Dear Maxim,


Below is the summary (and detail) of browser log.  Why is Form data being 
blocked?  Any vectors to resolve this would be appreciated.



Summary of browser log

==================

Browser / Network tab log has status 200 for all requests except cookie (302 
status for redirection via proxy).

All security headers enabled.

The signin field at the end is ‘(empty)’.

‘Form data’ (login and pass) is missing.





Browser log Detailed

===============

Browser log of request 
https://ourdomain.com/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=BD8C3A0FC93992B0A980ADC9690B2F94?1-1.0-signin&_=1505980053143&navigatorAppName=Netscape&navigatorAppVersion=5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F60.0.3112.113%20Safari%2F537.36&navigatorAppCodeName=Mozilla&navigatorCookieEnabled=true&navigatorJavaEnabled=false&navigatorLanguage=en-US&navigatorPlatform=Win32&navigatorUserAgent=Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F60.0.3112.113%20Safari%2F537.36&screenWidth=1600&screenHeight=900&screenColorDepth=24&utcOffset=-6&utcDSTOffset=-5&browserWidth=2000&browserHeight=187&hostname=coscend.fortiddns.com&codebase=https%3A%2F%2Fcoscend.fortiddns.com%2Fopenmeetings%2Fsignin%3Bjsessionid%3DBD8C3A0FC93992B0A980ADC9690B2F94&settings=%7B%7D



Request 
URL:https://ourdomain.com/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=74112B08358FDA7D4EE6F1FB8A85D0E5?2-1.0-&_=1505979797255&;

Request Method:GET

Status Code:200

Remote Address:76.186.214.195:443

Referrer Policy:no-referrer-when-downgrade

Response Headers


Access-Control-Allow-Credentials:true

Access-Control-Allow-Headers:Origin, X-Requested-With, Content-Type, Accept, 
X-CSRF-Token, X-XSRF-TOKEN

Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS

Access-Control-Allow-Origin:*

Cache-Control:nocache, no-store

Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline'; 
script-src 'self' 'unsafe-inline' 'unsafe-eval';

Content-Type:text/xml;charset=UTF-8

Date:Thu, 21 Sep 2017 07:43:18 GMT

Expires:Thu, 01 Jan 1970 00:00:00 GMT

Origin:http://Coscend.Fortiddns.com

Pragma:no-cache

Referrer-Policy:no-referrer-when-downgrade

Strict-Transport-Security:max-age=31536000; includeSubDomains; preload

Transfer-Encoding:chunked

X-Backend-Server-Name:openmeetings

X-Content-Type-Options:nosniff

X-Frame-Options:SAMEORIGIN

X-XSS-Protection:1; mode=block

Request Headers


Accept:application/xml, text/xml, */*; q=0.01

Accept-Encoding:gzip, deflate, br

Accept-Language:en-US,en;q=0.8

Connection:keep-alive

DNT:1

Host:coscend.fortiddns.com

Referer:https://ourdomain.com/openmeetings/signin;jsessionid=74112B08358FDA7D4EE6F1FB8A85D0E5

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/60.0.3112.113 Safari/537.36

Wicket-Ajax:true

Wicket-Ajax-BaseURL:signin

X-Requested-With:XMLHttpRequest

Query String Parameters


2-1.0-:

_:1505979797255

(empty)





Thank you.



Sincerely,



Hemant K. Sabat



Coscend Communications Solutions

www.Coscend.com <http://www.coscend.com/>

------------------------------------------------------------------

Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, 
Telepresence Services, on the fly…

------------------------------------------------------------------

CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages 
from Coscend Communications Solutions' posted at: 
http://www.Coscend.com/Terms_and_Conditions.html
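A small diagnostic for the header dump above, added here as an example; it is not code from this thread or from OpenMeetings, and it does not reproduce Wicket's own CSRF listener. It only flags the header combinations a reviewer would question before touching proxy settings: a wildcard Access-Control-Allow-Origin paired with Access-Control-Allow-Credentials, a misspelled Cache-Control directive, a script-src that permits inline and eval, and an Origin whose scheme, host or port differ from the page's origin (which is what any origin-based CSRF check compares, and what a TLS-terminating proxy forwarding plain HTTP typically breaks). The page URL is an assumption built from the Host header plus the https scheme of the request; the headers are the ones pasted above, embedded as constructed sample input.

```python
"""Sanity-check a pasted block of HTTP response headers for the
inconsistencies that commonly appear when a login form is served
through a reverse proxy. Added example for this thread; it is not
OpenMeetings code and does not reproduce Wicket's own checks."""
from urllib.parse import urlsplit

# Constructed sample input: the response headers from the Network tab
# dump above. The page URL is an assumption: the Host header value
# combined with the https scheme the browser used.
SAMPLE_PAGE_URL = "https://coscend.fortiddns.com/openmeetings/signin"
SAMPLE_HEADERS_TEXT = """\
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:*
Cache-Control:nocache, no-store
Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
Origin:http://Coscend.Fortiddns.com
Strict-Transport-Security:max-age=31536000; includeSubDomains; preload
X-Frame-Options:SAMEORIGIN
"""

# Cache-Control response directives from RFC 7234, plus the common
# extensions 'immutable', 'stale-while-revalidate' and 'stale-if-error'.
KNOWN_CACHE_DIRECTIVES = {
    "max-age", "must-revalidate", "no-cache", "no-store", "no-transform",
    "private", "proxy-revalidate", "public", "s-maxage",
    "immutable", "stale-while-revalidate", "stale-if-error",
}


def parse_headers(text):
    """Turn 'Name:value' lines (the DevTools paste format) into a dict
    keyed by lower-cased header name. Lines without a colon are skipped."""
    headers = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(headers, page_url):
    """Return a list of (code, detail) findings; an empty list means none."""
    findings = []

    # 1. Browsers refuse credentialed cross-origin responses that carry a
    #    wildcard ACAO, so this pair can never work as intended.
    if (headers.get("access-control-allow-origin") == "*"
            and headers.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append(("cors-wildcard-with-credentials",
                         "Access-Control-Allow-Origin '*' combined with "
                         "Access-Control-Allow-Credentials true"))

    # 2. Misspelled Cache-Control directives are silently ignored by caches.
    for token in headers.get("cache-control", "").split(","):
        directive = token.strip().split("=", 1)[0].lower()
        if directive and directive not in KNOWN_CACHE_DIRECTIVES:
            findings.append(("cache-control-unknown-token",
                             f"unknown Cache-Control directive '{directive}'"))

    # 3. A script-src that allows inline/eval gives the CSP little XSS value.
    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            weak = sorted(p for p in parts[1:]
                          if p in ("'unsafe-inline'", "'unsafe-eval'"))
            if weak:
                findings.append(("csp-script-unsafe",
                                 "script-src allows " + ", ".join(weak)))

    # 4. An Origin whose scheme/host/port differ from the page's origin is
    #    what an origin-based CSRF check will refuse; a TLS-terminating
    #    proxy that forwards plain HTTP produces exactly a scheme mismatch.
    origin = headers.get("origin")
    if origin:
        o, p = urlsplit(origin), urlsplit(page_url)
        if (o.scheme.lower(), o.hostname, o.port) != (p.scheme.lower(), p.hostname, p.port):
            findings.append(("origin-mismatch",
                             f"Origin {origin} vs page origin "
                             f"{p.scheme}://{p.netloc}"))
    return findings


if __name__ == "__main__":
    for code, detail in check_headers(parse_headers(SAMPLE_HEADERS_TEXT),
                                      SAMPLE_PAGE_URL):
        print(f"[{code}] {detail}")
```

Run against the sample it reports all four findings; the origin one is the item to chase first when a login POST through a proxy arrives without its form data, since an origin rejection happens before the form is ever read, and the fix belongs in the proxy's forwarded scheme/host configuration rather than in the application.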









From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Thursday, September 21, 2017 2:27 AM
To: Openmeetings user-list <user@openmeetings.apache.org>; 
om.insig...@coscend.com
Subject: Re: 3.3.2 Snapshot: Login not Posting via Proxy



You have no chance to see the "WebSocketBehavior::onConnect" log message because 
your login is unsuccessful



as you are saying there are no errors in the logs ...



Are there any errors in browser console? network tab?



On Thu, Sep 21, 2017 at 2:08 PM, Coscend@OM <om.insig...@coscend.com> wrote:

Dear Maxim,



CSRF is not violated in proxy scenario because:

1. No OM log records of CSRF violation.

2. Also, 3.3.0, which has the CSRF event listener enabled (Application.java @235), 
is working fine under the same proxy setting and the same server / environment.



-----------Log DIFFs---------Detailed logs at the end.

DIFF between FAILED (via proxy) vs SUCCESSFUL (without proxy) login:  the 
following lines are MISSING when it FAILS:

DEBUG 09-20 11:05:33.339 631732 229 o.a.o.w.c.MainPanel [105-6083-exec-6] - 
WebSocketBehavior::onConnect [uid: 648aabcf-2bc0-4df5-b891-065e3ffde9c3, 
session: E73B6C62D991E218215709F7F7095547, key: org.apache.wicket.protocol.ws.api.registry.PageIdKey@0]

DEBUG 09-20 11:05:33.342 631735 91 o.w.d.h.HazelcastDataStore [ageSavingThread] 
- Inserted data for session 'E73B6C62D991E218215709F7F7095547' and page id '0'

DEBUG 09-20 11:05:33.351 631744 238 o.a.o.w.c.MainPanel [105-6083-exec-7] - 
WebSocketBehavior:: pingTimer is attached



-------------Relevant DIFF of 3.3.2 and 3.3.0 files-----------

Could any of these changes require some additional proxy settings?




openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/ISlaveHTTPConnectionManager.java: removed

openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/MainService.java: changed
  <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/MainService.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/UserService.java: changed
  <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/UserService.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/util/SessionVariablesUtil.java: removed

openmeetings-core/src/main/java/org/apache/openmeetings/core/session/ServerUtil.java: removed

openmeetings-core/src/main/java/org/apache/openmeetings/core/session/SessionManager.java: changed
  <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/session/SessionManager.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/DatabaseStore.java: removed

openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/HashMapStore.java: removed

openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/IClientPersistenceStore.java: removed

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/IClientUtil.java: added
  <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/IClientUtil.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/WebSocketHelper.java: changed
  <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/WebSocketHelper.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageAll.java: added
  <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageAll.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageChat.java: added
  <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageChat.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoom.java: added
  <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoom.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoomMsg.java: added
  <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoomMsg.java>

openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageUser.java: added
  <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageUser.java>

openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ISessionManager.java: changed
  <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ISessionManager.java>

openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ServerDao.java: removed

openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/SessiondataDao.java: changed
  <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/SessiondataDao.java>



Logs:  FAILED LOGIN

===================

Step 1:  Load Login Page

----------

DEBUG 09-20 15:33:59.748 388830 91 o.w.d.h.HazelcastDataStore [ageSavingThread] 
- Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

DEBUG 09-20 15:33:59.915 388997 91 o.w.d.h.HazelcastDataStore [ageSavingThread] 
- Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

DEBUG 09-20 15:33:59.947 389029 91 o.w.d.h.HazelcastDataStore [ageSavingThread] 
- Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

DEBUG 09-20 15:34:00.236 389318 91 o.w.d.h.HazelcastDataStore [ageSavingThread] 
- Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'

DEBUG 09-20 15:34:00.316 389398 91 o.w.d.h.HazelcastDataStore [ageSavingThread] 
- Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'



Step 2:  POST / Authentication

--------

DEBUG 09-20 15:35:50.776 499858 642 o.a.o.d.d.u.UserDao [105-6083-exec-5] - 
login:: 1 users were found

DEBUG 09-20 15:35:51.228 500310 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] - 
Level Login :: [GRANTED]

DEBUG 09-20 15:35:51.229 500311 659 o.a.o.d.d.u.UserDao [105-6083-exec-5] - 
loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend, 
deleted=false], user=User [id=1, firstname=firstname, lastname=lastname, 
login=Coscend.Insights, pictureuri=null, deleted=false, languageId=1, 
address=Address [id=1, country=US, street=null, town=null, zip=null, 
deleted=false, email=<>@Coscend.com, phone=null], externalId=null, 
externalType=null, type=user]]]

DEBUG 09-20 15:35:51.233 500315 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] - 
Level Admin :: [GRANTED]

DEBUG 09-20 15:35:51.236 500318 91 o.w.d.h.HazelcastDataStore [ageSavingThread] 
- Inserted data for session 'EE17FFD4E063A1234AF5E595D772F897' and page id '1'

DEBUG 09-20 15:35:51.286 500368 87 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-1] 
- getActiveLdapConfigs

DEBUG 09-20 15:35:51.297 500379 91 o.w.d.h.HazelcastDataStore [ageSavingThread] 
- Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

DEBUG 09-20 15:35:51.468 500550 91 o.w.d.h.HazelcastDataStore [ageSavingThread] 
- Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

DEBUG 09-20 15:35:51.501 500583 91 o.w.d.h.HazelcastDataStore [ageSavingThread] 
- Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

DEBUG 09-20 15:35:51.812 500894 91 o.w.d.h.HazelcastDataStore [ageSavingThread] 
- Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'

DEBUG 09-20 15:35:51.892 500974 91 o.w.d.h.HazelcastDataStore [ageSavingThread] 
- Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'



Thank you.



Sincerely,



Hemant K. Sabat



Coscend Communications Solutions










From: Maxim Solodovnik [mailto:solomax...@gmail.com]
Sent: Thursday, September 21, 2017 12:41 AM
To: Openmeetings user-list <user@openmeetings.apache.org>; om.insig...@coscend.com
Subject: Re: 3.3.2 Snapshot: Login not Posting via Proxy



In case of CSRF you should have a record in the logs that CSRF was violated.

Is it the case?



On Thu, Sep 21, 2017 at 3:56 AM, Coscend@OM <om.insig...@coscend.com> wrote:

Dear OpenMeetings Users,



We would appreciate any vectors to resolve the following issue:



We successfully installed, configured, logged in OM 3.3.2 Snapshot

1. Internally, i.e., http://IP:port/openmeetings

2. Externally, i.e., http://<our.FQDN.name>:port/openmeetings

OM logs have a line:

DEBUG 09-20 14:45:14.219 221956 388 o.a.o.w.a.Application [105-6083-exec-2] - 
Adding online client: 63e8a860-65c6-4687-a7e0-ca435ca21ec6, room: null



ISSUE

--------

However, we are unable to login to OM 3.3.2 Snapshot via Proxy server.    When 
we click on submit username/password, it reloads the login page.

OM logs are MISSING this line:  “Adding online client:…”





QUESTIONS

--------



1. What has changed between OM 3.3.2 and 3.3.0 that does not POST login 
credentials?  Anything to do with session variables and session request 
handlers?

2. We have used the proxy server settings that are working perfectly with 
OM 3.3.0, in which CSRF and CSP, XSS were introduced.

Alteametasoft Demo server:  What additional proxy settings need to be added 
to the Apache Web server to enable OM 3.3.2?



Source of proxy server settings:

i) CSRF:  http://markmail.org/message/o4szinpxt4e2tzch

ii) Proxy logging:  http://markmail.org/message/mft3m5bdjeqxwicw



Thank you.



Sincerely,



Hemant K. Sabat



Coscend Communications Solutions











 







--

WBR
Maxim aka solomax









