return it in the api response. > The code for this was added: https://github.com/apache/openmeetings/blob/master/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/UserWebService.java#L191 Maybe it has some bugs ... :( > > Currently all those calls just return error 500 without any indication or > msg as of why it failed. Mostly because the ‘ServiceException’ is not part > of the method signature. So neither cxf nor jax-rs can map it to a response > body. > I had no time to check the mapping :( I would appreciate it if you can improve this :) > > But if you look at the msg in the log it actually says ‘null’. So even if > the service could map ServiceException to a response body, it would just > contain an empty message. > > Thanks > Sebastain > > On Tue, 26 Jan 2021 at 7:51 PM, Maxim Solodovnik <[email protected]> > wrote: > > > On Tue, 26 Jan 2021 at 13:45, [email protected] < > [email protected] > > > > > wrote: > > > > > The log debug message clearly shows the actual password on the server > > side. > > > It logs the actual password on server side. > > > > > > > > yep > > my bad > > your password contains login > > which is violation ... > > > > > > > Anyway I will try again with debugger turned on. > > > > > > Thanks > > > Seb > > > > > > On Tue, 26 Jan 2021 at 6:50 PM, Maxim Solodovnik <[email protected] > > > > > wrote: > > > > > > > Your issue with add user is most probably caused by the request you > are > > > > sending (I guess password is treated as NULL) > > > > > > > > here is the example of valid request > > > > > > > > Address: > > > > > > > > > > http://localhost:46325/openmeetings/services/user/?sid=5538950f-74f3-4ba2-ad29-b1309bac1cf7 > > > > HttpMethod: POST > > > > Content-Type: application/x-www-form-urlencoded > > > > ExchangeId: 39d80bfb-778f-456e-ba6a-cbecc9208a01 > > > > Headers: {Accept=application/json, host=localhost:46325, > > > > connection=keep-alive, > content-type=application/x-www-form-urlencoded, > > > > cache-control=no-cache, Content-Length=552, pragma=no-cache, > > > > user-agent=Apache-CXF/3.4.1} > > > > Payload: > > > > > > > > > > user=%7B%22address%22%3A%7B%22deleted%22%3Afalse%2C%22email%22%3A%22email89749faf-8fc0-43d7-a372-46caed5ce271%40local%22%7D%2C%22firstname%22%3A%22firstname89749faf-8fc0-43d7-a372-46caed5ce271%22%2C%22languageId%22%3A1%2C%22lastname%22%3A%22lastname89749faf-8fc0-43d7-a372-46caed5ce271%22%2C%22login%22%3A%22login89749faf-8fc0-43d7-a372-46caed5ce271%22%2C%22password%22%3A%22pass1_%21%40%23%24%25_A%22%2C%22rights%22%3A%5B%22LOGIN%22%2C%22ROOM%22%2C%22DASHBOARD%22%5D%2C%22timeZoneId%22%3A%22Asia%2FBangkok%22%2C%22type%22%3A%22USER%22%7D&confirm=false > > > > > > > > > > > > can always be checked on build server: > > > > > > > > > > > > > > https://ci-builds.apache.org/job/OpenMeetings/job/openmeetings/230/consoleFull > > > > > > > > I'm planning to improve captcha as described in this thread: > > > > https://markmail.org/message/bmp6tq3t5j6rw2rz > > > > > > > > particularly, modify language.xml, add following attributes: > > > > 1) 'tip' - short text describing this captcha for ex. "Enter > uppercase > > > > English letters" > > > > 2) 'rangeStart' - initial letter/code of possible captcha characters > > > > 3) 'rangeEnd' - final letter/code of possible captcha characters > > > > > > > > processing for above > > > > > > > > Will try to implement it this week > > > > > > > > On Tue, 26 Jan 2021 at 11:26, [email protected] < > > > [email protected] > > > > > > > > > wrote: > > > > > > > > > Also the parameter "confirm" doesn't seem to have any meaning. It's > > not > > > > > referenced in the rest of the code. > > > > > > > > > > Maybe I will change my Jira to fix some of this instead of > disabling > > > > > captcha. > > > > > > > > > > Thanks > > > > > Seb > > > > > > > > > > Sebastian Wagner > > > > > Director Arrakeen Solutions, OM-Hosting.com > > > > > http://arrakeen-solutions.co.nz/ > > > > > https://om-hosting.com - Cloud & Server Hosting for HTML5 > > > > > Video-Conferencing OpenMeetings > > > > > < > > > > > > > > > > > > > > > https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url > > > > > > > > > > > < > > > > > > > > > > > > > > > https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url > > > > > > > > > > > > > > > > > > > > > On Tue, 26 Jan 2021 at 17:21, [email protected] < > > > > [email protected] > > > > > > > > > > > wrote: > > > > > > > > > > > That doesn't