Thank you Maxim ;)

Pablo Vidal Figueiras
[email protected]
BALIDEA Consulting & Programming

From: Maxim Solodovnik [mailto:[email protected]]
Sent: Thursday, 26 May 2016 14:30
To: Openmeetings user-list <[email protected]>
CC: Bruno Rubio Gayo <[email protected]>
Subject: Re: SecureHash issue

https://issues.apache.org/jira/browse/OPENMEETINGS-1411

On Thu, May 26, 2016 at 6:00 PM, Maxim Solodovnik <[email protected]> wrote:

Hello Pablo,

secureHashes are mostly being used as one-time-hash, I'll check what is going on in case "allowSameURLMultipleTimes" is set to true and will write back here

On Thu, May 26, 2016 at 4:57 PM, Pablo Vidal Figueiras <[email protected]> wrote:

Hi,

I detected an issue related to the secureHash URL and indirectly with allowSameURLMultipleTimes when it's set to true.

I'm using a 3.1.2 Snapshot version I downloaded on 5/5 from the svn branch and disconnected from the apache svn, so I have no further updates.

The SecureHash URL is created with an administrator user (swCetir in this case) for an external user (moderator).

ExternalUserDTO JSON under construction:

    properties.addProperty("login", 1111L);
    properties.addProperty("firstname", "moderator");
    properties.addProperty("lastname", "grabable");
    properties.addProperty("propilePictureUrl", StringUtils.EMPTY);
    properties.addProperty("email", "[email protected]");
    properties.addProperty("externalId", 1111L);
    properties.addProperty("externalType", "tipo_cetir");

RoomOptionsDTO JSON under construction:

    properties.addProperty("roomId", 11L);
    properties.addProperty("moderator", Boolean.TRUE);
    properties.addProperty("showAudioVideoTest", Boolean.FALSE);
    properties.addProperty("allowSameURLMultipleTimes", Boolean.TRUE);
    properties.addProperty("recordingId", 11L);
    properties.addProperty("showNickNameDialog", Boolean.FALSE);
    properties.addProperty("allowRecording", Boolean.TRUE);

Resulting in a URL like "http://localhost:5080/openmeetings/?secureHash=dbc154dc-7bb4-4d2d-9993-d3f4e54fbe3f"

Now, the 1st time the URL is called, the traces I added show that the user used to check permission is the administrator user (swCetir):

    DEBUG 05-26 10:33:10.095 MainService.java 311480 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-1] - users_id: 2
    DEBUG 05-26 10:33:10.131 AuthLevelUtil.java 311516 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Dashboard
    DEBUG 05-26 10:33:10.146 AuthLevelUtil.java 311531 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Soap
    DEBUG 05-26 10:33:10.153 AuthLevelUtil.java 311538 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Login
    DEBUG 05-26 10:33:10.157 AuthLevelUtil.java 311542 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - rights: Room
    DEBUG 05-26 10:33:10.182 AuthLevelUtil.java 311567 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-1] - Level Soap :: [GRANTED]

On the 2nd and following tries, it uses the external user (moderator):

    DEBUG 05-26 10:33:29.290 MainService.java 330675 361 org.apache.openmeetings.core.remote.MainService [RTMPConnectionExecutor-2] - users_id: 3
    DEBUG 05-26 10:33:29.315 AuthLevelUtil.java 330700 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Dashboard
    DEBUG 05-26 10:33:29.319 AuthLevelUtil.java 330704 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Login
    DEBUG 05-26 10:33:29.331 AuthLevelUtil.java 330716 65 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - rights: Room
    DEBUG 05-26 10:33:29.342 AuthLevelUtil.java 330727 36 org.apache.openmeetings.db.util.AuthLevelUtil [RTMPConnectionExecutor-2] - Level Soap :: [DENIED]

Resulting in a popup error: "Unknown error. Please report this to the administrator. [334]"

If allowSameURLMultipleTimes is set to false, the error shown is: "This session hash has already been used [787]", but it still checks the rights of the administrator user.

Best regards.

Pablo Vidal Figueiras
BALIDEA Consulting & Programming

--
WBR
Maxim aka solomax
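The behaviour traced in the report above, modelled as an added example (not OpenMeetings code): the first use of the hash is authorised against its creator (users_id 2, who holds Soap), later uses against the invitee (users_id 3, who does not), so the same URL passes once and is then denied. The `check_consistent` variant is an assumed design in which the Soap right is the creator's concern at issue time and every use is judged on the invitee's Room right only; the user ids, right names and error numbers 334/787 are taken from the log lines and popups quoted in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the reported behaviour; error ids as quoted in the popups.
ERR_UNKNOWN = 334
ERR_HASH_USED = 787

@dataclass
class User:
    user_id: int
    rights: frozenset  # right names as printed by AuthLevelUtil

@dataclass
class SecureHash:
    creator: User        # administrator who issued the hash via the API
    invitee: User        # external user the hash was issued for
    room_id: int
    allow_multiple: bool  # allowSameURLMultipleTimes
    uses: int = 0

def check_buggy(h: SecureHash) -> Tuple[bool, Optional[int]]:
    """Reproduces the trace: principal switches from creator to invitee after
    the first use, while the right being tested (Soap) stays the same."""
    if h.uses > 0 and not h.allow_multiple:
        return False, ERR_HASH_USED
    principal = h.creator if h.uses == 0 else h.invitee
    h.uses += 1
    return (True, None) if "Soap" in principal.rights else (False, ERR_UNKNOWN)

def check_consistent(h: SecureHash) -> Tuple[bool, Optional[int]]:
    """Assumed design: one fixed principal per hash. Soap is verified for the
    creator when the hash is issued; each use checks only the invitee's Room right."""
    if h.uses > 0 and not h.allow_multiple:
        return False, ERR_HASH_USED
    h.uses += 1
    return (True, None) if "Room" in h.invitee.rights else (False, ERR_UNKNOWN)

def reproduce(allow_multiple: bool) -> List[List[Tuple[bool, Optional[int]]]]:
    """Replays two requests for the same hash and returns
    [results of check_buggy, results of check_consistent]."""
    admin = User(2, frozenset({"Dashboard", "Soap", "Login", "Room"}))
    moderator = User(3, frozenset({"Dashboard", "Login", "Room"}))
    out = []
    for check in (check_buggy, check_consistent):
        h = SecureHash(admin, moderator, 11, allow_multiple)
        out.append([check(h) for _ in range(2)])
    return out

if __name__ == "__main__":
    print(reproduce(True))   # buggy: second use fails with 334
    print(reproduce(False))  # both: second use fails with 787
```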