mean that you shall not be able to disable it by > admin > > > > > > configuration parameters. > > > > > > > > > > > > Btw I tried the soap/Rest service for adding users. but for some > > > reason > > > > > it > > > > > > does not accept even the most complex password. > > > > > > > > > > > > curl --location --request POST ' > > > > > > > > > > > > > > > > > > > > > https://my-server.xyz/openmeetings/services/user/?sid=b20c5012-3c94-4e7a-bc6a-61f8cced3150 > > > > > > ' \ > > > > > > --header 'Content-Type: application/json' \ > > > > > > --header 'Cookie: JSESSIONID=866564BDD7D8562C9B8CD1B94621AB43' \ > > > > > > --form > > > > 'user="{firstname:'\''asdads'\'',lastname:'\''aasds'\'',login:'\'' > > > > > > Test123123'\'',password:'\''IAmComplex_@Testing1234 > > > > '\'',right:['\''ADMIN > > > > > > '\''],languageId:1,timeZoneId:'\''Pacific/Auckland'\''}"' \ > > > > > > --form 'confirm="false"' > > > > > > > > > > > > > > > > > > "IAmComplex_@Testing1234" is certainly a complex password. > > > > > > > > > > > > But the server reject it and in the log file it says: > > > > > > [39mDEBUG [0;39m 01-26 03:32:59.119 > [36mo.a.o.w.UserWebService:191 > > > > > > [-nio-443-exec-5] [0;39m - addNewUser::weak password > > > > > > 'IAmComplex_@Testing1234', msg: null > > > > > > > > > > > > Seems like msg is null but still the input is not valid, above > log > > is > > > > > from > > > > > > here: > > > > > > > > > > > > > > > > > > > > > > > > > > > https://github.com/apache/openmeetings/blob/master/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/UserWebService.java#L186 > > > > > > > > > > > > Looks strange to me. > > > > > > > > > > > > Sebastian Wagner > > > > > > Director Arrakeen Solutions, OM-Hosting.com > > > > > > http://arrakeen-solutions.co.nz/ > > > > > > https://om-hosting.com - Cloud & Server Hosting for HTML5 > > > > > > Video-Conferencing OpenMeetings > > > > > > > > > > > > < > > > > > > > > > > > > > > > https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url > > > > > > > > > > > > < > > > > > > > > > > > > > > > https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url > > > > > > > > > > > > > > > > > > > > > > > > On Tue, 26 Jan 2021 at 16:15, Maxim Solodovnik < > > [email protected] > > > > > > > > > > wrote: > > > > > > > > > > > >> The captcha was added because it's absence was reported as > > security > > > > > >> vulnerability (you can check CVE at our security page ...) > > > > > >> > > > > > >> On Tue, 26 Jan 2021 at 10:05, [email protected] < > > > > > >> [email protected]> > > > > > >> wrote: > > > > > >> > > > > > >> > I can try with the API approach, it should be possible. It is > > > just a > > > > > bit > > > > > >> > hacky. It would be easier to create a Selenium test that does > > > both: > > > > > >> > a) sign up > > > > > >> > b) use that user to participate in a conference call > > > > > >> > > > > > > >> > I don't think the ability to turn off captcha would mean it's > a > > > > > security > > > > > >> > risk > > > > > >> > > > > > > >> > Thanks > > > > > >> > Seb > > > > > >> > > > > > > >> > Sebastian Wagner > > > > > >> > Director Arrakeen Solutions, OM-Hosting.com > > > > > >> > http://arrakeen-solutions.co.nz/ > > > > > >> > https://om-hosting.com - Cloud & Server Hosting for HTML5 > > > > > >> > Video-Conferencing OpenMeetings > > > > > >> > < > > > > > >> > > > > > > >> > > > > > > > > > > > > > > > https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url > > > > > >> > > > > > > > >> > < > > > > > >> > > > > > > >> > > > > > > > > > > > > > > > https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url > > > > > >> > > > > > > > >> > > > > > > >> > > > > > > >> > On Tue, 26 Jan 2021 at 15:54, Maxim Solodovnik < > > > > [email protected]> > > > > > >> > wrote: > > > > > >> > > > > > > >> > > I've added the comment: I'm -1 for this feature > > > > > >> > > > > > > > >> > > Registration is now covered with JUnit tests > > > > > >> > > For performance testing you can > > > > > >> > > 1) create users via API > > > > > >> > > 2) create users directly in DB > > > > > >> > > > > > > > >> > > Users tend to turn off all security related "complications" > > just > > > > > >> because > > > > > >> > > some of their clients have some difficulties .... :( > > > > > >> > > I'll plan to add customization options for captcha: i.e. > admin > > > can > > > > > >> > specify > > > > > >> > > "letter range" for captcha > > > > > >> > > In such case you can specify [A,A] range ... :) > > > > > >> > > > > > > > >> > > On Tue, 26 Jan 2021 at 09:49, [email protected] < > > > > > >> > [email protected] > > > > > >> > > > > > > > > >> > > wrote: > > > > > >> > > > > > > > >> > > > In order to do automated signup using Selenium. > > > > > >> > > > That is both for testing, but in my case it is around > > > > performance > > > > > >> and > > > > > >> > > load > > > > > >> > > > testing. > > > > > >> > > > I created a ticket for now: > > > > > >> > > > https://issues.apache.org/jira/browse/OPENMEETINGS-2560 > and > > > see > > > > > how > > > > > >> > > > difficult it would be to add this config. > > > > > >> > > > > > > > > >> > > > Thanks, > > > > > >> > > > Seb > > > > > >> > > > > > > > > >> > > > Sebastian Wagner > > > > > >> > > > Director Arrakeen Solutions, OM-Hosting.com > > > > > >> > > > http://arrakeen-solutions.co.nz/ > > > > > >> > > > https://om-hosting.com - Cloud & Server Hosting for HTML5 > > > > > >> > > > Video-Conferencing OpenMeetings > > > > > >> > > > < > > > > > >> > > > > > > > > >> > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > > https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url > > > > > >> > > > > > > > > > >> > > > < > > > > > >> > > > > > > > > >> > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > > https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url > > > > > >> > > > > > > > > > >> > > > > > > > > >> > > > > > > > > >> > > > On Tue, 26 Jan 2021 at 15:44, Maxim Solodovnik < > > > > > >> [email protected]> > > > > > >> > > > wrote: > > > > > >> > > > > > > > > >> > > > > Hello Sebastian, > > > > > >> > > > > > > > > > >> > > > > there is no such option ATM > > > > > >> > > > > Why is it required for you? > > > > > >> > > > > > > > > > >> > > > > On Tue, 26 Jan 2021 at 05:17, [email protected] < > > > > > >> > > > [email protected] > > > > > >> > > > > > > > > > > >> > > > > wrote: > > > > > >> > > > > > > > > > >> > > > > > Hi, > > > > > >> > > > > > > > > > > >> > > > > > is there a way to disable the need to enter a captcha > > > during > > > > > the > > > > > >> > sign > > > > > >> > > > up > > > > > >> > > > > ? > > > > > >> > > > > > > > > > > >> > > > > > Thanks > > > > > >> > > > > > Seb > > > > > >> > > > > > > > > > > >> > > > > > Sebastian Wagner > > > > > >> > > > > > Director Arrakeen Solutions, OM-Hosting.com > > > > > >> > > > > > http://arrakeen-solutions.co.nz/ > > > > > >> > > > > > https://om-hosting.com - Cloud & Server Hosting for > > HTML5 > > > > > >> > > > > > Video-Conferencing OpenMeetings > > > > > >> > > > > > < > > > > > >> > > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > >> > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > > https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url > > > > > >> > > > > > > > > > > > >> > > > > > < > > > > > >> > > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > >> > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > > https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url > > > > > >> > > > > > > > > > > > >> > > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > >> > > > > -- > > > > > >> > > > > Best regards, > > > > > >> > > > > Maxim > > > > > >> > > > > > > > > > >> > > > > > > > > >> > > > > > > > >> > > > > > > > >> > > -- > > > > > >> > > Best regards, > > > > > >> > > Maxim > > > > > >> > > > > > > > >> > > > > > > >> > > > > > >> > > > > > >> -- > > > > > >> Best regards, > > > > > >> Maxim > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > -- > > > > Best regards, > > > > Maxim > > > > > > > -- > > > Sebastian Wagner > > > Director Arrakeen Solutions, OM-Hosting.com > > > http://arrakeen-solutions.co.nz/ > > > https://om-hosting.com - Cloud & Server Hosting for HTML5 > > > Video-Conferencing OpenMeetings > > > < > > > > > > https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url > > > > > > > < > > > > > > https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url > > > > > > > > > > > > > -- > > Best regards, > > Maxim > > > -- > Sebastian Wagner > Director Arrakeen Solutions, OM-Hosting.com > http://arrakeen-solutions.co.nz/ > https://om-hosting.com - Cloud & Server Hosting for HTML5 > Video-Conferencing OpenMeetings > < > https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url > > > < > https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url > > > -- Best regards, Maxim
